revengerat | 38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

16-02-2025 01:02

250216-bd8gxstmfr 10

13-02-2025 19:41

250213-yd78gssrap 10

Analysis

max time kernel
891s
max time network
907s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
16-02-2025 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Size

21KB
MD5

6fe3fb85216045fdf8186429c27458a7
SHA1

ef2c68d0b3edf3def5d90f1525fe87c2142e5710
SHA256

905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550
SHA512

d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c
SSDEEP

384:nPD9On5gIdjbvRPJnMacNj6FIlKrZbJsV5reQ+ys:b9On2nV6FIlKr1

Score

10^/10

revengerat adware discovery execution persistence privilege_escalation stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral30/files/0x0008000000023e17-13.dat	revengerat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe

Downloads MZ/PE file 3 IoCs

flow	pid	Process
160	1184	Process not Found
107	2992	Process not Found
59	1184	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Control Panel\International\Geo\Nation	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSO.exe	MSSCS.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 11 IoCs

pid	Process
4516	MSSCS.exe
3416	setup.exe
2936	setup.exe
4284	setup.exe
4020	setup.exe
1808	setup.exe
3612	setup.exe
4292	setup.exe
4320	setup.exe
3432	setup.exe
4080	setup.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4900	powershell.exe

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
File opened for modification	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File created	C:\Windows\system32\MSSCS.exe	MSSCS.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\gl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\tr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\edge_feedback\mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\vcruntime140_1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\eu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\uk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\win11\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Sigma\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\mt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\pl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\sr-Latn-RS.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\vulkan-1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\hi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_proxy\win11\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\af.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\concrt140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\CompatExceptions	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Edge.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\mr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\dxil.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ur.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\edge_feedback\camera_mf_trace.wprp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\libEGL.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\or.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\edge_game_assist\VERSION	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ka.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\as.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Other	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\wns_push_client.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\prefs_enclave_x64.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\lb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ur.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ne.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ca.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\hu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\sl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\bn-IN.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4ae89c7a-edb2-4cd8-927a-d0a8a6182b16.tmp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ru.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ga.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\pl.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\it.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_proxy\win11\identity_helper.Sparse.Stable.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\tt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\as.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\fa.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\nl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\delegatedWebFeatures.sccd	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\pa.pak	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4780	MicrosoftEdgeUpdate.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationDescription = "Browse the web"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com\ = "0"	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1"	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\NumberOfSubdomains = "1"	wwahost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,11"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheVersion = "1"	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage	wwahost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\NumberOfSubdomains = "0"	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\notification_click_helper.