Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250207-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
16-02-2025 05:28
Behavioral task
behavioral1
Sample
Bootstrapper Test.exe
Resource
win10ltsc2021-20250207-en
windows10-ltsc 2021-x64
31 signatures
150 seconds
General
-
Target
Bootstrapper Test.exe
-
Size
50KB
-
MD5
83a547dd8ce000e555f3eb83cca0bded
-
SHA1
bf1835cf9f701125846e3397ab7f10fd120cd13f
-
SHA256
a945f099affe68abe0ba9fd522a0df2787262b97ea5cb5868f9752a00b1c1186
-
SHA512
d01f505b168a1669931c828b0a86d75401c3c1ef8667a7cba612cb61662592802e8130ac335914e9f02cabd2c63608259cca8fac3cf267ef2404792aeb020bfe
-
SSDEEP
768:CdhO/poiiUcjlJInLdH9Xqk5nWEZ5SbTDaCWI7CPW5Sspa:kw+jjgnJH9XqcnW85SbTbWIqspa
Malware Config
Extracted
Family
xenorat
C2
108.77.173.66
Mutex
Xeno_rat_nd8912d
Attributes
-
install_path
appdata
-
port
4785
-
startup_name
Solara Bootstrapper Dependinces
Signatures
-
Detect XenoRat Payload 2 IoCs
resource yara_rule behavioral1/memory/5908-1-0x00000000001A0000-0x00000000001B2000-memory.dmp family_xenorat behavioral1/files/0x0008000000027f86-2.dat family_xenorat -
Xenorat family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" setup.exe -
Downloads MZ/PE file 1 IoCs
flow pid Process 55 320 Process not Found -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation Bootstrapper Test.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 11 IoCs
pid Process 6140 Bootstrapper Test.exe 2656 setup.exe 5472 setup.exe 4556 setup.exe 1984 setup.exe 5220 setup.exe 1072 setup.exe 1576 setup.exe 644 setup.exe 5652 setup.exe 4896 setup.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk setup.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\EDGEMITMP_617D4.tmp\setup.exe MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Canary.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\prefs_enclave_x64.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\manifest.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Canary.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge.dll.sig setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\Logo.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Advertising setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Temp\source2656_1565032911\msedge.hollow.7z setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\onramp.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\d3dcompiler_47.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Analytics setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\WidevineCdm\manifest.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Entities setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\lb.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ml.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\delegatedWebFeatures.sccd setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\qu.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\pl.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\en-US.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ga.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vcruntime140.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\es-419.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\it.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ur.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\en-US.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\5220_13384157472830865_5220.pma setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\mt.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\EdgeGameAssist.msix setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Extensions\external_extensions.json setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ro.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoBeta.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\concrt140.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\dxcompiler.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vulkan-1.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\nl.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\resources.pri setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\nn.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\vi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_pwa_launcher.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\dev.identity_helper.exe.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Beta.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\msedge.dll.sig setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Social setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\hi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\edge_game_assist\VERSION setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\LogoCanary.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\msedge_7z.data setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Cryptomining setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e3899af7-714e-45ee-abb4-3b4c2c760320.tmp setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bg.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\resources.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoCanary.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bg.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Edge.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\EdgeWebView.dat setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sv.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\dual_engine_adapter_x64.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_elf.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Entities setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ka.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\qu.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Dev.msix setup.exe -
