sectoprat | 0b3a5a436be69f5e20ac0fd84dab58e27abb3cc5ecb821a182da5a3c25418feb

Analysis

max time kernel
126s
max time network
156s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-02-2025 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KSCMWOLPRKU31OY0O7IA05ZD.exe
Size

4.0MB
MD5

0b32762b67c07329013d3b4f01b9f840
SHA1

6cc1205ae97744ae4ebfed85577404a03e4d64f0
SHA256

0b3a5a436be69f5e20ac0fd84dab58e27abb3cc5ecb821a182da5a3c25418feb
SHA512

836d54d2ff9bec071c49746e23e82ff9bafc24547ffaad6c37d18b8b9eeab47f25dd8bf88217e02cef38e298be197714177774a37689c72022f5b1795cd85ae9
SSDEEP

98304:vmH01flvieIOBNZSAHVnAELyOpGKOnxz9M5iCj:eUfhIOB/HVnfLyOOxB8vj

Score

10^/10

sectoprat discovery persistence rat spyware trojan

Malware Config

Signatures

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1780-62-0x0000000000B00000-0x0000000000BC4000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3469783627-1975607001-3640873922-1000\Control Panel\International\Geo\Nation	KSCMWOLPRKU31OY0O7IA05ZD.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-3469783627-1975607001-3640873922-1000\Control Panel\International\Geo\Nation	KSCMWOLPRKU31OY0O7IA05ZD.tmp

Executes dropped EXE 3 IoCs

pid	Process
3696	KSCMWOLPRKU31OY0O7IA05ZD.tmp
1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp
768	Maui.com

Loads dropped DLL 2 IoCs

pid	Process
3696	KSCMWOLPRKU31OY0O7IA05ZD.tmp
1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3469783627-1975607001-3640873922-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rabbitweed = "\"C:\\dece46ed-a799-48e1-8b91-21e9bb410ae9\\Autoit3.exe\" \"C:\\dece46ed-a799-48e1-8b91-21e9bb410ae9\\rabbitweed.a3x\""	Maui.com

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
4920	tasklist.exe
1940	tasklist.exe
2164	tasklist.exe
1652	tasklist.exe
3292	tasklist.exe
3016	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 768 set thread context of 1780	768	Maui.com	116

