quasar | 773e13fffd0842e717ce55e2a678da37123c55186f9c92460c671261b1654ffd

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-12-2024 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe
Size

72.2MB
MD5

33c2adebfe2c3acedfb34ffff8151b7d
SHA1

8e93f7ecafa92017a7d528423574ab5cfeec754a
SHA256

773e13fffd0842e717ce55e2a678da37123c55186f9c92460c671261b1654ffd
SHA512

6f545b4da55412ec78de6d1c3bddbcc6bb857b7d13b15fe4bb832259dbe1842d44a02b46395233c23ca57abd34239226a60c9f7ee26fcf82ba383a836f8d61ad
SSDEEP

1572864:yIWs/6+mI5n17YTIytz8ATFiQiFGaaoE13gIFxXtzM/zMfCOA6Z:ssJmIBiTvR8UFiQYGvoq35FVEeCOr

Score

10^/10

quasar office04 discovery persistence privilege_escalation spyware trojan upx

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Office04

167.71.56.116:22269

Mutex

3470ac31-30aa-4cf6-ab0a-1ed0dd64656f

Attributes

encryption_key
33E08519CDBEF59C54E93052681A76D1969C659E
install_name
Client.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Quasar Client Startup
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar
Quasar family
quasar

Quasar payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000b000000012029-1329.dat	family_quasar
behavioral1/memory/2640-1333-0x0000000000140000-0x0000000000464000-memory.dmp	family_quasar
behavioral1/memory/2572-2315-0x0000000003520000-0x0000000003B08000-memory.dmp	family_quasar

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00050000000194e2-1657.dat	acprotect