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\ = "IEToEdgeBHO Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\EBWebView\\x64\\EmbeddedBrowserWebView.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\MuiCache	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\PdfPreview\\PdfPreviewHandler.dll"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO\\ie_to_edge_bho_64.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf\Extension = ".pdf"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\URL Protocol	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\PdfPreview\\PdfPreviewHandler.dll"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-3932017190-1449707826-1445630-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}"	setup.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4900	powershell.exe
4900	powershell.exe
4900	powershell.exe
1808	setup.exe
1808	setup.exe
4888	LocalBridge.exe
4888	LocalBridge.exe
4888	LocalBridge.exe
4888	LocalBridge.exe
4888	LocalBridge.exe
4888	LocalBridge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4332	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
Token: SeDebugPrivilege	4516	MSSCS.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: 33	3416	setup.exe
Token: SeIncBasePriorityPrivilege	3416	setup.exe
Token: SeDebugPrivilege	4088	wwahost.exe
Token: SeDebugPrivilege	4088	wwahost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4088	wwahost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 4516	4332	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	96
PID 4332 wrote to memory of 4516	4332	905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe	96
PID 4516 wrote to memory of 4900	4516	MSSCS.exe	103
PID 4516 wrote to memory of 4900	4516	MSSCS.exe	103
PID 4516 wrote to memory of 3672	4516	MSSCS.exe	105
PID 4516 wrote to memory of 3672	4516	MSSCS.exe	105
PID 3672 wrote to memory of 2976	3672	vbc.exe	108
PID 3672 wrote to memory of 2976	3672	vbc.exe	108
PID 4516 wrote to memory of 4232	4516	MSSCS.exe	109
PID 4516 wrote to memory of 4232	4516	MSSCS.exe	109
PID 4232 wrote to memory of 544	4232	vbc.exe	111
PID 4232 wrote to memory of 544	4232	vbc.exe	111
PID 4516 wrote to memory of 4416	4516	MSSCS.exe	112
PID 4516 wrote to memory of 4416	4516	MSSCS.exe	112
PID 4416 wrote to memory of 2656	4416	vbc.exe	114
PID 4416 wrote to memory of 2656	4416	vbc.exe	114
PID 4516 wrote to memory of 4320	4516	MSSCS.exe	115
PID 4516 wrote to memory of 4320	4516	MSSCS.exe	115
PID 4320 wrote to memory of 4596	4320	vbc.exe	117
PID 4320 wrote to memory of 4596	4320	vbc.exe	117
PID 4516 wrote to memory of 4116	4516	MSSCS.exe	118
PID 4516 wrote to memory of 4116	4516	MSSCS.exe	118
PID 4116 wrote to memory of 3700	4116	vbc.exe	120
PID 4116 wrote to memory of 3700	4116	vbc.exe	120
PID 4516 wrote to memory of 4504	4516	MSSCS.exe	121
PID 4516 wrote to memory of 4504	4516	MSSCS.exe	121
PID 4504 wrote to memory of 3668	4504	vbc.exe	123
PID 4504 wrote to memory of 3668	4504	vbc.exe	123
PID 4516 wrote to memory of 1592	4516	MSSCS.exe	124
PID 4516 wrote to memory of 1592	4516	MSSCS.exe	124
PID 1592 wrote to memory of 2952	1592	vbc.exe	126
PID 1592 wrote to memory of 2952	1592	vbc.exe	126
PID 4516 wrote to memory of 2668	4516	MSSCS.exe	127
PID 4516 wrote to memory of 2668	4516	MSSCS.exe	127
PID 2668 wrote to memory of 3044	2668	vbc.exe	129
PID 2668 wrote to memory of 3044	2668	vbc.exe	129
PID 4516 wrote to memory of 2176	4516	MSSCS.exe	130
PID 4516 wrote to memory of 2176	4516	MSSCS.exe	130
PID 2176 wrote to memory of 2452	2176	vbc.exe	132
PID 2176 wrote to memory of 2452	2176	vbc.exe	132
PID 4516 wrote to memory of 772	4516	MSSCS.exe	133
PID 4516 wrote to memory of 772	4516	MSSCS.exe	133
PID 772 wrote to memory of 2100	772	vbc.exe	135
PID 772 wrote to memory of 2100	772	vbc.exe	135
PID 1904 wrote to memory of 3416	1904	MicrosoftEdge_X64_133.0.3065.69.exe	145
PID 1904 wrote to memory of 3416	1904	MicrosoftEdge_X64_133.0.3065.69.exe	145
PID 3416 wrote to memory of 2936	3416	setup.exe	146
PID 3416 wrote to memory of 2936	3416	setup.exe	146
PID 3416 wrote to memory of 4284	3416	setup.exe	147
PID 3416 wrote to memory of 4284	3416	setup.exe	147
PID 4284 wrote to memory of 4020	4284	setup.exe	148
PID 4284 wrote to memory of 4020	4284	setup.exe	148
PID 3416 wrote to memory of 1808	3416	setup.exe	149
PID 3416 wrote to memory of 1808	3416	setup.exe	149
PID 3416 wrote to memory of 3612	3416	setup.exe	150
PID 3416 wrote to memory of 3612	3416	setup.exe	150
PID 1808 wrote to memory of 4292	1808	setup.exe	152
PID 1808 wrote to memory of 4292	1808	setup.exe	152
PID 3416 wrote to memory of 4320	3416	setup.exe	151
PID 3416 wrote to memory of 4320	3416	setup.exe	151
PID 3612 wrote to memory of 3432	3612	setup.exe	153
PID 3612 wrote to memory of 3432	3612	setup.exe	153
PID 4320 wrote to memory of 4080	4320	setup.exe	154
PID 4320 wrote to memory of 4080	4320	setup.exe	154