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KSCMWOLPRKU31OY0O7IA05ZD.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KSCMWOLPRKU31OY0O7IA05ZD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KSCMWOLPRKU31OY0O7IA05ZD.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maui.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KSCMWOLPRKU31OY0O7IA05ZD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2324	MicrosoftEdgeUpdate.exe
2012	MicrosoftEdgeUpdate.exe
2136	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp
1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp
768	Maui.com
768	Maui.com
768	Maui.com
768	Maui.com
1780	jsc.exe
1780	jsc.exe
1780	jsc.exe
1780	jsc.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2164	tasklist.exe
Token: SeDebugPrivilege	1652	tasklist.exe
Token: SeDebugPrivilege	3292	tasklist.exe
Token: SeDebugPrivilege	3016	tasklist.exe
Token: SeDebugPrivilege	4920	tasklist.exe
Token: SeDebugPrivilege	1940	tasklist.exe
Token: SeDebugPrivilege	1780	jsc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1780	jsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3160 wrote to memory of 3696	3160	KSCMWOLPRKU31OY0O7IA05ZD.exe	87
PID 3160 wrote to memory of 3696	3160	KSCMWOLPRKU31OY0O7IA05ZD.exe	87
PID 3160 wrote to memory of 3696	3160	KSCMWOLPRKU31OY0O7IA05ZD.exe	87
PID 3696 wrote to memory of 4728	3696	KSCMWOLPRKU31OY0O7IA05ZD.tmp	88
PID 3696 wrote to memory of 4728	3696	KSCMWOLPRKU31OY0O7IA05ZD.tmp	88
PID 3696 wrote to memory of 4728	3696	KSCMWOLPRKU31OY0O7IA05ZD.tmp	88
PID 4728 wrote to memory of 1700	4728	KSCMWOLPRKU31OY0O7IA05ZD.exe	89
PID 4728 wrote to memory of 1700	4728	KSCMWOLPRKU31OY0O7IA05ZD.exe	89
PID 4728 wrote to memory of 1700	4728	KSCMWOLPRKU31OY0O7IA05ZD.exe	89
PID 1700 wrote to memory of 644	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	90
PID 1700 wrote to memory of 644	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	90
PID 1700 wrote to memory of 644	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	90
PID 644 wrote to memory of 2164	644	cmd.exe	92
PID 644 wrote to memory of 2164	644	cmd.exe	92
PID 644 wrote to memory of 2164	644	cmd.exe	92
PID 644 wrote to memory of 3868	644	cmd.exe	93
PID 644 wrote to memory of 3868	644	cmd.exe	93
PID 644 wrote to memory of 3868	644	cmd.exe	93
PID 1700 wrote to memory of 3412	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	95
PID 1700 wrote to memory of 3412	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	95
PID 1700 wrote to memory of 3412	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	95
PID 3412 wrote to memory of 1652	3412	cmd.exe	97
PID 3412 wrote to memory of 1652	3412	cmd.exe	97
PID 3412 wrote to memory of 1652	3412	cmd.exe	97
PID 3412 wrote to memory of 2664	3412	cmd.exe	98
PID 3412 wrote to memory of 2664	3412	cmd.exe	98
PID 3412 wrote to memory of 2664	3412	cmd.exe	98
PID 1700 wrote to memory of 4684	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	99
PID 1700 wrote to memory of 4684	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	99
PID 1700 wrote to memory of 4684	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	99
PID 4684 wrote to memory of 3292	4684	cmd.exe	101
PID 4684 wrote to memory of 3292	4684	cmd.exe	101
PID 4684 wrote to memory of 3292	4684	cmd.exe	101
PID 4684 wrote to memory of 3196	4684	cmd.exe	102
PID 4684 wrote to memory of 3196	4684	cmd.exe	102
PID 4684 wrote to memory of 3196	4684	cmd.exe	102
PID 1700 wrote to memory of 4268	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	103
PID 1700 wrote to memory of 4268	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	103
PID 1700 wrote to memory of 4268	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	103
PID 4268 wrote to memory of 3016	4268	cmd.exe	105
PID 4268 wrote to memory of 3016	4268	cmd.exe	105
PID 4268 wrote to memory of 3016	4268	cmd.exe	105
PID 4268 wrote to memory of 60	4268	cmd.exe	106
PID 4268 wrote to memory of 60	4268	cmd.exe	106
PID 4268 wrote to memory of 60	4268	cmd.exe	106
PID 1700 wrote to memory of 3272	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	107
PID 1700 wrote to memory of 3272	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	107
PID 1700 wrote to memory of 3272	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	107
PID 3272 wrote to memory of 4920	3272	cmd.exe	109
PID 3272 wrote to memory of 4920	3272	cmd.exe	109
PID 3272 wrote to memory of 4920	3272	cmd.exe	109
PID 3272 wrote to memory of 2516	3272	cmd.exe	110
PID 3272 wrote to memory of 2516	3272	cmd.exe	110
PID 3272 wrote to memory of 2516	3272	cmd.exe	110
PID 1700 wrote to memory of 3308	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	111
PID 1700 wrote to memory of 3308	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	111
PID 1700 wrote to memory of 3308	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	111
PID 3308 wrote to memory of 1940	3308	cmd.exe	113
PID 3308 wrote to memory of 1940	3308	cmd.exe	113
PID 3308 wrote to memory of 1940	3308	cmd.exe	113
PID 3308 wrote to memory of 5000	3308	cmd.exe	114
PID 3308 wrote to memory of 5000	3308	cmd.exe	114
PID 3308 wrote to memory of 5000	3308	cmd.exe	114
PID 1700 wrote to memory of 768	1700	KSCMWOLPRKU31OY0O7IA05ZD.tmp	115

C:\Users\Admin\AppData\Local\Temp\KSCMWOLPRKU31OY0O7IA05ZD.exe
"C:\Users\Admin\AppData\Local\Temp\KSCMWOLPRKU31OY0O7IA05ZD.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3160
- C:\Users\Admin\AppData\Local\Temp\is-0MBBO.tmp\KSCMWOLPRKU31OY0O7IA05ZD.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-0MBBO.tmp\KSCMWOLPRKU31OY0O7IA05ZD.tmp" /SL5="$50226,2664948,119296,C:\Users\Admin\AppData\Local\Temp\KSCMWOLPRKU31OY0O7IA05ZD.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\KSCMWOLPRKU31OY0O7IA05ZD.exe
    "C:\Users\Admin\AppData\Local\Temp\KSCMWOLPRKU31OY0O7IA05ZD.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\is-B5BA3.tmp\KSCMWOLPRKU31OY0O7IA05ZD.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-B5BA3.tmp\KSCMWOLPRKU31OY0O7IA05ZD.tmp" /SL5="$6024A,2664948,119296,C:\Users\Admin\AppData\Local\Temp\KSCMWOLPRKU31OY0O7IA05ZD.exe" /VERYSILENT
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:644
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
      - C:\Windows\SysWOW64\find.exe
        