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 20 IoCs

pid	Process
2640	Client-built.exe
476	TeamViewer_Setup_x64.exe
2084	TeamViewer_.exe
2700	TeamViewer_Service.exe
2572	TeamViewer.exe
2992	crashpad_handler.exe
2532	MicrosoftEdgeWebview2Setup.exe
864	MicrosoftEdgeUpdate.exe
2584	MicrosoftEdgeUpdate.exe
2552	MicrosoftEdgeUpdate.exe
1328	MicrosoftEdgeUpdateComRegisterShell64.exe
1912	MicrosoftEdgeUpdateComRegisterShell64.exe
1816	MicrosoftEdgeUpdateComRegisterShell64.exe
2096	MicrosoftEdgeUpdate.exe
1716	MicrosoftEdgeUpdate.exe
2060	MicrosoftEdgeUpdate.exe
2648	MicrosoftEdgeUpdate.exe
2556	MicrosoftEdge_X64_109.0.1518.140.exe
2152	setup.exe
2848	MicrosoftEdgeUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe
2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe
476	TeamViewer_Setup_x64.exe
476	TeamViewer_Setup_x64.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 10 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2084-1659-0x0000000074DA0000-0x0000000074DAA000-memory.dmp	upx
behavioral1/files/0x00050000000194e2-1657.dat	upx
behavioral1/memory/2084-1754-0x0000000074DA0000-0x0000000074DAA000-memory.dmp	upx
behavioral1/memory/2084-2983-0x0000000074DA0000-0x0000000074DAA000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\EUF43E.tmp\msedgeupdateres_or.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\msvcp140_codecvt_ids.dll	setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ar.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\Locales\kk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\nacl_irt_x86_64.nexe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\de.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\fa.pak	setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\x64\TVMonitor.inf	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF43E.tmp\msedgeupdateres_lb.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\identity_helper.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\identity_proxy\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\Locales\ka.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\VisualElements\SmallLogoCanary.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF43E.tmp\MicrosoftEdgeUpdateBroker.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_lt.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\Locales\gl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\vcruntime140.dll	setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ko.dll	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_ru.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF43E.tmp\msedgeupdateres_ne.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\icudtl.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\Locales\ja.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\Locales\pl.pak	setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer.ico	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\identity_proxy\identity_helper.Sparse.Stable.msix	setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_da.dll	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\tvfiles_printer_WithoutPDFSupport_x64.7z	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF43E.tmp\msedgeupdateres_es-419.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF43E.tmp\msedgeupdateres_ko.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\Locales\te.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\oneds.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\WidevineCdm\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\ka.pak	setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\uninstall.exe	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\msedge_proxy.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\Locales\am.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF43E.tmp\msedgeupdateres_pa.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF43E.tmp\msedgeupdateres_sq.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\msedge.dll.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\msedgewebview2.exe.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\Trust Protection Lists\Mu\Analytics	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\elevation_service.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_id.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\identity_proxy\beta.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\en-GB.pak	setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_zhCN.dll	TeamViewer_.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\tv_x64.dll	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\RollbackTemp\	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF43E.tmp\NOTICE.TXT	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\show_third_party_software_licenses.bat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\cy.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\id.pak	setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\CopyrightFULL.txt	TeamViewer_.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_el.dll	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\x64\TeamViewer_VirtualDeviceDriver.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\EBWebView\x64\EmbeddedBrowserWebView.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\Locales\gu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\Locales\ne.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\ro.pak	setup.exe
File created	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_cs.dll	TeamViewer_.exe
File opened for modification	C:\Program Files\TeamViewer\TVExtractTemp\TeamViewer_Resource_fi.dll	TeamViewer_.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF43E.tmp\msedgeupdateres_bn-IN.dll	MicrosoftEdgeWebview2Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_Setup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2096	MicrosoftEdgeUpdate.exe
2648	MicrosoftEdgeUpdate.exe
2848	MicrosoftEdgeUpdate.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy = "1"	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1840FA4-2F2A-4181-99C5-5E90F32747D5}\WpadDecisionReason = "1"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1840FA4-2F2A-4181-99C5-5E90F32747D5}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1840FA4-2F2A-4181-99C5-5E90F32747D5}\WpadDecisionReason = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-e5-f9-a4-1c-e1\WpadDecisionTime = 40cad9ba614adb01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-e5-f9-a4-1c-e1\WpadDetectedUrl	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-e5-f9-a4-1c-e1\WpadDecisionTime = 807014b8614adb01	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-e5-f9-a4-1c-e1\WpadDetectedUrl	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1840FA4-2F2A-4181-99C5-5E90F32747D5}\WpadDecisionTime = 40cad9ba614adb01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-e5-f9-a4-1c-e1	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1840FA4-2F2A-4181-99C5-5E90F32747D5}\WpadDecision = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1840FA4-2F2A-4181-99C5-5E90F32747D5}\WpadDecisionTime = 602abfbe614adb01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-e5-f9-a4-1c-e1\WpadDecisionTime = a091c6a6614adb01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-e5-f9-a4-1c-e1\WpadDecisionTime = 602abfbe614adb01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-e5-f9-a4-1c-e1\WpadDecisionTime = 402053dc614adb01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1840FA4-2F2A-4181-99C5-5E90F32747D5}	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-e5-f9-a4-1c-e1\WpadDecisionReason = "1"	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FC73DAE1-5456-440C-B6EE-0D4A235B71B5}\ProxyStubClsid32	TeamViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A20E949F-5456-4A49-BE51-88077E13F793}\TypeLib\ = "{D5883D5C-5456-4BF9-844A-3F8C5E61AF9F}"	TeamViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F5E4D7D-7181-44DC-8407-CAF525D85345}\ProxyStubClsid32	TeamViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeamViewerPilotSessionReporting\shell	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D5883D5C-5456-4BF9-844A-3F8C5E61AF9F}\1.2\0	TeamViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blizzv1	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F5E4D7D-7181-44DC-8407-CAF525D85345}\TypeLib\ = "{D5883D5C-5456-4BF9-844A-3F8C5E61AF9F}"	TeamViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tvvpn1\shell	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6EB079FD-5456-432D-BDAB-9B38DF8DD0EE}\ProxyStubClsid32	TeamViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeamViewerSession\shell\open\command	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tvoneweblogin	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tvjoinv8\shell\open	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BF93CDAB-5456-4611-AE2C-6F50A41564C1}\TypeLib\ = "{D5883D5C-5456-4BF9-844A-3F8C5E61AF9F}"	TeamViewer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{BE43CF28-943E-4BA2-9B74-00CC57E7B1FC}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.45\\msedgeupdate.dll,-1004"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc.1.0\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0\CLSID\ = "{E421557C-0628-43FB-BF2B-7C9F8A4D067C}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tvjoinv8\shell	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tvfiletransfer1\shell\open\command\ = "\"C:\\Program Files\\TeamViewer\\TeamViewer.exe\" \"%1\""	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeamViewerConfiguration\DefaultIcon	TeamViewer_.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{877D726A-5456-4171-9CDB-0DAB3AFFE07F}\LocalServer32	TeamViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tvlink\ = "InternetShortcut"	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods\ = "5"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{877D726A-5456-4171-9CDB-0DAB3AFFE07F}\VersionIndependentProgID	TeamViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD9D431B-3B37-4F4A-B676-D43D8AEAD6E2}\TypeLib\Version = "1.2"	TeamViewer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TeamViewerPilotSessionReporting\shell\open\command	TeamViewer_.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc\CurVer	MicrosoftEdgeUpdate.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeamViewer_Service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	TeamViewer_Service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeamViewer_Service.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	TeamViewer_Service.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1920	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
2084	TeamViewer_.exe
864	MicrosoftEdgeUpdate.exe
864	MicrosoftEdgeUpdate.exe
864	MicrosoftEdgeUpdate.exe
864	MicrosoftEdgeUpdate.exe
864	MicrosoftEdgeUpdate.exe
864	MicrosoftEdgeUpdate.exe
864	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe
Token: SeDebugPrivilege	2640	Client-built.exe
Token: SeRestorePrivilege	2084	TeamViewer_.exe
Token: SeDebugPrivilege	864	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	864	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	864	MicrosoftEdgeUpdate.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2640	Client-built.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2640	Client-built.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2640	2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe	30
PID 2884 wrote to memory of 2640	2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe	30
PID 2884 wrote to memory of 2640	2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe	30
PID 2884 wrote to memory of 2640	2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe	30
PID 2884 wrote to memory of 476	2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe	31
PID 2884 wrote to memory of 476	2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe	31
PID 2884 wrote to memory of 476	2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe	31
PID 2884 wrote to memory of 476	2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe	31
PID 2884 wrote to memory of 476	2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe	31
PID 2884 wrote to memory of 476	2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe	31
PID 2884 wrote to memory of 476	2884	33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe	31
PID 476 wrote to memory of 2084	476	TeamViewer_Setup_x64.exe	32
PID 476 wrote to memory of 2084	476	TeamViewer_Setup_x64.exe	32
PID 476 wrote to memory of 2084	476	TeamViewer_Setup_x64.exe	32
PID 476 wrote to memory of 2084	476	TeamViewer_Setup_x64.exe	32
PID 476 wrote to memory of 2084	476	TeamViewer_Setup_x64.exe	32
PID 476 wrote to memory of 2084	476	TeamViewer_Setup_x64.exe	32
PID 476 wrote to memory of 2084	476	TeamViewer_Setup_x64.exe	32
PID 2084 wrote to memory of 1920	2084	TeamViewer_.exe	33
PID 2084 wrote to memory of 1920	2084	TeamViewer_.exe	33
PID 2084 wrote to memory of 1920	2084	TeamViewer_.exe	33
PID 2084 wrote to memory of 1920	2084	TeamViewer_.exe	33
PID 2084 wrote to memory of 2700	2084	TeamViewer_.exe	36
PID 2084 wrote to memory of 2700	2084	TeamViewer_.exe	36
PID 2084 wrote to memory of 2700	2084	TeamViewer_.exe	36
PID 2084 wrote to memory of 2700	2084	TeamViewer_.exe	36
PID 2084 wrote to memory of 2572	2084	TeamViewer_.exe	38
PID 2084 wrote to memory of 2572	2084	TeamViewer_.exe	38
PID 2084 wrote to memory of 2572	2084	TeamViewer_.exe	38
PID 2084 wrote to memory of 2572	2084	TeamViewer_.exe	38
PID 2572 wrote to memory of 2992	2572	TeamViewer.exe	39
PID 2572 wrote to memory of 2992	2572	TeamViewer.exe	39
PID 2572 wrote to memory of 2992	2572	TeamViewer.exe	39
PID 2084 wrote to memory of 2512	2084	TeamViewer_.exe	41
PID 2084 wrote to memory of 2512	2084	TeamViewer_.exe	41
PID 2084 wrote to memory of 2512	2084	TeamViewer_.exe	41
PID 2084 wrote to memory of 2512	2084	TeamViewer_.exe	41
PID 2084 wrote to memory of 2512	2084	TeamViewer_.exe	41
PID 2084 wrote to memory of 2512	2084	TeamViewer_.exe	41
PID 2084 wrote to memory of 2512	2084	TeamViewer_.exe	41
PID 2084 wrote to memory of 1588	2084	TeamViewer_.exe	42
PID 2084 wrote to memory of 1588	2084	TeamViewer_.exe	42
PID 2084 wrote to memory of 1588	2084	TeamViewer_.exe	42
PID 2084 wrote to memory of 1588	2084	TeamViewer_.exe	42
PID 2084 wrote to memory of 2532	2084	TeamViewer_.exe	44
PID 2084 wrote to memory of 2532	2084	TeamViewer_.exe	44
PID 2084 wrote to memory of 2532	2084	TeamViewer_.exe	44
PID 2084 wrote to memory of 2532	2084	TeamViewer_.exe	44
PID 2084 wrote to memory of 2532	2084	TeamViewer_.exe	44
PID 2084 wrote to memory of 2532	2084	TeamViewer_.exe	44
PID 2084 wrote to memory of 2532	2084	TeamViewer_.exe	44
PID 2532 wrote to memory of 864	2532	MicrosoftEdgeWebview2Setup.exe	45
PID 2532 wrote to memory of 864	2532	MicrosoftEdgeWebview2Setup.exe	45
PID 2532 wrote to memory of 864	2532	MicrosoftEdgeWebview2Setup.exe	45
PID 2532 wrote to memory of 864	2532	MicrosoftEdgeWebview2Setup.exe	45
PID 2532 wrote to memory of 864	2532	MicrosoftEdgeWebview2Setup.exe	45
PID 2532 wrote to memory of 864	2532	MicrosoftEdgeWebview2Setup.exe	45
PID 2532 wrote to memory of 864	2532	MicrosoftEdgeWebview2Setup.exe	45
PID 864 wrote to memory of 2584	864	MicrosoftEdgeUpdate.exe	46
PID 864 wrote to memory of 2584	864	MicrosoftEdgeUpdate.exe	46
PID 864 wrote to memory of 2584	864	MicrosoftEdgeUpdate.exe	46
PID 864 wrote to memory of 2584	864	MicrosoftEdgeUpdate.exe	46
PID 864 wrote to memory of 2584	864	MicrosoftEdgeUpdate.exe	46
PID 864 wrote to memory of 2584	864	MicrosoftEdgeUpdate.exe	46