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe
"C:\Users\Admin\AppData\Local\Temp\905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Windows\system32\MSSCS.exe
  "C:\Windows\system32\MSSCS.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ExecutionPolicy Bypass -Command [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); [System.Windows.Forms.MessageBox]::Show('Isto abriu lol','Rekt!',0,64)
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4900
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d-vrh_yd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES70B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB78E2D5EA2294984A79CC98E9CC7D92.TMP"
      4⤵
      PID:2976
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sydpt9w1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4232
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES814.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA615AC4BF11848A892D7AF1D24DB08D.TMP"
      4⤵
      PID:544
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c0mxgul8.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C330D5EC502467E8A1A5B9D47275334.TMP"
      4⤵
      PID:2656
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rfotnxmm.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCD6CD554D5E548A19C2EB31769795F3F.TMP"
      4⤵
      PID:4596
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ukvfu-5z.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7174FF5918FA42E2AA9FB8CC1EA1A2C.TMP"
      4⤵
      PID:3700
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6_1rksfl.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4504
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA95.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAB31107F8804587AFBC9DAFC0D0AB5F.TMP"
      4⤵
      PID:3668
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ji0stn5u.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB41.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC169544624846A38D58A99CD2B356.TMP"
      4⤵
      PID:2952
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\eu9fpoxh.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc23FB40C4E88044DF8CC429DB1253D6FF.TMP"
      4⤵
      PID:3044
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\65km4okc.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC5A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD17FEC46313A410D821CD7B58719392E.TMP"
      4⤵
      PID:2452
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1baenipg.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcBC42350EF80340DBAA8066B8EF7DDBB7.TMP"
      4⤵
      PID:2100

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OTU4RkQ4OUMtNjAxOS00OEI0LTg4MkMtNTU2NjZDREE0NTBBfSIgdXNlcmlkPSJ7M0YzRkY5ODItN0FCMi00RjU3LUEyNjItNTJEQzM3MzZBNTg1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7M0Q1QzZBNEQtRkY5OC00NTA3LTlFNTQtMDNBRTg1MzZBOURGfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI4IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY0MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODc1OTU2NTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDQwMzcwMDI3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4780

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\MicrosoftEdge_X64_133.0.3065.69.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\EDGEMITMP_A3410.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\EDGEMITMP_A3410.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3416
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\EDGEMITMP_A3410.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\EDGEMITMP_A3410.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\EDGEMITMP_A3410.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff692056a68,0x7ff692056a74,0x7ff692056a80
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2936
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\EDGEMITMP_A3410.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\EDGEMITMP_A3410.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:4284
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\EDGEMITMP_A3410.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\EDGEMITMP_A3410.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\EDGEMITMP_A3410.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff692056a68,0x7ff692056a74,0x7ff692056a80
      4⤵
      Executes dropped EXE
      PID:4020
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78c946a68,0x7ff78c946a74,0x7ff78c946a80
      4⤵
      Executes dropped EXE
      PID:4292
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff78c946a68,0x7ff78c946a74,0x7ff78c946a80
      4⤵
      Executes dropped EXE
      PID:3432
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff78c946a68,0x7ff78c946a74,0x7ff78c946a80
      4⤵
      Executes dropped EXE
      PID:4080

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:1292

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4888

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{68785F97-958E-43C3-B8B9-35226FC54A7A}\EDGEMITMP_A3410.tmp\setup.exe

Filesize
6.8MB

MD5
bdb1aecedc15fc82a63083452dad45c2

SHA1
a074fcd78665ff90ee3e50ffcccad5f6c3e7ddcb

SHA256
4ea0907c3fc2c2f6a4259002312671c82e008846d49957bb3b9915612e35b99f

SHA512
50909640c2957fc35dd5bcac3b51797aa5daa2fb95364e69df95d3577482e13f0c36a70ae098959cb9c2aaeb4cfe43025c1d8d55b5f8858b474bcb702609749d

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.9MB

MD5
4aaa893417cccc147989f876c6a7b295

SHA1
b1e35c83518bb275924ead0cd6206bf0c982d30f

SHA256
2c38e3c3f18e2d3fb7f04336356b9b5186cabe06b3343beec318ef0def1a9eeb

SHA512
109e0c88977fae65a4950fc38393ca32a70d68ef41aeb75b28e6566e0fa626e32e31be38308e7ed5b6a8ba1f56fb5f2133a07aa8bb643224c3dbb089ce9cfd0e

Download Submit
C:\Program Files\msedge_installer.log

Filesize
74KB

MD5
cf0fa4d728731ed9fe0a63fbd3937315

SHA1
90eb2e2639079ef4e512a2ed7c8e2d51ec895ed3

SHA256
ee7efcd0a2940ed93e1bd48051b706a8d8eafc2dceb9b58343a753a324437915

SHA512
d46a1971786bd50f735ebe9d7a567b49845a2793b6a08cae31bc3fed74fe9bddb83a711005cd40fd0ca53eb93de97460f6f7b89c400206203cc73cde14fcb065

