Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
793s -
max time network
894s -
platform
windows10-2004_x64 -
resource
win10v2004-20250207-en -
resource tags
arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system -
submitted
09/02/2025, 03:27
Static task
static1
Behavioral task
behavioral1
Sample
Predictor7.6.3.rar
Resource
win10v2004-20250207-en
Behavioral task
behavioral2
Sample
Predictor7.6.3/Check this Before Open!.png
Resource
win10v2004-20250207-en
Behavioral task
behavioral3
Sample
Predictor7.6.3/Predictor7.6.3.msi
Resource
win10v2004-20250207-en
Behavioral task
behavioral4
Sample
Predictor7.6.3/Sounds/VisualStudioSetup.exe
Resource
win10v2004-20250207-en
General
-
Target
Predictor7.6.3/Check this Before Open!.png
-
Size
106KB
-
MD5
2aaf9dcbef5f0fb02725b516163d71fa
-
SHA1
77a4f69078a4fb5e258c3196b42ec319589f60da
-
SHA256
83471a3c48abf4f11c7a920ab907efcd183e058801f8711e467e9c2efa8b1ad8
-
SHA512
ddc353c3fbc469dee34ee69d33be80997170194aaf8d580df0f044125698cdec6239f736e11e1dd01e2abd7c3a7e09f5d370f1a9d2f7bb43f6fdafa2ea0d5396
-
SSDEEP
3072:K5GDgY9gZCAnoiicqJUcs6WOw91co1FpSOqycoiCq:OGtKZ7ozcAWOwPpHiB
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" setup.exe -
Downloads MZ/PE file 2 IoCs
flow pid Process 47 1708 Process not Found 66 1760 Process not Found -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 10 IoCs
pid Process 4128 setup.exe 4124 setup.exe 1368 setup.exe 4568 setup.exe 4916 setup.exe 4832 setup.exe 2412 setup.exe 640 setup.exe 3448 setup.exe 4664 setup.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk setup.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\webview2_integration.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Content setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\vk_swiftshader_icd.json setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Program Files\msedge_installer.log setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\mi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\sl.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\tt.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\icudtl.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\LogoBeta.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Mu\Entities setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Social setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\tr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\dev.identity_helper.exe.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\sl.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win11\identity_helper.Sparse.Dev.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\132.0.2957.140.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\fr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\lv.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ne.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_bho.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\msedge_200_percent.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Mu\Analytics setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\en-GB.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\lb.pak setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\v8_context_snapshot.bin setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\mk.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_stub.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ja.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\kk.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ko.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\pt-PT.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\29d96ac0-1f59-4e29-bb0b-54206f773993.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Mu\Entities setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ga.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\zh-TW.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\edge_game_assist\EdgeGameAssist.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\ur.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\WidevineCdm\manifest.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\VisualElements\SmallLogoBeta.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\cs.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\lv.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\ml.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_proxy.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\stable.identity_helper.exe.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Sigma\Fingerprinting setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_helper.exe.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge.dll.sig setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\oneds.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\MEIPreload\manifest.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Stable.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Trust Protection Lists\Sigma\Other setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Locales\it.pak setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Trust Protection Lists\Sigma\Other setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\en-US.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\mt.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\identity_proxy\win10\identity_helper.Sparse.Beta.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\delegatedWebFeatures.sccd setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Locales\nn.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\edge_game_assist\VERSION setup.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1868 MicrosoftEdgeUpdate.exe 1036 MicrosoftEdgeUpdate.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Software\Microsoft\Internet Explorer\GPU wwahost.