C:\Users\Admin\AppData\Local\Temp\33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe
"C:\Users\Admin\AppData\Local\Temp\33C2ADEBFE2C3ACEDFB34FFFF8151B7D.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\Client-built.exe
  "C:\Users\Admin\AppData\Local\Temp\Client-built.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2640
- C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup_x64.exe
  "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup_x64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:476
- - C:\Users\Admin\AppData\Local\Temp\nsyA4F7.tmp\nsjA537\TeamViewer_.exe
    "C:\Users\Admin\AppData\Local\Temp\nsyA4F7.tmp\nsjA537\TeamViewer_.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2084
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\system32\schtasks /Create /TN TVInstallRestore /TR "\"C:\Program Files\TeamViewer\RollbackTemp\TeamViewer_.exe\" /RESTORE" /RU SYSTEM /SC ONLOGON /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1920
  - - C:\Program Files\TeamViewer\TeamViewer_Service.exe
      "C:\Program Files\TeamViewer\TeamViewer_Service.exe" -install
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      PID:2700
  - - C:\Program Files\TeamViewer\TeamViewer.exe
      "C:\Program Files\TeamViewer\TeamViewer.exe" api --install
      4⤵
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Program Files\TeamViewer\crashpad_handler.exe
        
        "C:\Program Files\TeamViewer\crashpad_handler.exe" --no-rate-limit --database=C:\Users\Admin\AppData\Local\TeamViewer\Logs\ErrorReports --metrics-dir=C:\Users\Admin\AppData\Local\TeamViewer\Logs\ErrorReports --url=https://errorreporting.teamviewer.com:443/api/3/minidump/?sentry_client=sentry.native/0.4.17&sentry_key=ab2b65e79a501de39a5e47e7bc23e13b --attachment=C:\Users\Admin\AppData\Local\TeamViewer\Logs\ErrorReports\84b3acce-b5b7-46da-cd93-5a061bf47bf2.run\__sentry-event --attachment=C:\Users\Admin\AppData\Local\TeamViewer\Logs\ErrorReports\84b3acce-b5b7-46da-cd93-5a061bf47bf2.run\__sentry-breadcrumb1 --attachment=C:\Users\Admin\AppData\Local\TeamViewer\Logs\ErrorReports\84b3acce-b5b7-46da-cd93-5a061bf47bf2.run\__sentry-breadcrumb2 --initial-client-data=0x1d0,0x1d4,0x1d8,0x1a4,0x1dc,0x144ffd8d8,0x144ffd8f0,0x144ffd908
        5⤵
        Executes dropped EXE
        
        PID:2992
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\TeamViewer\outlook\TeamViewerMeetingAddinShim.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2512
  - - C:\Windows\SysWOW64\schtasks.exe
      C:\Windows\system32\schtasks /Delete /TN TVInstallRestore /F
      4⤵
      System Location Discovery: System Language Discovery
      PID:1588
  - - C:\Program Files\TeamViewer\utils\MicrosoftEdgeWebview2Setup.exe
      "C:\Program Files\TeamViewer\utils\MicrosoftEdgeWebview2Setup.exe" /install
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Program Files (x86)\Microsoft\Temp\EUF43E.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EUF43E.tmp\MicrosoftEdgeUpdate.exe" /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        5⤵
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:864
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2584
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2552
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1328
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1912
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.45\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1816
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEU2QkI4QTItM0Y3Qy00RjQzLUFGQzUtMTYwNTI2OTQ5OTJBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins2MzQyOUVCQS0zQzBFLTRFMTMtOTBBNC00QjcxMTIwRjU0MTl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3My40NSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMjU0OTQ5MjAwMCIgaW5zdGFsbF90aW1lX21zPSI2NDAiLz48L2FwcD48L3JlcXVlc3Q-
        6⤵
        Executes dropped EXE
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2096
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{0E6BB8A2-3F7C-4F43-AFC5-16052694992A}"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "1716" "368"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1524
      - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "864" "332"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1540