Download Submit
C:\Program Files\msedge_installer.log

Filesize
103KB

MD5
df43bc0a93f59897891af957f1925e0f

SHA1
bd9428c766a679fea624a650b03584234c43af85

SHA256
63370e6e38578974d97c94ecc3851ac7ed7d35cb3e86358290f472da494c2ac7

SHA512
a67fca59d9d1de2e2ef43d9b67e9e8a5a60209b081dac81a1c43c2d01f5654a839f555741e79d5bb06b3487542dcd447384b08d3208e7b87ca091348e03bbefe

Download Submit
C:\Program Files\msedge_installer.log

Filesize
104KB

MD5
ae0de3cd07c5371333e94e22e9c5da71

SHA1
6dfd5905141d0fcc002f08db55123e21b5a48ff5

SHA256
f93887dfc7c3e2ee505efaedaf66df6ecfd62e75e9ccadef94c5c708f0d5f417

SHA512
2fe29f737dc533b7461f361ee7732661e6e7230c505c723b256aa8965d2e61f97b511d8e4264136d759d1e2a16c9a0185c568d8870fe8d1dbdd363d3e855d5aa

Download Submit
C:\Program Files\msedge_installer.log

Filesize
106KB

MD5
bf5f159edfc0faff6f4520da08804457

SHA1
9c24d14a476861db8f0805563bb29e68e8cbfba4

SHA256
d76208d7d09c20147a660c6e04180af1bc1a638ef66e9f7501e0dbf77b4d21ef

SHA512
16478b0d6b2e162cf56ecb7e69e3b8f45c2a03c000a66778e2cbf21487e7615887072c6f91c6ed698df20b14826db1214004b8dcef3e5991daded897c79b6a15

Download Submit
C:\Users\Admin\AppData\Local\Temp\1baenipg.0.vb

Filesize
273B

MD5
3c3d3136aa9f1b87290839a1d26ad07a

SHA1
005a23a138be5d7a98bdd4a6cc7fab8bdca962f4

SHA256
5b745f85a39312bfa585edbd7e3465371578b42fa639eded4cdad8c9f96b87fd

SHA512
fbb085ffcd77ac96c245067fd96a0c20492d55331161f292975b0c11386424a96534a500133217f84d44455e16139d01230455bce5db3d472271620c29381f60

Download Submit
C:\Users\Admin\AppData\Local\Temp\1baenipg.cmdline

Filesize
173B

MD5
3f694063adf866e344475ee4105c3350

SHA1
43d2496144d2365ca740548441a99da5f5259209

SHA256
a9347433ac194ef5c019558e0ba3d903992705e9bb0819a8fa0e3b9b777c2f16

SHA512
242520be974b0db3761724189f80a2f227ad824001ec193475a625ef1209903263a1f79cad64776bcbdf0e7552e3d4990309a7e4b60b69289b878dc07aa00412

Download Submit
C:\Users\Admin\AppData\Local\Temp\65km4okc.0.vb

Filesize
270B

MD5
658573fde2bebc77c740da7ddaa4634b

SHA1
073da76c50b4033fcfdfb37ba6176afd77b0ea55

SHA256
c07206283d62100d426ba62a81e97bd433966f8b52b5a8dd1451e29a804a1607

SHA512
f93c7f4378be5eca51161d1541d772a34c07884c9d829608c6fa21563df5691920394afe9da1174ad5c13f773a588b186d1d38a9d375a28562eb58ca4a8b8fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\65km4okc.cmdline

Filesize
170B

MD5
b4639c813cf46b5ae04916878b907bdd

SHA1
aa855911f16783e5377dd8917120edd92ca51273

SHA256
7760ef9cb28ea566f03038377e72579b2a58d30a58e2e32cdca91c6ca2154617

SHA512
fcdd8102ab011413005f8dd1dadcfbf8fc8455e2ba3a0840a4a10ddafef5c9acb393e88aff101b56e1d1f26349b6493ebf17b71b13e67fb2d29d73427baa0851

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_1rksfl.0.vb

Filesize
271B

MD5
325f27ef75bebe8b3f80680add1943d3

SHA1
1c48e211258f8887946afb063e9315b7609b4ee3

SHA256
034c75813491d628a1a740b45888fc0c301b915456aaa7ba6433b4f1368cda35

SHA512
e2165b425558872897990953c26e48776f45751a53da035f1ad86ac062ec23a2923b984d84f992de5c0170f6e192feb155ffff25f51bc76ab273b996daacb804