Drops file in Windows directory 35 IoCs
description ioc Process File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bootstrapper Test.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bootstrapper Test.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wermgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3728 MicrosoftEdgeUpdate.exe -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 wermgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz wermgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wermgr.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS wermgr.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU wermgr.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" setup.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge setup.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\AppID setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe\"" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,11" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open\command setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationDescription = "Browse the web" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open\command setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}" setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\elevation_service.exe" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32 setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho.dll" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\PdfPreview\\PdfPreviewHandler.dll" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.webp\OpenWithProgids\MSEdgeHTM setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ setup.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14} setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\ = "URL:microsoft-edge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\AppUserModelId = "MSEdge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.mhtml setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf\Extension = ".pdf" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\DefaultIcon setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\ = "Microsoft Edge PDF Document" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.shtml setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.webp setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM setup.exe Key created \REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32 setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationName = "Microsoft Edge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ setup.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 5032 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2024 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeDebugPrivilege 2024 taskmgr.exe Token: SeSystemProfilePrivilege 2024 taskmgr.exe Token: SeCreateGlobalPrivilege 2024 taskmgr.exe Token: 33 2656 setup.exe Token: SeIncBasePriorityPrivilege 2656 setup.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe 2024 taskmgr.exe -
Suspicious use of WriteProcessMemory 26 IoCs
description pid Process procid_target PID 5908 wrote to memory of 6140 5908 Bootstrapper Test.exe 88 PID 5908 wrote to memory of 6140 5908 Bootstrapper Test.exe 88 PID 5908 wrote to memory of 6140 5908 Bootstrapper Test.exe 88 PID 6140 wrote to memory of 5032 6140 Bootstrapper Test.exe 89 PID 6140 wrote to memory of 5032 6140 Bootstrapper Test.exe 89 PID 6140 wrote to memory of 5032 6140 Bootstrapper Test.exe 89 PID 1436 wrote to memory of 2656 1436 MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe 112 PID 1436 wrote to memory of 2656 1436 MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe 112 PID 2656 wrote to memory of 5472 2656 setup.exe 113 PID 2656 wrote to memory of 5472 2656 setup.exe 113 PID 2656 wrote to memory of 4556 2656 setup.exe 114 PID 2656 wrote to memory of 4556 2656 setup.exe 114 PID 4556 wrote to memory of 1984 4556 setup.exe 115 PID 4556 wrote to memory of 1984 4556 setup.exe 115 PID 2656 wrote to memory of 5220 2656 setup.exe 116 PID 2656 wrote to memory of 5220 2656 setup.exe 116 PID 2656 wrote to memory of 1072 2656 setup.exe 117 PID 2656 wrote to memory of 1072 2656 setup.exe 117 PID 5220 wrote to memory of 1576 5220 setup.exe 118 PID 5220 wrote to memory of 1576 5220 setup.exe 118 PID 2656 wrote to memory of 644 2656 setup.exe 119 PID 2656 wrote to memory of 644 2656 setup.exe 119 PID 1072 wrote to memory of 5652 1072 setup.exe 120 PID 1072 wrote to memory of 5652 1072 setup.exe 120 PID 644 wrote to memory of 4896 644 setup.exe 121 PID 644 wrote to memory of 4896 644 setup.exe 121 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext setup.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bootstrapper Test.exe"C:\Users\Admin\AppData\Local\Temp\Bootstrapper Test.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5908 -
C:\Users\Admin\AppData\Roaming\XenoManager\Bootstrapper Test.exe"C:\Users\Admin\AppData\Roaming\XenoManager\Bootstrapper Test.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6140 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "Solara Bootstrapper Dependinces" /XML "C:\Users\Admin\AppData\Local\Temp\tmpFE26.tmp" /F3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:5032
