ee0b405b3e166fa9c1062ac6bed228b4ca7f990ce2dc62305d15ae4b3e6e35f1

Analysis

max time kernel
623s
max time network
575s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
09-02-2025 00:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RES/XWorm.Shell.resources
Size

130KB
MD5

a3fea8391774bbb0376e1f69eb6ee9d2
SHA1

96032202ca3dee1983d1990ae856112f8c832173
SHA256

7f71160fb4d68eda2e6af07f2b89416cd5668ffa5260dfbeb69391dfc5508586
SHA512

10a3c77631a0d1ee80198ffe430a0a389897201ef60a8f3e9beff5125545477d8ce6ea8fa5d186ef31dc4681b62048d71fcbb3106a88f22aaa08ee75de2c842c
SSDEEP

768:aoR1HiAxeglYAQ8BXIHDiJ9zUQI0xV3PrEiv/ewrmTIgdEM7XoSxSdL5NCc+Y:ayheg/Q8B59zUQISXnFmV+Ib81NJ+Y

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 4 IoCs

flow	pid	Process
50	3656	Process not Found
49	3060	Process not Found
59	3060	Process not Found
34	3656	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2380	MicrosoftEdgeUpdate.exe
3804	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-895555807-3853795127-2958627047-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-895555807-3853795127-2958627047-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4008	MicrosoftEdgeUpdate.exe
4008	MicrosoftEdgeUpdate.exe
4008	MicrosoftEdgeUpdate.exe
4008	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4008	MicrosoftEdgeUpdate.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2808	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RES\XWorm.Shell.resources
1⤵
- Modifies registry class
PID:2568

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2808

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUE5MTdDMkYtNTJBQy00NDI0LUE0NEMtODA3N0M1Q0RFNDBCfSIgdXNlcmlkPSJ7N0U5NEMyNUYtRUQ1MC00MjgzLTg0OEItRTBDMUU1NkI2N0YxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjhBMzhGRTEtREEwNy00OEEyLUEzNkYtRjlDNEU1M0NGMERDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4MzAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTE0Njg3NjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTg4NDY0OTgzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3804