Download Submit
C:\Users\Admin\AppData\Local\Temp\6_1rksfl.cmdline

Filesize
171B

MD5
327a6ab854805fc40db9ca0ed7d8de9e

SHA1
c942b76ce6facd37644ebca01a4beed87d08e064

SHA256
bf562d07d7d17d6157888baed9128e015622a25a8fb7d55a680733d918d771b8

SHA512
2daca3be7194283b63745062a4704aae4a103ceb7031a920c0527db1f7441dc9090b4813f2d5222ceb7b34c2a2ce9891d8f9e2b3298b9daf8f874ef0d85fe960

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES70B.tmp

Filesize
1KB

MD5
1ba16ad6c1a74e8c64a0929557b4333c

SHA1
a345441b6252bb2838718d4735e9950fe4053a48

SHA256
3d1e1e20c1632107118b327662c1c442203713fa371281116f690d8889a5b1a3

SHA512
cbb7b18ef769e7806905fc9d32479649d89ae5b00a0d43cb6209b3f55cc171f04fcd5c3703d932b8dcff1dc7b00c25b44f54902c78f65556f3b724db44c76f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES814.tmp

Filesize
1KB

MD5
de08f84cf97cbb70e1e7a914cda0e56c

SHA1
6b86abe5165aa1c6a98ac71e850a568f3dcb3b01

SHA256
c8038a26e24688659084c1006d222395fee725f71c9b70dece1a67763bb1f38f

SHA512
e9abe8847fd62f798f3db8869d3f3df5db2c86be85fad2b3182f29836b1e13462f4de4451634e97afb18d12b1437661a82fc98e0664c9cd6b2e97cefc2a763c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8C0.tmp

Filesize
1KB

MD5
e0bdc92c39a37c11439d6d45835781be

SHA1
42ca2dbde3b852e2f9d4ea9a8c20e9b6adfe91f9

SHA256
0a28ae0917921e6e5f179f33023a4ca8b9582aca94da46e16a28b22c116d1f71

SHA512
e5d9341b63e1940b596f8860b2094d5d178128bade68c48fd964baa6cd53813e9fc001058da21db7ab8314f92b48a5d4c2c27a3ec1be96dbf0ac43b6870199c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES95D.tmp

Filesize
1KB

MD5
cfa3cc4b5dfb680ea6b2e92754b225bb

SHA1
75bb8968ffaafc5621dd846155245209174fb3b6

SHA256
6ca613b6e15782da64dfeeae2efacf22caedd691ceb14cfb68e0f4eacb193bba

SHA512
bc63a754d63aeded1c9bcbc0128c96ccc89362321ef4a720667e48189dde80abb6e370f022d6037875981d6dadc6b9ac6eb351889fef0c1128ac0019fa13bb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F9.tmp

Filesize
1KB

MD5
70b569556a6cdd57b162d37dd0362653

SHA1
4ce5d2ccc3af6ce9eff7fc62a377c8d5a1e0e286

SHA256
7f301e7bf6b5312ff8d2be04e206872eb2fb93b6d3fde95340116c1844ac6aa0

SHA512
ef768d274b521e0d39954b3c4c6f024644870a88b8a355dd04abeab8d149ab7a112ce7419dfeeb05006e641daf87ff2e1e60257ab9a245b098e7ceefe2e7791d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA95.tmp

Filesize
1KB

MD5
ca655a113fb399300cb1445e8b790749

SHA1
a795636899f6f0a10dc88443ec12cd201821af5f

SHA256
04da11dde85982d6365ee78be880a4fc37b33bf0ad130d68df3685670d0435de

SHA512
404d1f1d8471d838f239398f69c30ed0e0243c4d8fe6277342ba2f13e35e0b6c11089810e569179055e8e3091cfebd5ac3cb3e3d3591149d40bfb699022f2a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB41.tmp

Filesize
1KB

MD5
18aea9d4d3152547ce8d433954e44ed5

SHA1
41e37b35242dbd023b80ca5ea1072160730dc296

SHA256
f34fe1894046d538ea3a50a52ab59e3e55233e6dc8a9ff08175ba2e0b2aa6d3e

SHA512
d8f4a372394d2e2c2d0fc30af0328bc7302d7a1f4e210d92e7b116630edb3281db7a7611a35825a194729180f197d933d95979830b34941ec04b4449bdc89884