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2060
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEU2QkI4QTItM0Y3Qy00RjQzLUFGQzUtMTYwNTI2OTQ5OTJBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxNDdCRjM0OC1GN0Y0LTQxQzktOTVFQi1ERDU2MDI3NUNDMDV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIG5leHR2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjMiIHN5c3RlbV91cHRpbWVfdGlja3M9IjI1NTEzNjQwMDAiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Modifies data under HKEY_USERS
  PID:2648
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9D4C2C4-2CFB-4CA7-B791-C3646D1A1DAA}\MicrosoftEdge_X64_109.0.1518.140.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9D4C2C4-2CFB-4CA7-B791-C3646D1A1DAA}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:2556
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9D4C2C4-2CFB-4CA7-B791-C3646D1A1DAA}\EDGEMITMP_893B4.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9D4C2C4-2CFB-4CA7-B791-C3646D1A1DAA}\EDGEMITMP_893B4.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A9D4C2C4-2CFB-4CA7-B791-C3646D1A1DAA}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2152
  - - C:\Windows\system32\wermgr.exe
      "C:\Windows\system32\wermgr.exe" "-outproc" "2152" "492"
      4⤵
      PID:3044
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNDUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNDUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEU2QkI4QTItM0Y3Qy00RjQzLUFGQzUtMTYwNTI2OTQ5OTJBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins1MDJFQUI5Mi1GNDgyLTRDNUMtODI0NC1BQTYxNjUyMTdEM0Z9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTA5LjAuMTUxOC4xNDAiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjMwNjQ2MDQwMDAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIzMDY0NjA0MDAwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMzI4ODYyMDAwMCIgc291cmNlX3VybF9pbmRleD0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMGM0MDg0ZjMtMWJlZC00MjQ2LWI4ZWQtMjA2Y2NiZTYwZTNjP1AxPTE3MzQzNzA5NzAmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9bWtRZ2lOM1IlMmJmeFMlMmZBdzF2djdGSlhSck1RQWhveEVnZXNFU2tvY0RQeSUyYnBDcDlvTVBqMkR6OGZvS1RtMGFJTUkxY2lqdDlGVENNMjFNVVRUSG9wSlElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNDA2OTYwMDgiIHRvdGFsPSIxNDA2OTYwMDgiIGRvd25sb2FkX3RpbWVfbXM9IjE2MTc3Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMzI4ODYyMDAwMCIgc291cmNlX3VybF9pbmRleD0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjMzMDE1NjgwMDAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iNiIgZXJyb3Jjb2RlPSI4NyIgZXh0cmFjb2RlMT0iMTA3NDc5MDQwMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMzQ1MTAxNjAwMCIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjYyMDkiIGRvd25sb2FkX3RpbWVfbXM9IjIyNDAxIiBkb3dubG9hZGVkPSIxNDA2OTYwMDgiIHRvdGFsPSIxNDA2OTYwMDgiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjE0OTQ1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Modifies data under HKEY_USERS
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
ae0bd70d0d7e467457b9e39b29f78410

SHA1
b4a549508cbc9f975a191434d4d20ad3c28d5028

SHA256
4d9f16b00bda1db65b68cb486f7ae1bf5b32aedf7fd335e4a8ef2fa087870986

SHA512
cbe2b5ffe647f5318edd9825ea6536d6d14dab66920def0323fb5b4dc03a4f8b6781b9209e5a557ab4d270b3f2b170797e6bd807195c93869367c0a245a3168e

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\Installer\msedge_7z.data

Filesize
3KB

MD5
bd70ed26e6e6f3193043ac09c58c6a1c

SHA1
d733a65e17f2851d5116598dd80533efc1656468

SHA256
7a474217d20b9a6fe3c3a46c0d6d5b2d2040fa790663f6da9202ee7cb07bb448

SHA512
3e2ecade6d687b0736d5eafd7527b24095b9c51f0c8ba99398b23da2d8843c49fc8c1fa37190d385b504d8224c8c517d78d44ae32e10e45d54b19477a6970756

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2152_894818457\109.0.1518.140\Installer\setup.exe

Filesize
3.8MB

MD5
3a92a61a6e01c80ecc7d9499abb901b7

SHA1
d89d05802d937f9c71ced14282b8a19623fca7c8

SHA256
b70b2ed82c7afde8003983992b74f8182f55080b43da3d96dd29e8c0c7e8b47e

SHA512
3867efbd984ddd1eec084c70a42104cbc0057c3bed222af8963051779b612b46bf4cea3311452f6564513d7558d49a1e66a9473ad53f1b2fb4c43a9d7d0fb47d

Download Submit
C:\Program Files\TeamViewer\utils\MicrosoftEdgeWebview2Setup.exe

Filesize
1.5MB

MD5
b32d72daeee036e2b8f1c57e4a40e87a

SHA1
564caa330d077a3d26691338b3e38ee4879a929d

SHA256
65f6efdf6df4095971a95f4bf387590ae63109388344632a22458265ab7dd289

SHA512
b5d62ce1462d786c01d38e13d030ad6236ce63321819cf860cc6169f50f6309e627bc7709b305422851779e37dbae9fb358008aad8d6c124cd33cdec730288d5

Download Submit
C:\Program Files\TeamViewer\x64\teamviewervpn.sys

Filesize
34KB

MD5
f5520dbb47c60ee83024b38720abda24

SHA1
bc355c14a2b22712b91ff43cd4e046489a91cae5

SHA256
b8e555d92440bf93e3b55a66e27cef936477ef7528f870d3b78bd3b294a05cc0

SHA512
3c5bb212467d932f5eaa17a2346ef8f401a49760c9c6c89c6318a1313fcbabb1d43b1054692c01738ea6a3648cc57e06845b81becb3069f478d5b1a7cbcb0e66

