bumblebee | 6ca37dde5f16f43659886b569cc22b4718ff1430db32b9e1a9687e495bd908f4

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
19-03-2023 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9982330ae990386cd74625f0eaa26ae697574694eb2ec330c2acac5e0149fdc0.msi
Size

6.4MB
MD5

6f7e07b84897cccab30594305416d36f
SHA1

6d1d531c921a17b36e792e2843311e27b9aa77a4
SHA256

9982330ae990386cd74625f0eaa26ae697574694eb2ec330c2acac5e0149fdc0
SHA512

689ba6b48065a9098ef62bc8ed0650fa0b66f403af9dc315a456d514ea61afda7cf67c3786760e4ac49adc8a60f489199e6aae08a59aa4ef8e57e064bce9e892
SSDEEP

196608:+kyJofCBPu0rDMQFVOiNRUm0TcrdJgRueb3IR6s8:DymfCBPoYOiPTacBeue7xs8

Score

10^/10

bumblebee pgchat persistence trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

pgchat

45.61.187.225:443

91.206.178.68:443

193.109.120.252:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 9 IoCs

flow	pid	Process
14	860	msiexec.exe
17	860	msiexec.exe
24	860	msiexec.exe
71	1848	powershell.exe
92	1848	powershell.exe
187	1848	powershell.exe
236	1848	powershell.exe
278	1848	powershell.exe
282	1848	powershell.exe

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe

Executes dropped EXE 11 IoCs

pid	Process
3884	MSI919E.tmp
628	MicrosoftEdgeUpdate.exe
1896	MicrosoftEdgeUpdate.exe
3784	MicrosoftEdgeUpdate.exe
800	MicrosoftEdgeUpdateComRegisterShell64.exe
4268	MicrosoftEdgeUpdateComRegisterShell64.exe
4440	MicrosoftEdgeUpdateComRegisterShell64.exe
2868	MicrosoftEdgeUpdate.exe
2820	MicrosoftEdgeUpdate.exe
1252	MicrosoftEdgeUpdate.exe
1456	MicrosoftEdgeUpdate.exe

Loads dropped DLL 16 IoCs

pid	Process
1836	MsiExec.exe
628	MicrosoftEdgeUpdate.exe
1896	MicrosoftEdgeUpdate.exe
3784	MicrosoftEdgeUpdate.exe
800	MicrosoftEdgeUpdateComRegisterShell64.exe
3784	MicrosoftEdgeUpdate.exe
4268	MicrosoftEdgeUpdateComRegisterShell64.exe
3784	MicrosoftEdgeUpdate.exe
4440	MicrosoftEdgeUpdateComRegisterShell64.exe
3784	MicrosoftEdgeUpdate.exe
2868	MicrosoftEdgeUpdate.exe
2820	MicrosoftEdgeUpdate.exe
1252	MicrosoftEdgeUpdate.exe
1252	MicrosoftEdgeUpdate.exe
2820	MicrosoftEdgeUpdate.exe
1456	MicrosoftEdgeUpdate.exe

Registers COM server for autorun 1 TTPs 33 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Checks system information in the registry 2 TTPs 8 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1848	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_hu.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\psmachine_64.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_te.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_ms.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\psuser_64.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_de.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_en.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_pt-PT.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_sl.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_bn-IN.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_bs.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_kk.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\MicrosoftEdgeUpdate.exe	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_et.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_nb.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_lb.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_ne.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_kn.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_nl.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_ga.dll	MSI919E.tmp
File created	C:\Program Files\ChatGPT\ChatGPT.exe	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_lt.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_zh-TW.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\MicrosoftEdgeComRegisterShellARM64.exe	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_sv.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\psuser_arm64.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_es-419.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_pt-BR.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_fr-CA.dll	MSI919E.tmp
File created	C:\Program Files\ChatGPT\Uninstall ChatGPT.lnk	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_ca-Es-VALENCIA.dll	MSI919E.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_ca.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_da.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_ta.dll	MSI919E.tmp
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\MicrosoftEdgeUpdateSetup.exe	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_uk.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_zh-CN.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_af.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_or.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\MicrosoftEdgeUpdateBroker.exe	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_ur.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_mt.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_sr-Cyrl-BA.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_sr-Latn-RS.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdate.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_cs.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_ja.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_it.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_mi.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_pa.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_mr.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_az.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_cy.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_lv.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_vi.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\MicrosoftEdgeUpdateOnDemand.exe	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_bg.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_hi.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_gd.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_nn.dll	MSI919E.tmp
File created	C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_iw.dll	MSI919E.tmp