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBBE.tmp

Filesize
1KB

MD5
37a8b8a67912c3b6f3b377046e692c26

SHA1
1bbdfd74b1b61bc76d1f7d0d5dcd1feb2f78b42e

SHA256
225bf4349913689a862ae77e21ae878257cc3780d553ef656699c83d10dea725

SHA512
9061a11d2c6fb6cf701d81b82b4126db6e55cba0c3daa17b86dacc7bc31d57178a7a04300f1cfd5f3146d8d51c7d20fa226c503fcbfd229d6ebd14878d941be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC5A.tmp

Filesize
1KB

MD5
0c597cad6a2c3228d9d90926e15cd8f1

SHA1
1f40f606f79d3421cf0ec1522295acfcff9a9719

SHA256
924331b8f721fd4691eabc1f8909a3e66d8152fe2d454eda0e004b7d35506d24

SHA512
d27519863cf758ff61aa3c84580df5752f6439baa4281678b2366c6900ad3a7339a3ac341c5601500217509edc7baee8baadb22e98513a73a3ac41097328efa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCF6.tmp

Filesize
1KB

MD5
b38ce72e5ef2b1ce46889e9b6ab46fd6

SHA1
08bdbd3e3d2384056baae68348e7fcb99779794f

SHA256
d6b6a248b934940962520fa18833c4629e2e53586c3e087d44dccd5f6947c04f

SHA512
da32a38a17014e85c37b18f0f8c0a20fbb2e24a652ea541bc047c29e374c91c8c022715d9160645128fb9c290bfe6323a14089d33dcabe7b551fba7cd9327967

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bxgnwchd.qyl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0mxgul8.0.vb

Filesize
263B

MD5
d1110a95f1e40f726584bd99eca52fe7

SHA1
97fac683e1116ab31a9cc9c3dcfd9fe9e53505c3

SHA256
00f373eb310beace70146b6e0fd188aa2f437efb2e5a2714a11d4d58e27d3142

SHA512
f15b5b310ace82a0106b551d71ad3d48e1c75085aa78b8bb3374a2334ceb073bd4d1bf4cd0b4e39034c39f01b6bcd76e8be30198e4872f5641a7d29b255154b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0mxgul8.cmdline

Filesize
163B

MD5
6218f2fc9f0f15ff6764576b93ef2905

SHA1
30b73799f31ddee952b550e6d9d56ce6705f650a

SHA256
859d143f7715aab691cc46836332d39e2cea67ab68a3c2a39b80aec9c39c5d07

SHA512
fca1379e7bfd6ad194868756ff5dc330148da36c13a7330536f540c004808697f354b415e603a24ace1ca160df7e1e8ae2121959bc92dd989dafce2bb4cac5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\d-vrh_yd.0.vb

Filesize
256B

MD5
076803692ac8c38d8ee02672a9d49778

SHA1
45d2287f33f3358661c3d6a884d2a526fc6a0a46

SHA256
5b3ab23bcadaeb54a41bdb1636bcaf7772af028d375f42baeb967de6579ef2a3

SHA512
cc9126384a287ccb99d10d5c2d3034cdbc8a45e94f1cec48dd95f2aa08ebbe3053ffd6d6effa31f2d84164edbb6136398cd02c08b05f027a6a777dffd1daea5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\d-vrh_yd.cmdline

Filesize
156B

MD5
ca9d4589f8f224cbd11890c5351bd908

SHA1
50f4d6e547f6f576d7ae3a44fa6c19ff6f30ee98

SHA256
4127872343f66fa5a84940beb1c661e86d588f68378c413d53401c749b8173aa

SHA512
d9046c508e4e8c77e8978459649990ccd523e90b7e3e7bf628544964ad41b5f3e946bd77431d6043e61199544e5c7e63f601194c7a60b65a9c4845c7f3b11cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\eu9fpoxh.0.vb

Filesize
264B

MD5
5ce3977a153152978fa71f8aa96909e9

SHA1
52af143c553c92afc257f0e0d556908eaa8919cb

SHA256
e07a7bd0c2901d3a349ab55e936b34de2d0abb5f2dc555cc128773b8045d3eed

SHA512
eaee02ceade0211be70a4710b28fdf043d5c540928e2095ead924a44c2edfca8fc6499395d1b7f5deee96394fb5309362fb87e45ee195094ec39d5fa11909d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\eu9fpoxh.cmdline