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
14KB

MD5
2246114286748914db563b00a04e73dc

SHA1
529250bcf9b1c010a317dbc7fca3b615967d5188

SHA256
c625a0e9eaee4b3468110129c0d7c56baba266689d1ababb16f88e9508ca0594

SHA512
90e4dab7ab795cf5700f1f8a08b49aa36528bc0a2b0ac0ab82257cea9e4405df0a2de5d6117e2b9b96942049e6ced71af9363c3053140a3c209c8bf27e318958

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE9E4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE9F7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjA891.tmp\start_unicode.ini

Filesize
1KB

MD5
e1e5f83035cb20fd89b7de415465eb28

SHA1
9444cf7198dbf73700d19f4725d8d06efec87366

SHA256
483e0ae06bf051ffd48e0374d6d16454ad7ebc0794bfc4572e4c40155b4b4e2f

SHA512
b3aaa4d68a0d79a5ad8471ea8ebe9cea3f2ec202fcec32da1c39555d7e17b77738411f3b6b75a99c904014d2f0dee93644813775fb1c22e3c5694ac2713c31bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjA891.tmp\start_unicode.ini

Filesize
2KB

MD5
650edb4d9f1c0bf2b4c53e3f2610d865

SHA1
519ee46c9b2e82a36aa7637b4db97040f00dde45

SHA256
a45830bba58d863043e6f157615b388e1554121d1c2df87dabc220e6c8c777c6

SHA512
71fb2d0aaabf13d49f35ac45fba56a8a1b746c1263e23e54241737aacead9da5f008d2c37a9c1c1fafb97f0086b60749c26f5d05aa8c321fd7d9acf5b87bf6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjA891.tmp\start_unicode.ini

Filesize
2KB

MD5
eab9169898abd47091a3fd84c45022a0

SHA1
e228953923f242cb161eb073fba79ddbbef7df39

SHA256
787cf7d6aaa19844152f7eed782d73b79ff2d3a126f9dfc202c74d5c9e55b7f3

SHA512
e8711aa555ddbd21466a609abb313075517ada7ac22d82d9436394db27f85e7f1d77e63e9b5d3d6e5a408a830fb24d202d12a06d46a3f6c991425c6ddbee73ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA4F7.tmp\TvGetVersion.dll

Filesize
686KB

MD5
878c644c12c3d96438c2909fbb7375cd

SHA1
4fb206e213bd088e28a1c10ab815d1bfd1b522f1

SHA256
75cf60d72a2cb6a748db6f69e2bfa065422df7bb6636d3c214f5435341574a66

SHA512
df0d1903901ffaf7ca1ee22cc5b8bac37cb554f78ed07a8ccaf84a2cd6fb7f9ac5599caad83d92079e170190701a9391468331ec8aa562bfdf32376703e05bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA4F7.tmp\nsjA537\TV15Install.log

Filesize
4KB

MD5
78baf7f20246ad249169b77d27d22626

SHA1
953a5db04e2f8fab6c252df2fa16df10af562613

SHA256
1437576f7b959bc2062608d4c812110f0feafc8c38162bf541e3f3537d14f48b

SHA512
7aa097a948cdd20df67234d7057047dd348d999614fef31ba8ca36caa292bb79159f079e8a7ea3b45d25a81d827dc29511b2f14a3cc9733f51934df8e6afbf88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyA4F7.tmp\nsjA537\tvinfo.ini

Filesize
50B

MD5
a48b05e8e36f7f4e9096ade8950b87e4

SHA1
c743c68fb5798389435927338d1c8ed1c59496a2

SHA256
72935bcb05a31b405a0e4a13eb0babd1640bbe03fad52ff85ffa91390d0e8eee

SHA512
7943a5c44c136347f199a1a3e1aa8af3f4ee9d5024d4588e3faa95f57dcd51292e606a057d567d45c8bc9d62ebfcfebd199654d1f1214b205124418c592f47f7

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
1b857393605362bcd2d7ff31f2be8c54

SHA1
a8aa71f776787392a725267ab336ffd4c254ab10

SHA256
9032b6bfded58df1ac337da44778fe3185a7155d9d2badc43c4e1a6c965e11fc

SHA512
ec218be680e387161f80028253ae825dfa7f7116a51c6fac5bc98f01d81231d31da4bf89961de4ea2b3feeaeba5153468bd3c8e4de25600429ad19b0efb2a952

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f10f851c877a95661a058549672cd324

SHA1
6070d594e2c7a6e29aa326cd50b2c80a236505ab

SHA256
1b34cc01d56f0ee2d28240b260d763b2e8a63fe4899c632b63d764680a9c2fcf

SHA512
c465ba545d6af55c8c7a7e24962ccf668d9771f675f0bbfe1351f2efd1ee7f643eb95677f761461b9beaacba03f79db9fe389adedb03739f767ea11d91038c73

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a19a279fa32174eb3d3007f3247b5f8c