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIDE30.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8EA0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{2A0ABAEF-4058-4BE6-BAAA-00E855A11F4F}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Installer\e56dc0d.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File created	C:\Windows\Installer\e56dc10.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e56dc10.msi	msiexec.exe
File created	C:\Windows\Installer\e56dc12.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI919E.tmp	msiexec.exe
File created	C:\Windows\Installer\e56dc0d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e56dc0f.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{2A0ABAEF-4058-4BE6-BAAA-00E855A11F4F}\ProductIcon	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2A0ABAEF-4058-4BE6-BAAA-00E855A11F4F}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a577c74c521b2f150000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a577c74c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900a577c74c000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a577c74c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0\ = "Microsoft Edge Update CredentialDialog"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\MicrosoftEdgeUpdateOnDemand.exe\""	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ProgID\ = "MicrosoftEdgeUpdate.CredentialDialogMachine.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods\ = "8"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ = "ServiceModule"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}\ = "PSFactoryBuffer"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc.1.0\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ = "ICurrentState"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEABA0A285046EB4ABAA008E551AF1F4\ProductName = "ChatGPT"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ProgID\ = "MicrosoftEdgeUpdate.Update3WebMachine.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\CLSID\ = "{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods\ = "8"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ = "IApp"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver"	MicrosoftEdgeUpdateComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4348	msiexec.exe
4348	msiexec.exe
1848	powershell.exe
1848	powershell.exe
1848	powershell.exe
1848	powershell.exe
4348	msiexec.exe
4348	msiexec.exe
628	MicrosoftEdgeUpdate.exe
628	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	860	msiexec.exe
Token: SeSecurityPrivilege	4348	msiexec.exe
Token: SeCreateTokenPrivilege	860	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	860	msiexec.exe
Token: SeLockMemoryPrivilege	860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	860	msiexec.exe
Token: SeMachineAccountPrivilege	860	msiexec.exe
Token: SeTcbPrivilege	860	msiexec.exe
Token: SeSecurityPrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeLoadDriverPrivilege	860	msiexec.exe
Token: SeSystemProfilePrivilege	860	msiexec.exe
Token: SeSystemtimePrivilege	860	msiexec.exe
Token: SeProfSingleProcessPrivilege	860	msiexec.exe
Token: SeIncBasePriorityPrivilege	860	msiexec.exe
Token: SeCreatePagefilePrivilege	860	msiexec.exe
Token: SeCreatePermanentPrivilege	860	msiexec.exe
Token: SeBackupPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeShutdownPrivilege	860	msiexec.exe
Token: SeDebugPrivilege	860	msiexec.exe
Token: SeAuditPrivilege	860	msiexec.exe
Token: SeSystemEnvironmentPrivilege	860	msiexec.exe
Token: SeChangeNotifyPrivilege	860	msiexec.exe
Token: SeRemoteShutdownPrivilege	860	msiexec.exe
Token: SeUndockPrivilege	860	msiexec.exe
Token: SeSyncAgentPrivilege	860	msiexec.exe
Token: SeEnableDelegationPrivilege	860	msiexec.exe
Token: SeManageVolumePrivilege	860	msiexec.exe
Token: SeImpersonatePrivilege	860	msiexec.exe
Token: SeCreateGlobalPrivilege	860	msiexec.exe
Token: SeBackupPrivilege	4068	vssvc.exe
Token: SeRestorePrivilege	4068	vssvc.exe
Token: SeAuditPrivilege	4068	vssvc.exe
Token: SeBackupPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeTakeOwnershipPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeTakeOwnershipPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeTakeOwnershipPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeTakeOwnershipPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeTakeOwnershipPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeTakeOwnershipPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeTakeOwnershipPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeTakeOwnershipPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeTakeOwnershipPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeTakeOwnershipPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeTakeOwnershipPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeTakeOwnershipPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe
Token: SeTakeOwnershipPrivilege	4348	msiexec.exe
Token: SeRestorePrivilege	4348	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
860	msiexec.exe
3240	msiexec.exe
860	msiexec.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 652	4348	msiexec.exe	98
PID 4348 wrote to memory of 652	4348	msiexec.exe	98
PID 4348 wrote to memory of 3240	4348	msiexec.exe	101
PID 4348 wrote to memory of 3240	4348	msiexec.exe	101
PID 4348 wrote to memory of 1848	4348	msiexec.exe	100
PID 4348 wrote to memory of 1848	4348	msiexec.exe	100
PID 1848 wrote to memory of 1252	1848	powershell.exe	103
PID 1848 wrote to memory of 1252	1848	powershell.exe	103
PID 1252 wrote to memory of 2464	1252	csc.exe	104
PID 1252 wrote to memory of 2464	1252	csc.exe	104
PID 1848 wrote to memory of 4404	1848	powershell.exe	106
PID 1848 wrote to memory of 4404	1848	powershell.exe	106
PID 4404 wrote to memory of 3540	4404	csc.exe	107
PID 4404 wrote to memory of 3540	4404	csc.exe	107
PID 4348 wrote to memory of 1836	4348	msiexec.exe	126
PID 4348 wrote to memory of 1836	4348	msiexec.exe	126
PID 4348 wrote to memory of 1836	4348	msiexec.exe	126
PID 4348 wrote to memory of 3884	4348	msiexec.exe	127
PID 4348 wrote to memory of 3884	4348	msiexec.exe	127
PID 4348 wrote to memory of 3884	4348	msiexec.exe	127
PID 3884 wrote to memory of 628	3884	MSI919E.tmp	129
PID 3884 wrote to memory of 628	3884	MSI919E.tmp	129
PID 3884 wrote to memory of 628	3884	MSI919E.tmp	129
PID 628 wrote to memory of 1896	628	MicrosoftEdgeUpdate.exe	130
PID 628 wrote to memory of 1896	628	MicrosoftEdgeUpdate.exe	130
PID 628 wrote to memory of 1896	628	MicrosoftEdgeUpdate.exe	130
PID 628 wrote to memory of 3784	628	MicrosoftEdgeUpdate.exe	131
PID 628 wrote to memory of 3784	628	MicrosoftEdgeUpdate.exe	131
PID 628 wrote to memory of 3784	628	MicrosoftEdgeUpdate.exe	131
PID 3784 wrote to memory of 800	3784	MicrosoftEdgeUpdate.exe	132
PID 3784 wrote to memory of 800	3784	MicrosoftEdgeUpdate.exe	132
PID 3784 wrote to memory of 4268	3784	MicrosoftEdgeUpdate.exe	133
PID 3784 wrote to memory of 4268	3784	MicrosoftEdgeUpdate.exe	133
PID 3784 wrote to memory of 4440	3784	MicrosoftEdgeUpdate.exe	134
PID 3784 wrote to memory of 4440	3784	MicrosoftEdgeUpdate.exe	134
PID 628 wrote to memory of 2868	628	MicrosoftEdgeUpdate.exe	135
PID 628 wrote to memory of 2868	628	MicrosoftEdgeUpdate.exe	135
PID 628 wrote to memory of 2868	628	MicrosoftEdgeUpdate.exe	135
PID 628 wrote to memory of 2820	628	MicrosoftEdgeUpdate.exe	136
PID 628 wrote to memory of 2820	628	MicrosoftEdgeUpdate.exe	136
PID 628 wrote to memory of 2820	628	MicrosoftEdgeUpdate.exe	136
PID 1252 wrote to memory of 1456	1252	MicrosoftEdgeUpdate.exe	138
PID 1252 wrote to memory of 1456	1252	MicrosoftEdgeUpdate.exe	138
PID 1252 wrote to memory of 1456	1252	MicrosoftEdgeUpdate.exe	138

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9982330ae990386cd74625f0eaa26ae697574694eb2ec330c2acac5e0149fdc0.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:860