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration setup.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Internet Explorer\GPU wwahost.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\BHO" setup.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge setup.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" setup.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf\Extension = ".pdf" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids setup.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\elevation_service.exe" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.xht setup.exe Set value (str) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" wwahost.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\ProgrammaticAccessOnly setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.xml\OpenWithProgids setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" setup.exe Key created \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage wwahost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationName = "Microsoft Edge" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0 setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html\Extension = ".htm" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} setup.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E} setup.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C} setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,0" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.svg setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF setup.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13} setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\132.0.2957.140\\msedge.exe,0" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\ = "URL:microsoft-edge" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\Application setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\ = "IEToEdgeBHO Class" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open\command setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.mhtml setup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\NumberOfSubdomains = "0" wwahost.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32 setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\DefaultIcon setup.exe Set value (int) \REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\ = "0" wwahost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open\command setup.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 3696 mspaint.exe 3696 mspaint.exe 4916 setup.exe 4916 setup.exe 3768 LocalBridge.exe 3768 LocalBridge.exe 3768 LocalBridge.exe 3768 LocalBridge.exe 3768 LocalBridge.exe 3768 LocalBridge.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: 33 4128 setup.exe Token: SeIncBasePriorityPrivilege 4128 setup.exe Token: SeDebugPrivilege 4464 wwahost.exe Token: SeDebugPrivilege 4464 wwahost.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 3696 mspaint.exe 3696 mspaint.exe 3696 mspaint.exe 3696 mspaint.exe 4464 wwahost.exe -
Suspicious use of WriteProcessMemory 20 IoCs
description pid Process procid_target PID 3092 wrote to memory of 4128 3092 MicrosoftEdge_X64_132.0.2957.140.exe 99 PID 3092 wrote to memory of 4128 3092 MicrosoftEdge_X64_132.0.2957.140.exe 99 PID 4128 wrote to memory of 4124 4128 setup.exe 100 PID 4128 wrote to memory of 4124 4128 setup.exe 100 PID 4128 wrote to memory of 1368 4128 setup.exe 101 PID 4128 wrote to memory of 1368 4128 setup.exe 101 PID 1368 wrote to memory of 4568 1368 setup.exe 102 PID 1368 wrote to memory of 4568 1368 setup.exe 102 PID 4128 wrote to memory of 4916 4128 setup.exe 103 PID 4128 wrote to memory of 4916 4128 setup.exe 103 PID 4128 wrote to memory of 4832 4128 setup.exe 104 PID 4128 wrote to memory of 4832 4128 setup.exe 104 PID 4128 wrote to memory of 2412 4128 setup.exe 105 PID 4128 wrote to memory of 2412 4128 setup.exe 105 PID 4916 wrote to memory of 640 4916 setup.exe 106 PID 4916 wrote to memory of 640 4916 setup.exe 106 PID 2412 wrote to memory of 3448 2412 setup.exe 107 PID 2412 wrote to memory of 3448 2412 setup.exe 107 PID 4832 wrote to memory of 4664 4832 setup.exe 108 PID 4832 wrote to memory of 4664 4832 setup.exe 108 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ setup.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Predictor7.6.3\Check this Before Open!.png"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3696
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:624
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0IxQTc2MEMtN0M0Qi00NzQwLUE4MTctMDBGREVDMjVFMDIyfSIgdXNlcmlkPSJ7NDcwRTdENTAtQzhEMS00MEUzLUE4OUMtMDEyMjU5MkU2MzgzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RkJFN0M0QjAtRENCMy00Q0YyLUJCRDctMjE0NzMxMTlGQzg2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mjk0NDAxMjE1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1036
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\MicrosoftEdge_X64_132.0.2957.140.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable1⤵
- Suspicious use of WriteProcessMemory
PID:3092 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\MicrosoftEdge_X64_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4128 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6322ba818,0x7ff6322ba824,0x7ff6322ba8303⤵
- Executes dropped EXE
PID:4124
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6322ba818,0x7ff6322ba824,0x7ff6322ba8304⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4568
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7f665a818,0x7ff7f665a824,0x7ff7f665a8304⤵
- Executes dropped EXE
PID:640
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7f665a818,0x7ff7f665a824,0x7ff7f665a8304⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4664