Filesize
164B

MD5
d1ba7474264f29b3763d6c39af57d30c

SHA1
fe79fde432e4d232e126528d3ed7be788df52a52

SHA256
ffb159f322aaf51c9c6b3d7a8eb387d0cccf9acb9b354335f3664f39f9b01478

SHA512
fe9fd865605a15dc9de135a4a5455621030b9263701c1a1fcc992e0dd4c11baf7ecded57316741bd2541417a74ca6b5c47e314cda7d85570d4c77405b469c1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ji0stn5u.0.vb

Filesize
274B

MD5
539683c4ca4ee4dc46b412c5651f20f5

SHA1
564f25837ce382f1534b088cf2ca1b8c4b078aed

SHA256
ec2210924d5c1af6377ef4bdf76d6ca773aaa1ae0438b0850f44d8c4e16ef92e

SHA512
df7c1a55e53f9b9bf23d27762d2d1163c78808e9b4d95e98c84c55ca4ecb7009ed58574ae6ddede31459f300483a1dc42987295a04f6c8702f297d3f1942f4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\ji0stn5u.cmdline

Filesize
174B

MD5
a302bc2607ccf8b29330be3b9ec4e684

SHA1
310d7be71394f6c00e6d1db54a8e08967e410eca

SHA256
0155568611265c046d459560ec28dcf7cea3e7f5a07fa7aee27a4a9a4b772c48

SHA512
8a7bdeb9a167f0803471e03079fd0e68b929b05091fb81eb5bda7e2a9a775b707ea995741384b604e7fd9a40001698bd19ebda646a81954a62e9790413246ab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfotnxmm.0.vb

Filesize
271B

MD5
ac972015bef75b540eb33503d6e28cc2

SHA1
5c1d09fcf4c719711532dcfd0544dfc6f2b90260

SHA256
fa445cc76cde3461a5f1f1281fefcb0c7db69b2685f8a67a06a0f33a067e74e7

SHA512
36b2e1f7b7a6f2c60788f88d95bfdc53b7d261c203eb637a36fbd07d81bc46edc87e528f1987df73963cb75ca2f19c3a4b3df9ade52d5768ecec23753099cc83

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfotnxmm.cmdline

Filesize
171B

MD5
12d0a348be6f6c4dc75cc7eee38e3ba9

SHA1
5c8610910ead2fdb2faadf93be1dd4f9ef49f20f

SHA256
2ce6ebbc95de7c41c95e3fb3814f7c474deb550941b098a82ca316e1a7e83d5d

SHA512
bb06fac9174959744b18e8f803717e4043c455449d73507cc01b26052ce8329779b5d0f1075afb32ab2fba348c27f0a7b22566a6310e78bd3f550086907719bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sydpt9w1.0.vb

Filesize
262B

MD5
88cc385da858aaa7057b54eaeb0df718

SHA1
b108224d4686b5ca3faaeb1c728dfba8740a6eca

SHA256
08a30db98d970e3b6819d5ecff6eab2211ce93f4cd000c09db96ffb294d05020

SHA512
4787835240c3e2364172ac2e7649ec8fecb907c7006c38734e59aa65509f360b4596d5db8de20e0c7388a022e1c2f4f9ba75acabba798bea1d40f688539b7df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\sydpt9w1.cmdline

Filesize
162B

MD5
35984b1bf08c8d07fb24c913faff4830

SHA1
4d3c98968ff106005c2c6fc9512bf73c9ae076d6

SHA256
f4d7c406b584a971ae4662fbcbe3434f3a0d8f31c68026cc13fc134e04b0b190

SHA512
51c7cc0cb485b8ba77a70c50c38c4e431b2ffa7abb069a948b72680518f94135eeb34b9519514a6959a2f1f1eaa1fe311acb0dfdaa4398a7bfa9abae4388ec90

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukvfu-5z.0.vb

Filesize
272B

MD5
2b3aac520562a93ebef6a5905d4765c9

SHA1
10ab45c5d73934b16fac5e30bf22f17d3e0810c8

SHA256
b9f0edf067faaaa7da2d47e3d22b957cd302eb25e01e08ea79c664868f328f89

SHA512
9514934ed12d93ea3ad4e6873cf294bafa114bc7a784a93b14dd2410d07fae3a2c00308035a5c129c57e283de8b94ed36fd9f9de35b08eb79a82a0c732e50446