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:652
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\chch.ps1"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1848
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qsbfjhvb\qsbfjhvb.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDA1.tmp" "c:\Users\Admin\AppData\Local\Temp\qsbfjhvb\CSCC4C49BD10944C5DB317213D41195820.TMP"
      4⤵
      PID:2464
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r43nqt3b\r43nqt3b.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD7F.tmp" "c:\Users\Admin\AppData\Local\Temp\r43nqt3b\CSCFD0B040F654D4410A919B4E7FCD9725.TMP"
      4⤵
      PID:3540
- C:\Windows\system32\msiexec.exe
  msiexec /i "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ChatGPT.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:3240
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 410AC3F4E447C51FEE1D24DF258081AE C
  2⤵
  - Loads dropped DLL
  PID:1836
- C:\Windows\Installer\MSI919E.tmp
  "C:\Windows\Installer\MSI919E.tmp" /silent /install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
    3⤵
    - Sets file execution options in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:1896
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3784
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:800
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4268
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4440
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REM0RTc1MEMtNEM3Qi00Rjc3LTlBNEUtNTYxODBDMDBEMTQwfSIgdXNlcmlkPSJ7NjZCNzhGMjMtMDFEMC00NzE0LUE5RTEtNTUxMzQ1OUNBNjQ5fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins1ODhGMzlENy0zRkIzLTQxOTQtOEY3OC1BMjBBOEZGMkM1NzJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzMuNDUiIG5leHR2ZXJzaW9uPSIxLjMuMTczLjQ1IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDQ3ODcwOTQ2IiBpbnN0YWxsX3RpbWVfbXM9IjEwOTQiLz48L2FwcD48L3JlcXVlc3Q-
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      PID:2868
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{DC4E750C-4C7B-4F77-9A4E-56180C00D140}" /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7REM0RTc1MEMtNEM3Qi00Rjc3LTlBNEUtNTYxODBDMDBEMTQwfSIgdXNlcmlkPSJ7NjZCNzhGMjMtMDFEMC00NzE0LUE5RTEtNTUxMzQ1OUNBNjQ5fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InswOTkwRjZCNS1CODhCLTQ5NDItQTQ4OC1DMUVBOUI2M0M2RDB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIzIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDYwMDU4NzQ3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e56dc0e.rbs

Filesize
8KB

MD5
8e40c2375c2268c1ab8f9b98c1e1d9a8

SHA1
f3b945fc420a8bacb5ea740ff0a0cd68eeee8a34

SHA256
023943b442c4c3b6e161e28efc5bc0564a1eda6d2060a6ea94e579d1a95bc2ed

SHA512
5c58081b6fc734f3fbd98591ccad4801649a7363ee3fec7c8a338583e70e6ea843150842d78ecd4135a28a3e0802a542c48905c88adb7068a17743b15aa0aa79

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
ae0bd70d0d7e467457b9e39b29f78410

SHA1
b4a549508cbc9f975a191434d4d20ad3c28d5028

SHA256
4d9f16b00bda1db65b68cb486f7ae1bf5b32aedf7fd335e4a8ef2fa087870986

SHA512
cbe2b5ffe647f5318edd9825ea6536d6d14dab66920def0323fb5b4dc03a4f8b6781b9209e5a557ab4d270b3f2b170797e6bd807195c93869367c0a245a3168e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
179KB

MD5
66fcafc9f2f49c19563d76f5337788f1

SHA1
9544b0b23129dccaa43eaa5da4b5b4aa5eedf88d

SHA256
06cfede5f76e1f17f971fa265e318e22fa6d743f0ee5879dfa9b09f5f471f207

SHA512
ae1b4435e866ea4795e370940a8524a1b0bf04941612017831363b735d97184f1a125af9f7aef1e755b1b242419adbe4e5db7473ff090ca87d6669c25b76f14d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
ae0bd70d0d7e467457b9e39b29f78410

SHA1
b4a549508cbc9f975a191434d4d20ad3c28d5028

SHA256
4d9f16b00bda1db65b68cb486f7ae1bf5b32aedf7fd335e4a8ef2fa087870986

SHA512
cbe2b5ffe647f5318edd9825ea6536d6d14dab66920def0323fb5b4dc03a4f8b6781b9209e5a557ab4d270b3f2b170797e6bd807195c93869367c0a245a3168e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
ae0bd70d0d7e467457b9e39b29f78410

SHA1
b4a549508cbc9f975a191434d4d20ad3c28d5028

SHA256
4d9f16b00bda1db65b68cb486f7ae1bf5b32aedf7fd335e4a8ef2fa087870986

SHA512
cbe2b5ffe647f5318edd9825ea6536d6d14dab66920def0323fb5b4dc03a4f8b6781b9209e5a557ab4d270b3f2b170797e6bd807195c93869367c0a245a3168e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
212KB

MD5
a0a6fe642213826a1613a5208a008055

SHA1
e9059ce64a1ee047d299c88a9c64edf61cdc0504

SHA256
f87c42f298612bb4cdaba4d56cbc1fde4856648bb1b771651b985b5d0f163cba

SHA512
bfa27c53eda95fea35e2b732fae85760f4c260999a646d951a7c2c0ad34f1c7af0a8d90916f4f99ba1cb1951801dfee01d0f7f2775e4491519187fa8b9718d5b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
257KB

MD5
465c5a2eae01ad9cc32ed0c5348fc2dc

SHA1
aaccb9ae7aa82c8ed62a43571596c3a965b658b6

SHA256
ff9b8963958042a650acf2f13a3697e5bb1c5ff2cab55d06166f5527de626021

SHA512
605d9f9d12b981f218d0636912e048d4a76f01c960793ae9f6e1dd59f49c1fc2e615b51d919605d433467bb2fe9b9fa5fdb979432085a88f568b3b4cf876af44

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
6545c51ed0d062d63c7dd5a6f00a32c6

SHA1
b6b7e5f44cb3c11f76a46e18fa7d80be9f6fdbd3

SHA256
f9431d85c0869faf740220f88b2d8db61b53d9fb324da995d938412caaed0f3e

SHA512
c99b0333b4e598fd9cad556a2fd60c725ae4c4ae45d53a45a7e051d106e3e24c401fd8686eb707d8357f01d899734889271ea3fda28bb55b7d35dcd338db7fb2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
6545c51ed0d062d63c7dd5a6f00a32c6

SHA1
b6b7e5f44cb3c11f76a46e18fa7d80be9f6fdbd3

SHA256
f9431d85c0869faf740220f88b2d8db61b53d9fb324da995d938412caaed0f3e

SHA512
c99b0333b4e598fd9cad556a2fd60c725ae4c4ae45d53a45a7e051d106e3e24c401fd8686eb707d8357f01d899734889271ea3fda28bb55b7d35dcd338db7fb2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_af.dll