        find /I "wrsa.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3412
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
      - C:\Windows\SysWOW64\find.exe
        
        find /I "opssvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4684
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
      - C:\Windows\SysWOW64\find.exe
        
        find /I "avastui.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3196
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4268
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
      - C:\Windows\SysWOW64\find.exe
        
        find /I "avgui.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:60
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3272
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4920
      - C:\Windows\SysWOW64\find.exe
        
        find /I "nswscsvc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3308
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
      - C:\Windows\SysWOW64\find.exe
        
        find /I "sophoshealth.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5000
    - - C:\ProgramData\{601B404E-CB65-4102-816E-E044F381B78D}\Maui.com
        
        "C:\ProgramData\{601B404E-CB65-4102-816E-E044F381B78D}\Maui.com" rabbitweed.a3x
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:768
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1780

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjgxRjMwRUMtNEE1NC00NTI4LTk3QzEtNjZBQTI5NzQzOUQ2fSIgdXNlcmlkPSJ7REVENjYyQUItMjY3Qy00NDJGLUEwNUEtNUU3NURBQkNGODM5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7ODUwNDBCMjItMzcxNi00RkZDLUE3NjEtRjhCODhERTdGQzVBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NDk2IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5NzUxNDQwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDk3OTcxNjUwOSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2136

C:\Windows\SysWOW64\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "1148" "1144" "1140" "1108" "0" "0" "0" "0" "0" "0" "0" "0"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:4652

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjgxRjMwRUMtNEE1NC00NTI4LTk3QzEtNjZBQTI5NzQzOUQ2fSIgdXNlcmlkPSJ7REVENjYyQUItMjY3Qy00NDJGLUEwNUEtNUU3NURBQkNGODM5fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InszMTFGQTRBMy1BRDBGLTQwMDktQkQ3Ni1DN0ZEMTY5OEQ3N0N9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkyLjAuOTAyLjY3IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM0OTM0Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTAxMjIxNjUxNSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2324

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RjgxRjMwRUMtNEE1NC00NTI4LTk3QzEtNjZBQTI5NzQzOUQ2fSIgdXNlcmlkPSJ7REVENjYyQUItMjY3Qy00NDJGLUEwNUEtNUU3NURBQkNGODM5fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsyMEY2REU5NC1FNUMwLTRCQjUtODEyNC03RDhBMjZDMDk2Q0Z9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xOTUuNDMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBjb2hvcnQ9InJyZkAwLjk1Ij48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezYxOUNFRDFCLTUyNDEtNEY4Ni1CMkY3LTc4QUU4N0QwNjI0Q30iLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iMTMyLjAuMjk1Ny4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMiIgY29ob3J0PSJycmZAMC4zOSIgb29iZV9pbnN0YWxsX3RpbWU9IjE4NDQ2NzQ0MDczNzA5NTUxNjA2IiB1cGRhdGVfY291bnQ9IjEiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM4MzQxMTk1NDQ0Mzc4MzAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSIyIiByPSIyIiBhZD0iNjYxMiIgcmQ9IjY2MTIiIHBpbmdfZnJlc2huZXNzPSJ7NDY1NzAzRDUtOTkyMy00NTFCLUE2OEYtREUzREI5QzU0NDIzfSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzIuMC4yOTU3LjE0MCIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjIiIGluc3RhbGxkYXRlPSI2NjA4IiBjb2hvcnQ9InJyZkAwLjI2Ij48dXBkYXRlY2hlY2svPjxwaW5nIHI9IjIiIHJkPSI2NjEyIiBwaW5nX2ZyZXNobmVzcz0iezE5QTExQUFCLTZBQTctNEQ3RS05RTJCLTQxOUU3ODFCMEJBOX0iLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
439KB