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.160 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\132.0.2957.140\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.140 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7f665a818,0x7ff7f665a824,0x7ff7f665a8304⤵
- Executes dropped EXE
PID:3448
-
-
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness1⤵PID:4100
-
C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3768
-
C:\Windows\system32\wwahost.exe"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4464
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Q0IxQTc2MEMtN0M0Qi00NzQwLUE4MTctMDBGREVDMjVFMDIyfSIgdXNlcmlkPSJ7NDcwRTdENTAtQzhEMS00MEUzLUE4OUMtMDEyMjU5MkU2MzgzfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins1QjQzNjI5OS1CQjA0LTQ0MzctQTFDMi1DQkFCRUEyMjUxMjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGNvaG9ydD0icnJmQDAuMjciPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7RjVBRUEzNTEtMDI3MC00MzM0LTkwMkQtRkQ2RjlBMDEwMjMyfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjEiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQyMTkyMTE3ODM1MzAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU1MjQwODkwNzEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTUyNDI0NTI4MyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTEzMDAxODI2MDkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTcwNTMwMiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1jbVJJQSUyYndpYnRvWHNOMnl1Q2x6cDk5SG93WSUyZkRsSUFxWllua0IxZHNIVER4aHJuTldaWjdqMiUyZkxHNlVnc2NpbTVvcjRyNUE1OThTT3p6V0hmWUdtUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDEyODk0IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTMwMDE4MjYwOSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMDc0MDAzNmEtNGUxOC00NTZkLTk2ZmEtZDFkOWM0Y2E0Njc2P1AxPTE3Mzk3MDUzMDImYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9Y21SSUElMmJ3aWJ0b1hzTjJ5dUNsenA5OUhvd1klMmZEbElBcVpZbmtCMWRzSFREeGhybk5XWlo3ajIlMmZMRzZVZ3NjaW01b3I0cjVBNTk4U096eldIZllHbVElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSI1OTc5NDIyMCIgdG90YWw9IjE3NzE4MDIxNiIgZG93bmxvYWRfdGltZV9tcz0iNTM1OTM4Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMzAwMTgyNjA5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJ3aW5odHRwIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8wNzQwMDM2YS00ZTE4LTQ1NmQtOTZmYS1kMWQ5YzRjYTQ2NzY_UDE9MTczOTcwNTMwMiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1jbVJJQSUyYndpYnRvWHNOMnl1Q2x6cDk5SG93WSUyZkRsSUFxWllua0IxZHNIVER4aHJuTldaWjdqMiUyZkxHNlVnc2NpbTVvcjRyNUE1OThTT3p6V0hmWUdtUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IjIuMjAuMTIuNzQiIGNkbl9jaWQ9IjIiIGNkbl9jY2M9IkdCIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTc3MTgwMjE2IiB0b3RhbD0iMTc3MTgwMjE2IiBkb3dubG9hZF90aW1lX21zPSIzNTUwMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTMwMDMzOTA3MCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTMxNDA4ODkzMyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTE4NzQ1NTc2NDAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIyMjM3NSIgZG93bmxvYWRfdGltZV9tcz0iNTc3NjA5IiBkb3dubG9hZGVkPSIxNzcxODAyMTYiIHRvdGFsPSIxNzcxODAyMTYiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjU2MDMxIi8-PHBpbmcgYWN0aXZlPSIxIiBhPSIyIiByPSIyIiBhZD0iNjYxMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7MEJBNkIyMkEtN0QxNi00OTUzLTg2NDAtNDVBRTc3NkYzN0U4fSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjEiIGluc3RhbGxkYXRlPSI2NjA4IiBjb2hvcnQ9InJyZkAwLjkyIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0ie0I5OEQ3OUE1LTZGMTAtNEIzNi04RTQ1LUUxREYzMjQ3NUZCOX0iLz48L2FwcD48L3JlcXVlc3Q-1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1868
-
C:\Windows\system32\werfault.exewerfault.exe /hc /shared Global\322d21b7b6ed424da17f14d2c29c377c /t 4572 /p 44641⤵PID:4076
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FF7EAD3A-C410-4626-AA32-DACB4C0B0B1C}\EDGEMITMP_21890.tmp\setup.exe
Filesize6.6MB
MD5b4c8ad75087b8634d4f04dc6f92da9aa
SHA17efaa2472521c79d58c4ef18a258cc573704fb5d
SHA256522a25568bb503cf8b44807661f31f0921dee91d37691bf399868733205690bf
SHA5125094505b33a848badcffd6b3b93aad9ad73f391e201dee052376c4f8573ba351f0b8c102131216088ffb38d0ed7b5fe70ba95c3ac2c33a50c993584fe7c435e3
-
Filesize
3.7MB
MD53646786aea064c0845f5bb1b8e976985
SHA1a31ba2d2192898d4c0a01511395bdf87b0e53873
SHA256a129a6de7b90500483226192b260eaca1ee116a007771d421aa3eee38af48d6f
SHA512145f8abf2ecffd8ecc3745dbd9ab2e360826fa46d6f21dbebece7802b9b5980f4ab19e2dfd180ce0cfb84366f3ac5c87cd1b74a085e1a0dd620b6c097900e0f4
-
Filesize
70KB
MD5ef747b3dcefc27758b191f4c2ff1711e
SHA10836d161f7f91c7584aadd7e50bb59c286e25c26
SHA25678d4ade499ecede2b955528469fff673a852203ab6fd46e7e4fe63bae47762f7
SHA5126a1fbdddfb9868ba207bb32b328f0f457f28df8c5ba5ee57ef4208f7ab7d631eeb806c8df54bb0245ae0bece70bb74ec426325b884c2a1d8da2ea5ac85e8c667
-
Filesize
100KB
MD5e232445b2736cbf568e133020462b037
SHA1964ce1345dc7c9c78741eefd9049be9c4631ef89
SHA2560825c29fcaa682844c7a7223c24a9318f9c394d239d5d0413e5e1683623ed4ea
SHA51259f22b6ebabab278a9046b5daac7120b60a159e480ab47c4d1a6daca69e49c9e8caa513f1da5798bbfca0690e709e1f69a2056167acbc7b694acb71a9e1f41c6
-
Filesize
101KB
MD5b1eb153bf9f5a00fa0141411aacfe09f
SHA135dff8af800cdc4e1098998fd95642fec5375bcf
SHA2566512861da7a08ee9d002a24981349613c1222a9b2f1e4df8b73492a965f3c48b
SHA5126157cafd26ba73695de37df849e09cdcf791e976bf2aca79fd30decea22eccc8e4774de6ffa6346fe4c1e22c007b39d45798addb104d02a96b56bb61cd8dc7fe
-
Filesize
945KB
MD5e78e128fe5af78bb5b1194b365fa51f8
SHA1e7db378bb2eaaa9b3d4a67cbb11461a75b90159d
SHA2568eced23b5cc53db7d6cec304282836b3fd150900dbca2929ebcbe185f5ef4e99
SHA512b980eb03edaf4c558f6a11256dcb61ae3692d24a772f3030c97b379d34cc983f1c3c1b34b2d7091f3c8339a988c25694b957fac4170d71d0736f4c751e126afc