Filesize
28KB

MD5
fa5578b2efc78389b459ab88b58c9abd

SHA1
980ed1ceab5063849eef96deb26825d66aaec16d

SHA256
79dca4ee4b15d9e599ccd7e12529a8b4d453d51c2b9ecd54d50bb280f0f5be7b

SHA512
a4146ef506737eba5a7c373a51059abe4569d41b7030f75a9fa1228c729fa8465e22f0c2739af2690e9408d76f43c343e4ccdb92e6110505d2655bed5844ab67

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
e59264b8cdedc5590fb6d3abb52569c9

SHA1
2fa3c37ac3c81bbce1d1e2c6b9861b36715eb14f

SHA256
5426cd930a651e304aed15fc8d693dd809f994cb195ca023608317efa7ef69f9

SHA512
3d16943726526929678d7b4d9ab30b291643bf28c93fc010371a68af24f3a169d5da8b3e75413dae8279681092a558eba36ccc6fad177bd9b39a13728d3f3737

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
bcfb450a64ce92040d69e4fb5930762c

SHA1
944a72d0072ea260e8927e6309de6ae4a4796ff6

SHA256
a09fe2478e1662bcab92b41c8ecbe73d6bdeff386f0789c59236588ae2f887b7

SHA512
210a39a25db954636e8da1ed6b1a9e3608f19ac3b154ec9f274694d3fb8617af69abf7516ea00d62a5b100b5121bd7de32ff5afec7632f697dece7d8a201e5ad

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_as.dll

Filesize
28KB

MD5
ff972d54852866ec3a43f11d7eeebd3e

SHA1
d3aaa7122de308be3fdfe27eaf7e22e0c0a02852

SHA256
b7862bb1d69e0e720db9fc1c498ed30f309dcaba73b304d239c1847441c5fd3d

SHA512
a4141404d4873bbef1a522e63644fdf37c6118a6314624541e367855e7d7bebf4bdf736295857a6e5c28db79ac6f51ff94123fb7119e05a48fbe3ac77505624a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
75188196b6f7149d5ee776b95ff56ee4

SHA1
ad80c3fbb83d67c96fc4c3276747678d78d71359

SHA256
fddd8aba9fee226a935ace41d0f6707f1fae84d88f703bfa50ae9a13cd22610b

SHA512
08ee04a6a95b5b7c2396dc60dad24f2dcd46259a6318a15596581cf86ca66a47cd7a6685c94a746e88ccacf3f5ae051894dd2eaf2d09f04fde94524fcf63d952

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
1820cfa69f244a787a0af9a4935e94a3

SHA1
65dbdda6e072b7f7b60e5740468be3374d5783a9

SHA256
9fbc74077908ad444da57cabe2f070dfb1c4f902b6917ce539cb2728612324b8

SHA512
c7f3d33c0b0a8b0a68ebf7a2e79936b07ba7fd43bacd67dacc549a5856f7fd0495dd8922d0c12e5bcb774d67267c5ee8bad63ca12012c95311cae42d878b42d0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
aba517fc0076e621244645abfdf2d60f

SHA1
3c1226b3fd9ae38967f8f3fc81d5c8014eab8ff3

SHA256
17e4f7edf396f0b4d8f64b46c5530260558ab0637cafba8c93c8e928c2b6de43

SHA512
5e3e48c8a97d10eac726b964716aa3524388474a7271c03657868fe8f1575ff0bde8911b91f6e874011e0c93581bd7a8d0d2920a140fdb47f37bb0d831befe45

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
933d66b54eaf05bc5aaab7c681da0b36

SHA1
a86effdbcc468df187d74f5b5e9d42d88e3197d1

SHA256
0e472bcc13ccfa83096e11217fefcb0e5aed3fa7ed8f1bfca7f2b7c151691b06

SHA512
628ca72071bd072bab9f81a10c6ba79a3b9d48c60dda1b58d4245d24841ca1288fb253e9212ff2cf721e366ea0aff0a068b08372a0cdf9279b298825ec8d2086

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_bs.dll

Filesize
28KB

MD5
0961601651370bc0ad92ae34c745455e

SHA1
25b29bd74f6c5b5d16fb178cd6a53ea981309457

SHA256
5443ff8250092985e0ea1ab213eebff92bf0a40d908051915ead8d1ae0e97a5d

SHA512
d81053a2bb8ebdcbcc8d55671371a71af68c5d2cc309cb92d79dbd20203285846887da7c59453f38cb721fc164768a0b92bfaf62f78eb264acd37142df5f4e5e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
29KB

MD5
1a1ddb1f95ecca9d13139ad436c3fe48

SHA1
bee6baf32a15188f5d64df3df3bacc12dcc56845

SHA256
515a028bfc6dbd7d1aa1819f1ef70dc6382337318f907656f3768d1c66cdd53b

SHA512
6e1bcb85d15a43757e6f3f75fb78cfedc4a8dd099c334415996cac7ea29f7e1577b8152c709192820d2b78b48b6cab7bf4015f741d4f1a2d845c6ec2376e5c54

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
140f6d23813e344ab06afe865699c0c0

SHA1
527abdec73c8add2f9baf9d8de5c7d454512710d

SHA256
390c60bbf529ffe7174f6e1f7cde2af1455d618f5eb16f6bc3a48cf2bdf51d27

SHA512
b51988055a11eeff7a07b9b97a5055c0e0b8ce60f5a7aca94adcaa62472f63a9620d4f34eae75a772674eaa9e9461d716ba39989c1d6708e3846b92807f6c4f5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
90d8f09d6e68940399ebb1215c521511

SHA1
06d2a1a3a08cc2bf519ba83dbe08e4f240b60a4a

SHA256
2c27a8c3653aae163bebe05f010a5d73aa47f0b58aad14bd1811b2300fe564dc

SHA512
34cf592dbebf2055451b967d27cae5849896b26ef161bfc07aada6cf7757d39ac8b8fc9c003d3770f72aa046c132280be0646f9ae101e0ec36e3b6d95aa6a89d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
cd2d40775ef0773519afcaa17509324e

SHA1
0ccc30932a50991937af5a16bd7ef92787eeb57b

SHA256
a20e03e1c56dd2438c85b52e94f54839596e5352ba4b3a406b2daeab5fd24c0d

SHA512
5d8aab4054c17720f9ea9dc28754efd440c06bf22b31c00c9020418a1ddea7bc9f5db285b2916af2e659c33649549a363af281563dff296275c4c8e2a7faf8d3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_da.dll