MD5
89fe9d8d3141036c514a1f0b19bcf2cc

SHA1
be0e46ae3adbc8af03624ac2be1e943ee5f22bf6

SHA256
63e4ea4439619779eaa68b7ef356ef91ba5db87fd29df0b0afc7dfa0fd574760

SHA512
7344723c10c437dc31c463735f6426904eb40e5dfac6251f57cf533c8fcd71ba01e91da925bc4711f43c0403b323a91722d8871d65dd135c97318e7bdbe32a15

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
458KB

MD5
18023a470631428d034fd5d3e6156f33

SHA1
d61d89fe6cdbaf9a46f3cbd37987232794b39e71

SHA256
a4af932a0264ae9f5593cd1acceb758b08eb4ee23b34cbd6dda8fdfc305766f8

SHA512
c0f0f6dda0719b44db18c9ca212669b1f2e2a81bbc7c5014fb768f49a720a16c2b1b1f9ea361dcea2f67dd0387de1e4936243407383e7c7b897c47524d39bf2e

Download Submit
C:\ProgramData\{601B404E-CB65-4102-816E-E044F381B78D}\Maui.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\ProgramData\{601B404E-CB65-4102-816E-E044F381B78D}\rabbitweed.a3x

Filesize
805KB

MD5
ab6bea1bc5f739877f1991e78642b2ae

SHA1
a29b46ef3bd3a07338085570d0845bfb53304403

SHA256
9c86fad55d4ccc6bb2a10d6b835952c40080c2ce20bec49ac94ffc22305c05e3

SHA512
177135126ec9e7d3e6cdd227bf0f26a4c512a95908b80db3e1222c9893af0b1a5a342480ed8aa8f18c655ac83d9d73ddc3fb00f3ac886e9ef2297df6501bfd57

Download Submit
C:\ProgramData\{601B404E-CB65-4102-816E-E044F381B78D}\rabbitweed.vssm

Filesize
755KB

MD5
69971244ef6a1a10f85c5a334932cd67

SHA1
f43d2c261f9279f37f5e8d009b96d531d5bd3a43

SHA256
085ec8918f9d2daf85d53d18bfc56b315fb227ec4824bd3bee3aa0e3f6fa5e6a

SHA512
3bd046950ad77550528c2fdb4aa36f4eeddfef38bff5d7f14b6fcb7060532f5fcc6b9ef02fcf13b5a3f27278689f92773b95275e06307b84f446776ae9afca53

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-0MBBO.tmp\KSCMWOLPRKU31OY0O7IA05ZD.tmp

Filesize
1.1MB

MD5
b1f9d665e52c29972b50d7145d88dce1

SHA1
df2c67a5c32a19bb110ec8372134522c0dab9ac2

SHA256
2ffabb0018d335267d2d0101a41cac7ac7d1aa80956fae91825e46aaa85c0787

SHA512
bcdce189402ffc1c17b9803ac4040bd1cb23e32ba2c1476cbcfae13438078e01f78ad3f76e1bf71a6ec204663aa5f5780990016fc074218763d63db1431f1e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-68EU4.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BJBKK.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1700-38-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1700-56-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1700-26-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1700-37-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/1780-67-0x0000000005280000-0x00000000052F6000-memory.dmp

Filesize
472KB

Download
memory/1780-71-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download
memory/1780-92-0x0000000005DA0000-0x0000000005DDC000-memory.dmp

Filesize
240KB

Download
memory/1780-91-0x0000000005530000-0x0000000005542000-memory.dmp

Filesize
72KB

Download
memory/1780-76-0x00000000088D0000-0x00000000088DA000-memory.dmp

Filesize
40KB

Download
memory/1780-70-0x0000000005EB0000-0x0000000005ECE000-memory.dmp

Filesize
120KB

Download
memory/1780-69-0x0000000006390000-0x00000000068BC000-memory.dmp

Filesize
5.2MB

Download
memory/1780-62-0x0000000000B00000-0x0000000000BC4000-memory.dmp

Filesize
784KB

Download
memory/1780-63-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/1780-64-0x00000000057B0000-0x0000000005D56000-memory.dmp

Filesize
5.6MB

Download
memory/1780-65-0x00000000050B0000-0x00000000050BA000-memory.dmp

Filesize
40KB

Download
memory/1780-66-0x00000000055A0000-0x0000000005762000-memory.dmp

Filesize
1.8MB

Download
memory/1780-68-0x0000000005200000-0x0000000005250000-memory.dmp

Filesize
320KB

Download
memory/3160-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3160-3-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/3160-27-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3696-6-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/3696-24-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/4728-17-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4728-59-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4728-35-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/4728-20-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download