SHA1
902f0bfb70b9e990ecbc8b6d86b7be09386cdc9f

SHA256
d065386c6526b013ec171fbb65015a9cc23ab87170535dc284e88edd4bf4283b

SHA512
f19d361f1ad706a295a94c70d848deb5c62765a3bd5305792dbe152e0a6f4eae8ee22381a32dcb1b71fad5103fdc28688d3047792f10fa27c8bcf88cba8525c9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4db2b5da68fe7796e1c22166905c6421

SHA1
c232872dec4176875dfa36fa3c5772b5c67cba75

SHA256
f7696f8d40835c579997edc26c597cbe35df72ec325b488118aee5ff89e7518f

SHA512
44a89ef6b614726304605e0557ff30682316eee6904be3a5fb911c67e0e494433c22748e9dd94d2f4d13ebf4b9d9c9de418c9566c786f8b91dd6b87b69aed07b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
551db88d577e92a38fac518f733d3e37

SHA1
240f90b5927ba204ae36665069711be69960541f

SHA256
2dbebea5f7375fbc7da43db0c2a9e8e2f9bcc1071fb71f832e201d96dc84bdd6

SHA512
1a29f70b4bea9bcc3e482eb3d43036a0312105e0eff72f90fc3ed9b59594819068c4ca6436376359296d6acfaa0f0a5664c65cdeb1ec92e2cca56aeb3aa06976

Download Submit
\Users\Admin\AppData\Local\Temp\Client-built.exe

Filesize
3.1MB

MD5
181719b653c83d0463d89a625a7f5c3e

SHA1
1173005be27979dc74779e60dc790299e4f2b0a4

SHA256
03a4b081b4966130cbe615ff249954e7e9a0d62a79faf8e56ac3830929748e43

SHA512
d05e6fc586a8731903df4cffe3bdcb92f99e2cdbe15e40706e87ecc038e4e9b1ef1fc9a39f8adeda4341e3507f2f8f81ae50d590ff9f4233cd7694b26fb3fa04

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA891.tmp\InstallOptions.dll

Filesize
27KB

MD5
e87068563fc18e67a78230067cc240e5

SHA1
37cd2cb5581fc575b8c46383d877926bda85883b

SHA256
822f75b69dd87332b5995528771923ec74dc5329c65094bf4e372eb8ef42bb8e

SHA512
dab6b330d73abadb63f6eb02a5bc87ce9b9d1bc64fcb9289581cfc2e04be0254893945b3bdb762b382bb491388e34bc018f098a489908dfbc9feca2a9ba13d5d

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA891.tmp\System.dll

Filesize
23KB

MD5
938c37b523d7fc08166e7a5810dd0f8e

SHA1
47b9663e5873669211655e0010e322f71b5a94be

SHA256
a91aa7c0ead677fc01b1c864e43e0cace110afb072b76ad47f4b3d1563f4dc20

SHA512
77afe83fb4e80a775dae0a54a2f0ff9710c135f9f1cf77396bc08a7fe46b016a8c079b4fa612e764eea5d258703f860688e38b443e33b1f980e04831739517c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA891.tmp\TvGetVersion.dll

Filesize
696KB

MD5
41c3a6594060581d3bf1a16ed4ae6a72

SHA1
62bdf8c2a3fa5f70e8b25e83c946debf80c8fd47

SHA256
e35396c7d7e32a8fe771895ed9ea16bd85c8544410bf4dc70a42ccd2884cfd83

SHA512
3fee7ea74b4173b2815d631c8e69f5a21f2a170a46ce60424f9b9fb03cf7a35eab6933210497f851816a1a85eb3fdb682781ccb5e2607b7ade6dbc7a098368bd

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA891.tmp\UAC.dll

Filesize
29KB

MD5
488819f838abfcad73a2220c151292ee

SHA1
4a0cbd69300694f6dc393436e56a49e27546d0fe

SHA256
b5bb8d301173c4dd2969b1203d2c7d9400ba3f7f2e34ee102905bd2724162430

SHA512
b00d6cf712fe4cefce41479f6e6f4aa5ea006694d10f2837204de5bde1c5a4bef1368f2b0eb4b66d57a66e8ce6dc335fa91e9c8017e8e125c27eb1f5df4de9a0

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA891.tmp\UserInfo.dll

Filesize
15KB

MD5
77ff6a927940a0e4b8dc07bdde6ab5db

SHA1
8d0035242289504d050d237f7e3e548c1ddff077

SHA256
e1cb80a23786b02cb2c6a2f9e391b63cbf3ad911e42bbdc14cc6879c84b7404e

SHA512
6a3050dc8e3f4eaaa85a43cdf1ac4f69745c07efe48268103ee7d8927ec574b6866740f95e6b3aff154ba74cd05024223a3ea4957cb773dd065cfd797f8a07e3

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA891.tmp\linker.dll

Filesize
56KB

MD5
b05a97bb3f532b7cf57b8eedf198d7af

SHA1
83c13a90f4a3c1c62e132f5f3bc70c97c2ecfc80

SHA256
7817f79bcdf54ef8617f15b5c0b9b92053549d5a51fa280722ee7179311b69a1

SHA512
40706c5fc72198148962d24046722fc5e488c0cc4b3374a9f4b652175919e97a8712e882940db8c26479619a26ec4e2d41744627a9ca52ec7cb1ce4f91d7ee8c