Filesize
28KB

MD5
dd517584ac41b7c185c1258a13143062

SHA1
60da459099559e30908938b742d6f5c1d0f99a4b

SHA256
904481a7bc079a6734dbce692d756952e7ffecebecb2f743568defc19f9f9e1b

SHA512
f96a73ad75e8d9adc01841a3f7a552c3115ff643d1cba669511e17012f892cb352cd77963044029ff7a7243b941e9f29e53a4ec51ba52977d05af20ab6d44779

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_de.dll

Filesize
30KB

MD5
c4ec05491b1585b7a3aa50375f5e4368

SHA1
cb37296d111b4c6d0456e88b94b482de4582161a

SHA256
a1d616c002ae667321cb3d78958877dfa47bdaa83a43d374d8e3628ec6ae18d5

SHA512
6392f6b349804243965b2ab83e80ee9a80627f9acaf5803aade67ab49c78647e3c8983b38fe7d1f55fefa0c90d2ca3b0cedf3d820c32a700eacd747fc4c72401

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_el.dll

Filesize
30KB

MD5
7ed8de68978a390eeda6b9f4145f8fec

SHA1
d4553ca5efd8801608196c81649dcd045e8beacf

SHA256
6ddf0517c8e51150048ee6ac66d5659559ecd4e6c3343245068ea1b8a3350878

SHA512
61806df41a9f2df86c71880be3e5e338ac35dad2a4964856e42a6d821b3d432b4412daa7a849cbbb3cb05228be777948387d90f6a4ed2276c537656098636e71

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
f0a758482ae88ee848215489129ec7bc

SHA1
d1298f7e6e60f4a2c11a61c137200665aabdb3ad

SHA256
2d76f0bf2669c672d1fa6c46417e65ac9a160a01d11990804ca40d3a3d9dbe76

SHA512
0ec2be7863d2a7f187e831529ab959ffb9c90b4d90d45ad86a9e3522d77af86c12eef4bf9a5cdfadb7957e3e8fd8fd3841f4c301865b823bfaf99e1b55182bfd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
dde9aacccb335e8a14bc4c0f2ac28eab

SHA1
8dfd19ecafda06c7e760e8fc17cc1dc43b9f3508

SHA256
c701a69236db5927f925a7d2d9845ca22cd59e03e83bfaabe5c4db35d373c056

SHA512
37de0760864b0e25277664ef8d8c4ac0df1f90ec6caa37f6e527be3b6af7a977b58453d26095fdede13ea9383166a9e60e9e0fdb9d8856eb54632a2943c1fada

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
7e8d44be65ac66ce05fb0bae2ba06f59

SHA1
f7341452313b2e38c0212b1ed499912d210fd315

SHA256
564c505c5f3617b2ccbffafff9f81771055b6edccce22917fa0bf553386a3749

SHA512
59417deaed339aa61f19336f307f2a5f5057f7ee18a13f1c8b4055e0bf0b8ee15bba6b15233aff239a7dc9b1fedc4a993fa8f4fbf9d76393f930c6ab2f52da85

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_es.dll

Filesize
28KB

MD5
4c3382b9bb276730ac626a30904420f6

SHA1
622af5199231a82a88fc70af89474f55af5fc2ed

SHA256
430a568d7d001f4dbd4c3473838146542f06e8b7a0e8a8f41dec5de94feb9f84

SHA512
1248bf0a772a7ad2264dfc3ddc6d0ffd278c83c335c8a4a1468ddee742fb6a0fa033ffd40bdd135c2604ce35c12f882951cdfd6ea728709ed287294e5fc149ec

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
8b51e86ace114d92a5fd2f53269a0785

SHA1
c175ead12ddc50d1df4b9b1687364aabee035a65

SHA256
7b5b4c7eb487f5411c6dda6e7a91501f9473e2fa66dedcce28a12f356b984840

SHA512
96de82a64d420120cc6eaf16d4ca77fd5aef1e848d6b006c2ec0ce5bbbc1ce6fae9fe57de552f3df9dcc59c49f5cdb024097a33c24c10de12c4adb6a5fecee4f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_eu.dll

Filesize
28KB

MD5
8a3bd0c8f91564d3be5696756e05969d

SHA1
5388d1afb06786bfd4907b7580f763810d07d4dc

SHA256
a8d60b8d17da26931755bdca16c486f03a5423d368f64eb164b22a7839bb17bd

SHA512
4ec41f8e7c945f583d35ce61e58cb84d97fd8fddd31619c9ded8da7b90a4bfd5bc41c350d15bee2d7ca430ac69f04df980d67a5b931e5e1adc4fcf5ea2afe8b9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_fa.dll

Filesize
27KB

MD5
33639788ab5d596a09d2fdf7688ee4cc

SHA1
c6697fdd982c0ebe1559084f81d4e22304cd7184

SHA256
f2763c899c134238e169d0fd09eb8bfdb8fd42b25d0724dbb6a1adf329a7845e

SHA512
7a2998a7f7301671c7dcad8723ff5cd694710848ee1c43c9f06e525489b91a344d369aae45dc1d259c10c1ae083f88de8cdf1b8ce07b5a0d1a99fdfc87cfc21f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
a3ae249b4498363bfc94043e725c5e2f

SHA1
fd1baf19de13def5c9e8dc3d91e57f2ad1a7aca7

SHA256
7c6c0a0ebc9e48da16f54f559f48af5ccdb375dcd914a36cc4662db0b7fe82b1

SHA512
e8d6cd5981e96f7c4897355fe3283c8b3a0da20cead2e1a6bc2dff9f00a6fa7493fe129607c24d9dded9ab86cfb09e090af3038d4f16268d473d417b4dc2dfd6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
635e9a59fb087047b6521a8c622dc31c

SHA1
9a6b5f14738fe1d11b0bdc52ac86962145a4c852

SHA256
698d85a10bed433032d04d8221b2fec183ee7d944dbcb685ee90d28483084c64

SHA512
cb368f6bcdc85c41adfaf77f4705109a74794b7b99d2ffa2c4af4a7457ebab3777164bcd42c4de2d7c4944460342c8efd8102de6b9e51ee7c193b43205ff5eac