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /71⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2024
-
C:\Windows\SysWOW64\wermgr.exe"C:\Windows\system32\wermgr.exe" "-outproc" "0" "320" "1212" "1100" "1216" "0" "0" "0" "0" "0" "0" "0" "0"1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
PID:1256
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDRBRDMzRTAtM0E5NC00OTYwLUI5NzMtQ0IyNDAwNTY5RTc1fSIgdXNlcmlkPSJ7NjBFNTg5OTMtQjZGNC00M0U3LUE3NzAtMkVCRDkwOTIzNDExfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntGRUFGNUZEOC1DMkZCLTREODUtQkYyNi1EMTlCRUUxMUVGQ0J9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMi4wLjI5NTcuMTQwIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iOCIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1MDYxIj48ZXZlbnQgZXZlbnR0eXBlPSIzMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTUxMTA1NDMxNCIvPjwvYXBwPjwvcmVxdWVzdD41⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3728
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\EDGEMITMP_617D4.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\EDGEMITMP_617D4.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\MicrosoftEdge_X64_133.0.3065.59_132.0.2957.140.exe" --previous-version="132.0.2957.140" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2656 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\EDGEMITMP_617D4.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\EDGEMITMP_617D4.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\EDGEMITMP_617D4.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7907c6a68,0x7ff7907c6a74,0x7ff7907c6a803⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5472
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\EDGEMITMP_617D4.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\EDGEMITMP_617D4.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\EDGEMITMP_617D4.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\EDGEMITMP_617D4.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\EDGEMITMP_617D4.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7907c6a68,0x7ff7907c6a74,0x7ff7907c6a804⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1984
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5220 -
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff732066a68,0x7ff732066a74,0x7ff732066a804⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1576
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff732066a68,0x7ff732066a74,0x7ff732066a804⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5652
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:644 -
C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff732066a68,0x7ff732066a74,0x7ff732066a804⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4896
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
1Component Object Model Hijacking
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2620D3F9-E675-4F38-A5AF-EDC02505AB44}\EDGEMITMP_617D4.tmp\setup.exe
Filesize6.8MB
MD51b3e9c59f9c7a134ec630ada1eb76a39
SHA1a7e831d392e99f3d37847dcc561dd2e017065439
SHA256ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae
SHA512c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e
-
Filesize
226B
MD566aea5e724c4a224d092067c3381783b
SHA1ee3cc64c4370a255391bdfeef2883d5b7a6e6230
SHA25604b17cab961f973464bba8924f764edef6451d1774f2405d27ef33d164296923
SHA5125d719e303f491d1443cb7c7e8946481e90532522a422c98f82466e1eddcd1ef24a4505dcbf75f2191fbb66825d3550566d7f408a3854edeb4c1a192c8c9a6d06
-
Filesize
1KB
MD51217c304978652c5c2317fa5602c7b92
SHA12b608ea2e5c32690a721abbbd81f9d54008ce4a7
SHA2568086d0752496af7d809d41ce85c16117e73670dcbdc5decb9308ecc5a2f6aee1
SHA512a528012e4f04737e8b96626c97c2a1d369e770faec391abef7d794048b1e39be26a404a6646bb4b9d1194176953e6a2173d8a4932b7087c5970a87ba97394b7d
-
Filesize
50KB
MD583a547dd8ce000e555f3eb83cca0bded
SHA1bf1835cf9f701125846e3397ab7f10fd120cd13f
SHA256a945f099affe68abe0ba9fd522a0df2787262b97ea5cb5868f9752a00b1c1186
SHA512d01f505b168a1669931c828b0a86d75401c3c1ef8667a7cba612cb61662592802e8130ac335914e9f02cabd2c63608259cca8fac3cf267ef2404792aeb020bfe
-
Filesize
166KB
MD507f89856e5d397cdc601f087357639ae
SHA12cd411bb7971b7ecadb7054d8192690369c21215
SHA256e344c52f52cd07dee48cba299b0626e9ecb9ea9bfd090a1324e3b097712ccfb3
SHA5126af8867e91bf895fa7edf4406d274636c95ffe1390a2d6c3e5d30effbbefe7ff7e1474b6bc98e00e0f9d1a501d486bfcccfdbb9e8b57d1efe0e5b56349d795f8
-
Filesize
190KB
MD5ccb341fd63833683c749a5f9ec748b94
SHA1f5ed10eaf65d769c26062f270575e186070a89bd
SHA2563bccc473cd334a3b40443f979000774881fa1bb6e03520f8d1dd7679d9a967d3
SHA51201c2b103da436333c78e7ae7fe784c0d0c8ecb53573ef2b9497f38a0b0eb24748e8f0c4df453d46a3ab9648805ba1f9890e473c1c6ffdd7f21ff2c54b487f95b
-
Filesize
193KB
MD52ed456066da68ff9047531dd120c887e
SHA174a19a2d5e56f465c1dfb1ca08bd839dec88cb04
SHA25622bd708206a69bd171b324c9e79b8d912993644a584b800fa87af344384e3dde
SHA5121274a7f3aa54757f4a66350858934b48c24a9c81080e4c754f18f2bfd1561b9501819f53c09e7241cbe36e847349bd64fd8838f749cc04e48bac368f0807cdf4
-
Filesize
198KB
MD5a60f5fd647ebf608618f87a4d0f113e5
SHA1e5d793be3e9fc78581423140d6c9acf9e85b0d43
SHA256e242bf195a60f858bb1a2e873813f62d6044ae482a3763e8450f27e8f6226d60
SHA512c9a3eae038f4dfcfdbde19711a88049d20b9258e060ecbd0fb6c3fe4566fdcc38b4d45f1dcf80b5f3e085f904b3d4cb562d0becf1b0760e5192ff6d851686656