487dbf672aae6a0d03f819409c587052106c5e15430cf8948762f77da109ccf6

Analysis

max time kernel
57s
max time network
58s
platform
windows11-21h2_x64
resource
win11-20250207-en
resource tags

arch:x64arch:x86image:win11-20250207-enlocale:en-usos:windows11-21h2-x64system
submitted
08-02-2025 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

915a9ac1222489326e5ae312ca3365a86587f264794a1b0bdc7f4b18a6de1962.exe
Size

3.7MB
MD5

34bacef5e0b44c55a9b293d0cc67220b
SHA1

c898260acb34f3dd2e7212109282154e15776091
SHA256

915a9ac1222489326e5ae312ca3365a86587f264794a1b0bdc7f4b18a6de1962
SHA512

61a60ab79a50dd7b13ba5c8ca6886fb8501e5ca1de3185d8ccf33e95da3c5422a741c093edf722d5d9d5ac67094313c454182e158203f3a0df68325381b62fea
SSDEEP

49152:F8o8bZjyJVD0s9Mr3XIfRviWkgEOaxfCbCMcXGtSgvZPOQ5Qo:F8o8VOUs9joRbMc2tSW6o

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	915a9ac1222489326e5ae312ca3365a86587f264794a1b0bdc7f4b18a6de1962.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmic.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2900	MicrosoftEdgeUpdate.exe
1072	MicrosoftEdgeUpdate.exe
2308	MicrosoftEdgeUpdate.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\ShowCmd = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "287309825"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings	control.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\WFlags = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	taskmgr.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 0c0001008421de39050000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel\HotKey = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\Registry\User\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\NotificationData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\Microsoft.Windows.ControlPanel	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 1e00718000000000000000000000e1a40ed25739d211a40b0c50205241530000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1113119086-3642147062-910976179-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
324	explorer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3196	wmic.exe
Token: SeSecurityPrivilege	3196	wmic.exe
Token: SeTakeOwnershipPrivilege	3196	wmic.exe
Token: SeLoadDriverPrivilege	3196	wmic.exe
Token: SeSystemProfilePrivilege	3196	wmic.exe
Token: SeSystemtimePrivilege	3196	wmic.exe
Token: SeProfSingleProcessPrivilege	3196	wmic.exe
Token: SeIncBasePriorityPrivilege	3196	wmic.exe
Token: SeCreatePagefilePrivilege	3196	wmic.exe
Token: SeBackupPrivilege	3196	wmic.exe
Token: SeRestorePrivilege	3196	wmic.exe
Token: SeShutdownPrivilege	3196	wmic.exe
Token: SeDebugPrivilege	3196	wmic.exe
Token: SeSystemEnvironmentPrivilege	3196	wmic.exe
Token: SeRemoteShutdownPrivilege	3196	wmic.exe
Token: SeUndockPrivilege	3196	wmic.exe
Token: SeManageVolumePrivilege	3196	wmic.exe
Token: 33	3196	wmic.exe
Token: 34	3196	wmic.exe
Token: 35	3196	wmic.exe
Token: 36	3196	wmic.exe
Token: SeIncreaseQuotaPrivilege	3196	wmic.exe
Token: SeSecurityPrivilege	3196	wmic.exe
Token: SeTakeOwnershipPrivilege	3196	wmic.exe
Token: SeLoadDriverPrivilege	3196	wmic.exe
Token: SeSystemProfilePrivilege	3196	wmic.exe
Token: SeSystemtimePrivilege	3196	wmic.exe
Token: SeProfSingleProcessPrivilege	3196	wmic.exe
Token: SeIncBasePriorityPrivilege	3196	wmic.exe
Token: SeCreatePagefilePrivilege	3196	wmic.exe
Token: SeBackupPrivilege	3196	wmic.exe
Token: SeRestorePrivilege	3196	wmic.exe
Token: SeShutdownPrivilege	3196	wmic.exe
Token: SeDebugPrivilege	3196	wmic.exe
Token: SeSystemEnvironmentPrivilege	3196	wmic.exe
Token: SeRemoteShutdownPrivilege	3196	wmic.exe
Token: SeUndockPrivilege	3196	wmic.exe
Token: SeManageVolumePrivilege	3196	wmic.exe
Token: 33	3196	wmic.exe
Token: 34	3196	wmic.exe
Token: 35	3196	wmic.exe
Token: 36	3196	wmic.exe
Token: SeShutdownPrivilege	4452	control.exe
Token: SeCreatePagefilePrivilege	4452	control.exe
Token: SeDebugPrivilege	640	taskmgr.exe
Token: SeSystemProfilePrivilege	640	taskmgr.exe
Token: SeCreateGlobalPrivilege	640	taskmgr.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
324	explorer.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe
640	taskmgr.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 3196	2716	915a9ac1222489326e5ae312ca3365a86587f264794a1b0bdc7f4b18a6de1962.exe	91
PID 2716 wrote to memory of 3196	2716	915a9ac1222489326e5ae312ca3365a86587f264794a1b0bdc7f4b18a6de1962.exe	91
PID 2716 wrote to memory of 3196	2716	915a9ac1222489326e5ae312ca3365a86587f264794a1b0bdc7f4b18a6de1962.exe	91
PID 324 wrote to memory of 640	324	explorer.exe	111
PID 324 wrote to memory of 640	324	explorer.exe	111