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_fr-CA.dll

Filesize
30KB

MD5
1a743785d82759aeb4d8cd84f163e515

SHA1
55949bb303ce5285bfba2603df34249fead59a6d

SHA256
e73749cb09eee8f9b6b62e0aca144ddb73b35c89c06432f5f24c8a3ad609e731

SHA512
6f90905195914560db4050514e496978964501173f13b0d6df499e8659bb53681e19669be4d5b0a6467a2beeca88ac9512edd17558b7ff75580d15bbdc59b540

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
63167811b5d67909811ab2ea52f69687

SHA1
3c8c954d7e9295a89dd5b347598c55c450575aef

SHA256
cbe59981860ccdba144c645bd1fbb70072643bab98a21e2008e2731daf74ca59

SHA512
c33ba711dacca5219f3029b6d0ac0da2895d4ab9a203e6bb37b39cb9e558a555b9d7244f2b5c026d2a75a01901931830a15358e109215022958d089af0d66bb4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_ga.dll

Filesize
28KB

MD5
aa92c3750a7c959d96701e389be062a5

SHA1
1dcdfaa8b19ca5606864db6e6b81d8ab3ce55d16

SHA256
7b1597017f98a23571d37718ca774fd2510cebbaf25f702635043a3146d1b6b0

SHA512
44c2f8123050bf37b89e1ad43996be8694d12b1528d1bbe0fb5af0af2251af1a4ec0e91cc42aae3ede3c06feba8ee947fa5ef25d6969342903f8163fae637315

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU95E2.tmp\msedgeupdateres_gd.dll

Filesize
30KB

MD5
89b440abe50e070b0dbb1089c215dbb9

SHA1
085cc73e258062989d525d2a27f3b4edb3d48c65

SHA256
b25f58082c09e3db22708401fca30fdf97040c3a11279089233db78705a3a04e

SHA512
90b17788b9b279ea262dfde5391e68752e2d384ff9c0c05ff7d83ac78aef17fd664e48aec2256145e5e8baba02a187d5479685b2259d6178a77ad48aaeb5835e

Download Submit
C:\Program Files\ChatGPT\ChatGPT.exe

Filesize
9.1MB

MD5
b7618931340383b66b28ed859c805a43

SHA1
5d9dec5ef5b657ef9880d93829f8ea8959ba4b67

SHA256
f7d8c1d800e64ecdf2a4aba4f9a0ac7782019f63d2b2ee81495bc4869554c2fb

SHA512
53241d24d36453cd86926c6f38fea1e90f620d50f0a51393060af5a93929a4727251fbf7c7af2f1d594732b86073271e211a81ab0fea0a6e0b3ca2e6013751b8

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
119KB

MD5
454d0890c96fe8b51f9f82489c3662cb

SHA1
1dc79ac1cda5863c37105322f624e22ca456284f

SHA256
19dcef3f6d3be9fecee28bb41d73de4ddecb0a1b9cf91a9fc3802b4b383f2969

SHA512
aca83b131c06c6ebf531c9c4ecc5359f30791a68f19b4dc14a100c27279c5525edaa62eff8304802cacbc6f748e236b3671c70a5e9814258fcec10bb63e384f8

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChatGPT\ChatGPT.lnk

Filesize
1KB

MD5
edf2a61fc7b86a9501f18eb52ad5b9b4

SHA1
18b5d23788d32b758f31207ab417d59d24d67ca9

SHA256
4a8d3fced2608213433cf39b6341cc671f4fff2389ee67fd213af6f7d1ad50de

SHA512
f470efb913b13a9f3bbd75feddf2133d3fee89c39824b83b273e3aea2a2903d12f21845979e7f4568081a722bc6fbbdc93f80f6f24b0cc4c23ab6e26f97854a1

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ChatGPT\ChatGPT.lnk~RFe589093.TMP

Filesize
1KB

MD5
0bea7243d3dc1112dce51105de36eabf

SHA1
1e71ab6c2fb8888c4d9e9119b6cfc79b705bb7bb

SHA256
ddcac60d19c37e589b97885489986841b9652109eecd7000a8f84ad0ea380d98

SHA512
5facfc0e89944cdcddb6aa930a9a010a0166d8096f2618770926f1efe1a7772e82075664edb03ab93afe5f0184d491cf9dcbf6a5053a249873547af48f231816

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
765B

MD5
cc1dfcf33cec09cf4b02162f29a2c9ea

SHA1
a2d9977e00e49dac782209a10e16893a87c5f8a3

SHA256
57831e2f282ae5cf0af7250482eb273f084d2f9eded56adbb5ccdb201b8df8e3

SHA512
c241bde31bff14294e460769043108f526999891163dba0498b835f3fa63dc35034fc37b35ab8c43bb7b39816b1ca69fd5abd7469735d038da13f4bea1876a89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_378BA46A07A0483C428E7FC44C59C2CB

Filesize
638B

MD5
4d7c73f266c1f45f6a84afb7af11bfa6

SHA1
d34ba5d7b0a333f1d3d7cefe9809cf099a8d09e3

SHA256
5cec6e286168eb5270282378babddf54d115a35044c43398197416002554baf6

SHA512
15f93b139e7e9387672b67e3328623e8146ca52d9ac0886539636523aca9a3c2bb0f3b8687b79484293bfea34546489e4a96f6752391f1d5e1226a39f9d329ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
1KB

MD5
e2b38e80a0b051bf6a94370a1be65b43

SHA1
9b6203ec15376f74fe0e73bd81f1cd2c86341163

SHA256
cc3abffacfa492e6de85519380a95050e139794ae09b05e45f3c116199e7375d

SHA512
f5ac4fd53a4ee6bc7b934e632fc11899b0bf9cc791d307067969a2a1a342d80fc90f90caea5863fdeb3c562e7cf220e10e1c70c92cf9bf27cb6ab0bbccf53ab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
484B

MD5
2f509d782a070863875f3b2232dd8b84

SHA1
615e1ed0c40e0c6b995193b0642106f2caa31932

SHA256
72ce1f73b0dd8a0b266b43c19ba64f838a49157fa41fe51450dde565c41e2f66

SHA512
2b06a4d0cf3689a88ad8a1007f3c41f0254270ddeb261ebe887271b74ae75a82b359fa7332196e93f130f418380396ddae4f700b8b7c40a34a4cc38fe20ccbad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_378BA46A07A0483C428E7FC44C59C2CB