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUE5MTdDMkYtNTJBQy00NDI0LUE0NEMtODA3N0M1Q0RFNDBCfSIgdXNlcmlkPSJ7N0U5NEMyNUYtRUQ1MC00MjgzLTg0OEItRTBDMUU1NkI2N0YxfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins2Njc0MzhFRi0yQjhBLTRENjgtQUEzNy1BQzM3QTRERjg0RTR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGNvaG9ydD0icnJmQDAuMDgiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7RDUyMDI3MUEtNEQxQS00OTM5LThFOTctRjEzNTQxODYxRTFGfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMy4wLjMwNjUuNTEiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMSIgaXNfcGlubmVkX3N5c3RlbT0idHJ1ZSIgbGFzdF9sYXVuY2hfY291bnQ9IjEiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzgzNDIyNjg1ODA0MDE2MCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTIxMTkwMjg3NyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjExOTAyODc3IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDU5NTQ5Njg0MyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzU4MWZkYTk4LWFiNTYtNDQ2OC1iOWQxLThlYmMyYTE3MzE1OT9QMT0xNzM5NzA4MTc0JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVdyJTJmTXFKMGlQRUglMmZNQ1RjdXglMmJMZFlZY1I3WE13ZGtMUkFiRVYlMmJjZ0NJNXQ3JTJmaTJUekoybEtqRk9JbDZFV0dLeDk1R1oxZ21VVEVMWUFGY0QlMmJ2WDZ3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMTI3NDQiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwNTk1NDk2ODQzIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy81ODFmZGE5OC1hYjU2LTQ0NjgtYjlkMS04ZWJjMmExNzMxNTk_UDE9MTczOTcwODE3NCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1XciUyZk1xSjBpUEVIJTJmTUNUY3V4JTJiTGRZWWNSN1hNd2RrTFJBYkVWJTJiY2dDSTV0NyUyZmkyVHpKMmxLakZPSWw2RVdHS3g5NUdaMWdtVVRFTFlBRmNEJTJidlg2dyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjQzMDgwIiB0b3RhbD0iMTc4NjQ1MDgwIiBkb3dubG9hZF90aW1lX21zPSI4MzIxOSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAxMjg5NCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTA1OTU0OTY4NDMiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9Indpbmh0dHAiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzU4MWZkYTk4LWFiNTYtNDQ2OC1iOWQxLThlYmMyYTE3MzE1OT9QMT0xNzM5NzA4MTc0JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVdyJTJmTXFKMGlQRUglMmZNQ1RjdXglMmJMZFlZY1I3WE13ZGtMUkFiRVYlMmJjZ0NJNXQ3JTJmaTJUekoybEtqRk9JbDZFV0dLeDk1R1oxZ21VVEVMWUFGY0QlMmJ2WDZ3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iMTk5LjIzMi4yMTAuMTcyIiBjZG5fY2lkPSIzIiBjZG5fY2NjPSJHQiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iSElUIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjEzMjk4NyIgdG90YWw9IjE3ODY0NTA4MCIgZG93bmxvYWRfdGltZV9tcz0iMzQ5ODQiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwNTk1NDk2ODQzIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNTgxZmRhOTgtYWI1Ni00NDY4LWI5ZDEtOGViYzJhMTczMTU5P1AxPTE3Mzk3MDgxNzQmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9V3IlMmZNcUowaVBFSCUyZk1DVGN1eCUyYkxkWVljUjdYTXdka0xSQWJFViUyYmNnQ0k1dDclMmZpMlR6SjJsS2pGT0lsNkVXR0t4OTVHWjFnbVVURUxZQUZjRCUyYnZYNnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAxMjg5NCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTA1OTU0OTY4NDMiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzU4MWZkYTk4LWFiNTYtNDQ2OC1iOWQxLThlYmMyYTE3MzE1OT9QMT0xNzM5NzA4MTc0JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVdyJTJmTXFKMGlQRUglMmZNQ1RjdXglMmJMZFlZY1I3WE13ZGtMUkFiRVYlMmJjZ0NJNXQ3JTJmaTJUekoybEtqRk9JbDZFV0dLeDk1R1oxZ21VVEVMWUFGY0QlMmJ2WDZ3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTQwMDgyNiIgdG90YWw9IjE3ODY0NTA4MCIgZG93bmxvYWRfdGltZV9tcz0iMzM5ODU5Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDEyODk0IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDU5NTQ5Njg0MyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0id2luaHR0cCIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNTgxZmRhOTgtYWI1Ni00NDY4LWI5ZDEtOGViYzJhMTczMTU5P1AxPTE3Mzk3MDgxNzQmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9V3IlMmZNcUowaVBFSCUyZk1DVGN1eCUyYkxkWVljUjdYTXdka0xSQWJFViUyYmNnQ0k1dDclMmZpMlR6SjJsS2pGT0lsNkVXR0t4OTVHWjFnbVVURUxZQUZjRCUyYnZYNnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIxOTkuMjMyLjIxMC4xNzIiIGNkbl9jaWQ9IjMiIGNkbl9jY2M9IkdCIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSJISVQiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMjcxNDEiIHRvdGFsPSIxNzg2NDUwODAiIGRvd25sb2FkX3RpbWVfbXM9IjM0MjY2Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjI2ODQzNTQ2MyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTA1OTU0OTY4NDMiIHNvdXJjZV91cmxfaW5kZXg9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxNjU2IiBkb3dubG9hZF90aW1lX21zPSI1MzgzNDQiIHRvdGFsPSIxNzg2NDUwODAiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIi8-PHBpbmcgYWN0aXZlPSIxIiBhPSIyIiByPSIyIiBhZD0iNjYxMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MTZEMDI2REItQzk2Qi00MDJELUIwOUYtRTJFNjk3OEZBMzY3fSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRlPSI2NjA4IiBjb2hvcnQ9InJyZkAwLjgzIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezc1QkI0MDE2LURFRDYtNDYwMi1CRDc5LTAyNjgyRDk5RDYxNn0iLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2380

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2444" "996" "928" "1000" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:4544

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
804KB

MD5
726f38d418ca30c9f9196e0659604f34

SHA1
3c5b4190292369263c47a791df83c15d628cf90c

SHA256
412440b929120ea7a1249aa46fc4e2b440e0d78e53774d2c489a5a27266fe467

SHA512
9abe8422326d276d950d4d908f24660399e046055ddfad53f5f425d06bc822a317cade8cc99f3d80b3ae6f636930d579f6fe84115ca029f41e3693444d733100

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
818KB

MD5
b5bed36427a6a22ee88760e40a6f9364

SHA1
286c299a6ebc2b65b6c0eafe47f704a2c24fc5cf

SHA256
7b8eb37fbb7f3eeda0748645a44b31c6f267696f5e4615093d075bd02bc1b250

SHA512
349b6463407d75f1df7022c195dd63d2a6aeed750e0bf07e9084fe3280d6e8387f673557e85113852b0038123993ac69c3c81d424b70788d0d8c0d3717ad5358

Download Submit