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA891.tmp\nsArray.dll

Filesize
18KB

MD5
9761d708ea7c49662a21f6690d439e06

SHA1
b2e757e7eee5c788f16d666fb6cf9d41caccb04b

SHA256
8b8be21fa7bca491c93683c9f84bb49370ca7e1e864bd0658ff9e1d2809b67e4

SHA512
25990a993373009ccbd9e89cae3fc601928121775d0d5fe326c55a305ce8de51f35a2cb160e9dfbf3be82a53ddf7b9864116e7f5d3325afd7403cd3b7740c652

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA891.tmp\nsExec.dll

Filesize
18KB

MD5
9ea6ec7934495cc757639b5095362ca7

SHA1
ef2c14142b70689483576cc09083db4a2a363e02

SHA256
4d8c8353641bbb26bf9ea2ab2dbf126be6ef164b1ce80e3ef5030b873be166cd

SHA512
414b08f75bd7febb56784d8534cee028f6420776f07ce5797f66a78748c34b52f443aa35f72c8d7c81dd5366b34998b56d99a9d0d2b4b2b6bfc9775e4ff66531

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA891.tmp\nsis7z.dll

Filesize
187KB

MD5
7fe20cee9277556f4ef137e61d29d9f5

SHA1
d53c37dbf548914ed20c8ebb21186a95beef1ee3

SHA256
5d71aaeefbc81732017e9040c8087e6686a16dd54e6d9bcd5ba7a47af68cc925

SHA512
a90250214c6c5048b098e031fca5a8097854a8667330551d7694740e3bc83f7d77791d314e3ac75617ef1834b75c41e3e3d3c74da9794a207894c13fb2d4bef7

Download Submit
memory/864-3052-0x0000000074910000-0x0000000074B21000-memory.dmp

Filesize
2.1MB

Download
memory/864-3051-0x0000000000BF0000-0x0000000000C25000-memory.dmp

Filesize
212KB

Download
memory/1716-3054-0x0000000074910000-0x0000000074B21000-memory.dmp

Filesize
2.1MB

Download
memory/2060-3055-0x0000000074910000-0x0000000074B21000-memory.dmp

Filesize
2.1MB

Download
memory/2084-2983-0x0000000074DA0000-0x0000000074DAA000-memory.dmp

Filesize
40KB

Download
memory/2084-1760-0x0000000007BE0000-0x0000000007C12000-memory.dmp

Filesize
200KB

Download
memory/2084-1754-0x0000000074DA0000-0x0000000074DAA000-memory.dmp

Filesize
40KB

Download
memory/2084-1560-0x00000000005E0000-0x00000000005EE000-memory.dmp

Filesize
56KB

Download
memory/2084-1659-0x0000000074DA0000-0x0000000074DAA000-memory.dmp

Filesize
40KB

Download
memory/2096-3060-0x0000000074910000-0x0000000074B21000-memory.dmp

Filesize
2.1MB

Download
memory/2096-3053-0x0000000074910000-0x0000000074B21000-memory.dmp

Filesize
2.1MB

Download
memory/2096-3256-0x0000000074910000-0x0000000074B21000-memory.dmp

Filesize
2.1MB

Download
memory/2096-3620-0x0000000074910000-0x0000000074B21000-memory.dmp

Filesize
2.1MB

Download
memory/2572-2316-0x0000000003520000-0x0000000003B08000-memory.dmp

Filesize
5.9MB

Download
memory/2572-2315-0x0000000003520000-0x0000000003B08000-memory.dmp

Filesize
5.9MB

Download
memory/2640-1333-0x0000000000140000-0x0000000000464000-memory.dmp

Filesize
3.1MB

Download
memory/2648-3073-0x0000000074910000-0x0000000074B21000-memory.dmp

Filesize
2.1MB

Download
memory/2648-3056-0x0000000074910000-0x0000000074B21000-memory.dmp

Filesize
2.1MB

Download
memory/2648-3308-0x0000000074910000-0x0000000074B21000-memory.dmp

Filesize
2.1MB

Download
memory/2648-3623-0x0000000074910000-0x0000000074B21000-memory.dmp

Filesize
2.1MB

Download
memory/2884-12-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-463-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-33-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-186-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-20-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-1342-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-222-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-18-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-244-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-0-0x00000000746C1000-0x00000000746C2000-memory.dmp

Filesize
4KB

Download
memory/2884-262-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-246-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-431-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-227-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-486-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-9-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-16-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-14-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-1324-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-6-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-1325-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-1326-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-1334-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-7-0x0000000016E10000-0x000000001B639000-memory.dmp

Filesize
72.2MB

Download
memory/2884-5-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-4-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-3-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-2-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download
memory/2884-1-0x00000000746C0000-0x0000000074C6B000-memory.dmp

Filesize
5.7MB

Download