Filesize
484B

MD5
44623ce9831b61e112b7f379f9fa04c1

SHA1
5f0ef36d972a22c79ec87818f007fe3c64b2c4ef

SHA256
b40ea47102c152a3c873159339c0ed5b70e3f1379ad422bccf5bde5ee5a972a1

SHA512
9ffe326041b2268fe83c097f21f01fdd9cf5e9e2ca45d5525f6c28217fe2cfcb67960febebbce0e06a72486a90722f27ff82fe6a3130ae341662e840d5e15961

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
482B

MD5
7c953a7ccce2b8ba4158c6b211f7d548

SHA1
1cd778050aa50c6d7faf464fa68717d5ce667bab

SHA256
000c95f09096d6f0a1d07591ed3a6c5c5bc1b60787135a9e966e437db672ff39

SHA512
a83980a46b07fc39a4bf3f06f7426497cab447bb6c0e9c36f079869599c72291a625c622c3a8a5e6164db4b6e068b625867f68b66b95b10ad3b40245728cbd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI86BF.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI86BF.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ChatGPT.msi

Filesize
5.7MB

MD5
41c305f5555c83b876ad9055d8f6d6a8

SHA1
e3d2af686f2b4b1a03bf3853790697640c94ba22

SHA256
29eef3d0b07ebf231546fdd0719b0102008310916ceda253fadb4037f484e753

SHA512
956d2004ab0a69f4bf3fea667ba64a72d70a9ac4d699b5b9cda38417f3db1fe8f8e066b46dc2bf0fbb5afc4eb08ed004c0dbd1805b71f805253ab227be26dfa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\chch.ps1

Filesize
2.3MB

MD5
b4153c305f599325177fc402c696c4f9

SHA1
2832c07119d99a03cff018a56088f1e4861cd42a

SHA256
6271fd1865bed9afbc9e92f36714e97495f5b327f8cda1e02b569e9e1b9daef5

SHA512
86068967708635fc21a7702fa2ce8a32cc80b687ba80e217908e81fa5bdd3aca00400759948ed67c93f6807aa156943fc876817ccfb963a0890c1f2fa3d116b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEDA1.tmp

Filesize
1KB

MD5
30c542ec937fae7ad730b8466b35cd6a

SHA1
66a6176a967ea0fcdad2f606396b85100c8ab436

SHA256
0d02106cd5aebfd359acd3f1d355803c8e362b119533c2aac6ca10b975e93922

SHA512
2cfab0747afd14ddc51155282d887eef8d13b798395a4e34d00b1cc6216ee229e678ba9a0c44b0120f6d0f3f3295b5e7013559de083e29823efac1daf90d3c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD7F.tmp

Filesize
1KB

MD5
f0de2ee666ad314c80b2be9d4463dae3

SHA1
d11f4a33e5510172a35648dbd721372475971563

SHA256
5d44151e4eb72381bdddcc9541f4ce1d0344b9ac047dbbed0e989ef7ae12f822

SHA512
f63beb063422a913c67d7ff7e26aed8374cc30211a409e20fcdb737cb143320a1e0dd07bd592c20b507c3cd3376bb029e48cdb5fd9eb0bf3a111a4a57bbf6caf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qrrrkw30.uor.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsbfjhvb\qsbfjhvb.dll

Filesize
3KB

MD5
12affec38cd1615094e4bb97c84c385b

SHA1
ede78b9e91ca9e950cbd2c7db30d387b84e8f10d

SHA256
f5eb324dec71be65196ea0a2c9ff0a41fcd3610926c2ba9d87b60f95552d30ad

SHA512
652f0a985dad498b236e787a8f0ce68dea035c3ba275110749936ebdeb10a80f512a89e273851c55abb39a2e944b90cb9a6c65dc197cec751c8723d15c09129b

Download Submit
C:\Users\Admin\AppData\Local\Temp\r43nqt3b\r43nqt3b.dll

Filesize
3KB

MD5
8fca7c855468d56f5554a4277132245a

SHA1
24019e34d46e50fd94f755c0c82e9d8488a5b710

SHA256
95c4e95ee4b3d03b659caac5b885e7aab8f27dab0f10e14d1add44bb6f8a3c8a

SHA512
28309eda566f1426433c2464a6f3d3ee1cdb85345afa477a8073c673e1637e9bc086e139f11b8058bc3567ccfd60e790d4ca5ee6213fd8ca723b4b665e8f68ea

Download Submit
C:\Windows\Installer\MSI919E.tmp

Filesize
1.5MB

MD5
b32d72daeee036e2b8f1c57e4a40e87a

SHA1
564caa330d077a3d26691338b3e38ee4879a929d

SHA256
65f6efdf6df4095971a95f4bf387590ae63109388344632a22458265ab7dd289

SHA512
b5d62ce1462d786c01d38e13d030ad6236ce63321819cf860cc6169f50f6309e627bc7709b305422851779e37dbae9fb358008aad8d6c124cd33cdec730288d5

Download Submit
C:\Windows\Installer\MSI919E.tmp

Filesize
1.5MB

MD5
b32d72daeee036e2b8f1c57e4a40e87a

SHA1
564caa330d077a3d26691338b3e38ee4879a929d

SHA256
65f6efdf6df4095971a95f4bf387590ae63109388344632a22458265ab7dd289

SHA512
b5d62ce1462d786c01d38e13d030ad6236ce63321819cf860cc6169f50f6309e627bc7709b305422851779e37dbae9fb358008aad8d6c124cd33cdec730288d5

Download Submit
C:\Windows\Installer\e56dc0d.msi

Filesize
6.4MB

MD5
6f7e07b84897cccab30594305416d36f

SHA1
6d1d531c921a17b36e792e2843311e27b9aa77a4

SHA256
9982330ae990386cd74625f0eaa26ae697574694eb2ec330c2acac5e0149fdc0

SHA512
689ba6b48065a9098ef62bc8ed0650fa0b66f403af9dc315a456d514ea61afda7cf67c3786760e4ac49adc8a60f489199e6aae08a59aa4ef8e57e064bce9e892

Download Submit
C:\Windows\Installer\e56dc12.msi

Filesize
5.7MB

MD5
41c305f5555c83b876ad9055d8f6d6a8

SHA1
e3d2af686f2b4b1a03bf3853790697640c94ba22

SHA256
29eef3d0b07ebf231546fdd0719b0102008310916ceda253fadb4037f484e753

SHA512
956d2004ab0a69f4bf3fea667ba64a72d70a9ac4d699b5b9cda38417f3db1fe8f8e066b46dc2bf0fbb5afc4eb08ed004c0dbd1805b71f805253ab227be26dfa5