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukvfu-5z.cmdline

Filesize
172B

MD5
b3876e0cb5d83a18607b39bd57a806c9

SHA1
fafdf59644b54831f888034626b8c2a861fe0cd0

SHA256
3437ae9f3fb0fed4528f8900a92c4056c10d6795167c3f6595377d9473454b94

SHA512
4983b31cdb9de0be531159bdbac624a5fc6a06be3112697a43615c93651784e07ec69044d54fc28a26a054f21429a8085d2c6ee646bb9fd20d433bdbb70999e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4C330D5EC502467E8A1A5B9D47275334.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA615AC4BF11848A892D7AF1D24DB08D.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcB78E2D5EA2294984A79CC98E9CC7D92.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBC169544624846A38D58A99CD2B356.TMP

Filesize
684B

MD5
8135713eeb0cf1521c80ad8f3e7aad22

SHA1
1628969dc6256816b2ab9b1c0163fcff0971c154

SHA256
e14dd88df69dc98be5bedcbc8c43d1e7260b4492899fec24d964000a3b096c7a

SHA512
a0b7210095767b437a668a6b0bcedf42268e80b9184b9910ed67d665fba9f714d06c06bff7b3da63846791d606807d13311946505776a1b891b39058cfb41bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcBC42350EF80340DBAA8066B8EF7DDBB7.TMP

Filesize
684B

MD5
7a707b422baa7ca0bc8883cbe68961e7

SHA1
addf3158670a318c3e8e6fdd6d560244b9e8860e

SHA256
453ad1da51152e3512760bbd206304bf48f9c880f63b6a0726009e2d1371c71c

SHA512
81147c1c4c5859249f4e25d754103f3843416e3d0610ac81ee2ef5e5f50622ea37f0c68eeb7fa404f8a1779dc52af02d2142874e39c212c66fa458e0d62926a9

Download Submit
C:\Windows\System32\MSSCS.exe

Filesize
21KB

MD5
6fe3fb85216045fdf8186429c27458a7

SHA1
ef2c68d0b3edf3def5d90f1525fe87c2142e5710

SHA256
905d572f23883f5f161f920e53473989cf7dffc16643aa759f77842e54add550

SHA512
d2180f2d7ca35362a2dc322801fb0eee22820f2ac317c0be4c788c31d3939d30c9b356bf8daf0746545fb66092471f46f5d47c40403ed68b09415fcca90a125c

Download Submit
memory/4332-6-0x000000001CCC0000-0x000000001CD5C000-memory.dmp

Filesize
624KB

Download
memory/4332-2-0x000000001BE30000-0x000000001C2FE000-memory.dmp

Filesize
4.8MB

Download
memory/4332-1-0x00007FFE4E460000-0x00007FFE4EE01000-memory.dmp

Filesize
9.6MB

Download
memory/4332-20-0x00007FFE4E460000-0x00007FFE4EE01000-memory.dmp

Filesize
9.6MB

Download
memory/4332-8-0x00007FFE4E460000-0x00007FFE4EE01000-memory.dmp

Filesize
9.6MB

Download
memory/4332-3-0x000000001C300000-0x000000001C3A6000-memory.dmp

Filesize
664KB

Download
memory/4332-7-0x00007FFE4E715000-0x00007FFE4E716000-memory.dmp

Filesize
4KB

Download
memory/4332-4-0x000000001C470000-0x000000001C4D2000-memory.dmp

Filesize
392KB

Download
memory/4332-0-0x00007FFE4E715000-0x00007FFE4E716000-memory.dmp

Filesize
4KB

Download
memory/4332-5-0x00007FFE4E460000-0x00007FFE4EE01000-memory.dmp

Filesize
9.6MB

Download
memory/4516-21-0x00007FFE4E460000-0x00007FFE4EE01000-memory.dmp

Filesize
9.6MB

Download
memory/4516-17-0x00007FFE4E460000-0x00007FFE4EE01000-memory.dmp

Filesize
9.6MB

Download
memory/4516-18-0x00007FFE4E460000-0x00007FFE4EE01000-memory.dmp

Filesize
9.6MB

Download
memory/4888-251-0x00000204CE390000-0x00000204CE398000-memory.dmp

Filesize
32KB

Download
memory/4888-250-0x00000204CE360000-0x00000204CE36A000-memory.dmp

Filesize
40KB

Download
memory/4888-249-0x00000204B2C50000-0x00000204B2C5E000-memory.dmp

Filesize
56KB

Download
memory/4888-252-0x00000204CE400000-0x00000204CE649000-memory.dmp

Filesize
2.3MB

Download
memory/4900-31-0x00000204C9CF0000-0x00000204C9D12000-memory.dmp

Filesize
136KB

Download