C:\Users\Admin\AppData\Local\Temp\915a9ac1222489326e5ae312ca3365a86587f264794a1b0bdc7f4b18a6de1962.exe
"C:\Users\Admin\AppData\Local\Temp\915a9ac1222489326e5ae312ca3365a86587f264794a1b0bdc7f4b18a6de1962.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\wbem\wmic.exe
  wmic os get oslanguage /FORMAT:LIST
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5204,i,16294233882891958660,8619871275160685719,262144 --variations-seed-version --mojo-platform-channel-handle=4644 /prefetch:14
1⤵
PID:2384

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0Q1MUEwQjEtMjMxQy00MkU2LUI0QUEtQUU0RENBRjA1MTU3fSIgdXNlcmlkPSJ7RUE5Mzc1OUEtNkY4Qy00NTY1LUEwRDgtQTFEOTNEQzZGNjIzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QkQxNkFCMDMtRTY4MC00OEExLUE4OTgtMDNGMzc2REVCRUIwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NTAyNyIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNDI3NjIxMTgwMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxNjQ5NDg1NTEiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2900

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "4052" "1288" "1156" "1292" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:3132

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0Q1MUEwQjEtMjMxQy00MkU2LUI0QUEtQUU0RENBRjA1MTU3fSIgdXNlcmlkPSJ7RUE5Mzc1OUEtNkY4Qy00NTY1LUEwRDgtQTFEOTNEQzZGNjIzfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InswRDYxRUE2RC0xNUZGLTQ3RDgtODJGOS1CMUUxMkMxMTM0RjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTczODk1NDU0OSI-PGV2ZW50IGV2ZW50dHlwZT0iMzIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjQiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxNzMzODYyMzciLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1072

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0Q1MUEwQjEtMjMxQy00MkU2LUI0QUEtQUU0RENBRjA1MTU3fSIgdXNlcmlkPSJ7RUE5Mzc1OUEtNkY4Qy00NTY1LUEwRDgtQTFEOTNEQzZGNjIzfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntDOUM4NDRCMC03RTY5LTQ2NzktODRDOS00Q0NCNDgyNjkzMjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC40OCI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSIxIiByZD0iNjYxMiIgcGluZ19mcmVzaG5lc3M9IntENTQ1NTQwOC0yQTMxLTQ4NjgtODE1My0zQjRDRDBDMzcxMDZ9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuOTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxODQ0Njc0NDA3MzcwOTU1MTYwNiIgdXBkYXRlX2NvdW50PSIxIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzODM0MzA1NTEwMTk5MzEwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iMSIgcj0iMSIgYWQ9IjY2MTIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezZDQzI2QUE4LUU3OUQtNDAyQS1BOERELTM4OUVBRDM5NEIxNX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBjb2hvcnQ9InJyZkAwLjI4IiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMSIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7NDYxMTFDMUMtMDc4Mi00NkI2LUJEQkItQkU2OUVCRTk0MjI4fSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2308

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:2860

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:324
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /7
  2⤵
  - Checks SCSI registry key(s)
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:640

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
400KB

MD5
2eddcc2be7c04c90ecb4580ebcddce2b

SHA1
856df4e221edf840fd4ef623fcde93faef4c2178

SHA256
1cbbd38603930cb04da78adf4b0d7a8545d4a4dcd34739804a1e5c1db4ea1950

SHA512
547c2bbe850244295ef24b31f626468292cdae4248159b0741915ba309fb67d6b0c42ce1d192cb9072b4dd06f3439ae61b3f5bc0dd79a8bbdcf58360b7ae9590

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
380KB

MD5
5c26d7ef75bb89a45fab4698ba4b753c

SHA1
55ed9d1df1afeef2169bd22f4b6a9c9904288cba

SHA256
c92f80aa6373a9cee403bbe617417a9f287805f28146675bee29e64e03717a6c

SHA512
b2821f579031f948e5ce4b7ce1d97a44200e2b61a09fcf7b75149dda4f4d0d122b989beaf60b43c5fb9ce9967f84988e90030abfa09317f18e60e2017be0fd58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
460efeb2222e435a4096be5a1145bc99

SHA1
4d6b554a30952c081dd361fe84affe3aa88867e4

SHA256
5c201630e76e288924603067e513a47f2402224a7c7d884104fcfe1d5bacd11f

SHA512
3c9019113d8d841bfa33012e21c237de4b289895eef58836a1354fc98015efbbae74c05df93e40ee136c95441542308697c462405aa2dc6aa3fa2b1af66d2cf4

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\69e93a20-56e5-4b5d-b59b-42198f19a51d.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
memory/640-21-0x000001FC2C200000-0x000001FC2C201000-memory.dmp

Filesize
4KB

Download
memory/640-20-0x000001FC2C200000-0x000001FC2C201000-memory.dmp

Filesize
4KB

Download
memory/640-19-0x000001FC2C200000-0x000001FC2C201000-memory.dmp

Filesize
4KB

Download
memory/640-25-0x000001FC2C200000-0x000001FC2C201000-memory.dmp

Filesize
4KB

Download
memory/640-31-0x000001FC2C200000-0x000001FC2C201000-memory.dmp

Filesize
4KB

Download
memory/640-30-0x000001FC2C200000-0x000001FC2C201000-memory.dmp

Filesize
4KB

Download
memory/640-29-0x000001FC2C200000-0x000001FC2C201000-memory.dmp

Filesize
4KB

Download
memory/640-28-0x000001FC2C200000-0x000001FC2C201000-memory.dmp

Filesize
4KB

Download
memory/640-27-0x000001FC2C200000-0x000001FC2C201000-memory.dmp

Filesize
4KB

Download
memory/640-26-0x000001FC2C200000-0x000001FC2C201000-memory.dmp

Filesize
4KB

Download