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
e01542b003bac041640e753c90796fa6

SHA1
39beed612d99fa36bc1155e1fef8706d19e1a51f

SHA256
85733735b39f8c666758a9ed973530b6ab6d6ecd6d410ed1ab3a5f46ee7f51c7

SHA512
6657bf46d504448d06940a4f7da184fbafeccb12980036913c415a95ef09d01f27ba57f48c010b1e17831b773daf79ea6e9a39b4b8c69ce14dcc860a6241bd77

Download Submit
\??\Volume{4cc777a5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{351b7978-8eee-4fc8-8e39-9e237cb4235d}_OnDiskSnapshotProp

Filesize
5KB

MD5
c82e4fce69d0dec4a6ef73d03d7a8656

SHA1
5e632fa0312906b26ac7565792c71cd821e97a71

SHA256
126c60ff9b17e999d43d1effa13af5d1499ef8c3d41cd281501d5b922ef98640

SHA512
0006f2d55e089bae022227a082b5c9e99a988e3e83604eb48ccd2fe037cc00e095e3b068b251f81e63e9ed1bc52c8c92b0e860d408bd84985353ffdbb14b9f71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qsbfjhvb\CSCC4C49BD10944C5DB317213D41195820.TMP

Filesize
652B

MD5
a8c3fca2ead28819170f04824d0a4302

SHA1
3bc31cf215009db23498aeb80c67e7b9c9922f50

SHA256
303b7d176afb807c6669f8f1f43554b9fab8ff7ba47ca46afa42c9db7fcbcae1

SHA512
cd875d1559f92bf0410b7f815f5b1f7cbbc70755caf1c9b87005a87c413573abc4658ffd272b4762ecc320ea376519aa079c310f6df973cd2e7466fee988b9a8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qsbfjhvb\qsbfjhvb.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qsbfjhvb\qsbfjhvb.cmdline

Filesize
369B

MD5
4d64054593d920d325fd7f16eb6f2cd0

SHA1
98c52909cd67deb9b22b0cbc7d0812485a2c6319

SHA256
7f802dd240d71abbe7c29ef9debb74f8092ff7ee6c19da6387402101fb0fde5b

SHA512
cece96578067a82b2375b6572eacb8b4122291511da35fedadf09f9f97efb70cb39cb966fbea642408d0b4bdeeec0f40ff133dd493ea4d80c5a52b0768a378fb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r43nqt3b\CSCFD0B040F654D4410A919B4E7FCD9725.TMP

Filesize
652B

MD5
0779c32cf1a479983317298ea1de261f

SHA1
2451ea1c9d253d26ff09e9a7d3e8874c3841d1d6

SHA256
193abb685479b62b7a4b5df57e8a12cc7bcee4d91348b20a9ca25421359b1b83

SHA512
a68f5d6a4c0f9cd70da99b1313f8dbc27b2bae4c7a4fc7ff666da44462e72a43a17771139e0d92751901bbcef15b54931b8318b776050b8057997b7f124f17f8

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r43nqt3b\r43nqt3b.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r43nqt3b\r43nqt3b.cmdline

Filesize
369B

MD5
5e751a67016d8cc2670f9937ce5175e3

SHA1
ba5f55b257b0d9158ea752cb33876b28d6f47f66

SHA256
ec367bd1dc9b646694c0bcd259f7c044deeabeba0c905d51bc0ed572c8e31ce5

SHA512
44b79e4f59254baa86b9d0dd37a64e8be0750dec6df741538961f58c6d8aae8162f9ea5cabc484b61ea6a398f393d1c3d42a5e6a65eb4465505251635c731adf

Download Submit
memory/1252-204-0x000001EFF8500000-0x000001EFF8FC1000-memory.dmp

Filesize
10.8MB

Download
memory/1848-237-0x000002ADD4320000-0x000002ADD4330000-memory.dmp

Filesize
64KB

Download
memory/1848-238-0x000002ADD4320000-0x000002ADD4330000-memory.dmp

Filesize
64KB

Download
memory/1848-221-0x000002ADED880000-0x000002ADED9F4000-memory.dmp

Filesize
1.5MB

Download
memory/1848-226-0x000002ADD4320000-0x000002ADD4330000-memory.dmp

Filesize
64KB

Download
memory/1848-228-0x000002ADEDA00000-0x000002ADEDB74000-memory.dmp

Filesize
1.5MB

Download
memory/1848-229-0x000002ADEDA00000-0x000002ADEDB74000-memory.dmp

Filesize
1.5MB

Download
memory/1848-230-0x000002ADEDA00000-0x000002ADEDB74000-memory.dmp

Filesize
1.5MB

Download
memory/1848-231-0x000002ADD4750000-0x000002ADD5211000-memory.dmp

Filesize
10.8MB

Download
memory/1848-233-0x000002ADEDA00000-0x000002ADEDABE000-memory.dmp

Filesize
760KB

Download
memory/1848-236-0x00007FFBAFEB0000-0x00007FFBAFEB1000-memory.dmp

Filesize
4KB

Download
memory/1848-254-0x000002ADD4750000-0x000002ADD5211000-memory.dmp

Filesize
10.8MB

Download
memory/1848-244-0x000002ADD4320000-0x000002ADD4330000-memory.dmp

Filesize
64KB

Download
memory/1848-239-0x000002ADD4320000-0x000002ADD4330000-memory.dmp

Filesize
64KB

Download
memory/1848-189-0x000002ADD4320000-0x000002ADD4330000-memory.dmp

Filesize
64KB

Download
memory/1848-187-0x000002ADD4320000-0x000002ADD4330000-memory.dmp

Filesize
64KB

Download
memory/1848-188-0x000002ADD4320000-0x000002ADD4330000-memory.dmp

Filesize
64KB

Download
memory/1848-185-0x000002ADD5330000-0x000002ADD5352000-memory.dmp

Filesize
136KB

Download
memory/1848-240-0x000002ADD4750000-0x000002ADD5211000-memory.dmp

Filesize
10.8MB

Download
memory/4348-186-0x0000024D6C270000-0x0000024D6CD31000-memory.dmp

Filesize
10.8MB

Download
memory/4348-328-0x0000024D6C270000-0x0000024D6CD31000-memory.dmp

Filesize
10.8MB

Download
memory/4404-218-0x000001BE6F080000-0x000001BE6FB41000-memory.dmp

Filesize
10.8MB

Download