Analysis

max time kernel: 832s
max time network: 834s
platform: windows11_x64
resource: win11
submitted: 16-10-2021 06:26

Static task: static1
URLScan task: urlscan1
Sample: http://discordc.gift/duVhHCkqq7

Behavioral task: behavioral1
Sample: http://discordc.gift/duVhHCkqq7
Resource: win11

Errors

General
Target: http://discordc.gift/duVhHCkqq7
Sample: 211016-g7a2eacefp
Malware Config
Signatures

Registers COM server for autorun 1 TTPs

Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs
Processes:
description | pid | process | target process
PID 2148 created 2060 | 2148 | SystemSettings.exe | sihost.exe
PID 2148 created 2060 | 2148 | SystemSettings.exe | sihost.exe
PID 2148 created 2060 | 2148 | SystemSettings.exe | sihost.exe
PID 2148 created 2060 | 2148 | SystemSettings.exe | sihost.exe
PID 2148 created 2060 | 2148 | SystemSettings.exe | sihost.exe
PID 4172 created 2060 | 4172 | SystemSettings.exe | sihost.exe
PID 4172 created 2060 | 4172 | SystemSettings.exe | sihost.exe
PID 4172 created 2060 | 4172 | SystemSettings.exe | sihost.exe
PID 4172 created 2060 | 4172 | SystemSettings.exe | sihost.exe
PID 4172 created 2060 | 4172 | SystemSettings.exe | sihost.exe
Downloads MZ/PE file

Executes dropped EXE 15 IoCs
Modifies Installed Components in the registry 2 TTPs

Sets file execution options in registry 2 TTPs

Loads dropped DLL 35 IoCs
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeAutoLaunch_5EFC0ECB77A7585FE9DCDD0B2E946A2B = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --no-startup-window /prefetch:5" | msedge.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | setup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.

Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | setup.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | SystemSettings.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | SystemSettings.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | SystemSettings.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setuperr.log | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagerr.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\diagwrn.xml | UserOOBEBroker.exe
File opened for modification | C:\Windows\Panther\UnattendGC\setupact.log | SystemSettings.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\HardwareID | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000 | SystemSettings.exe
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | SystemSettings.exe
Enumerates system info in registry 2 TTPs 7 IoCs
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | SystemSettings.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | SystemSettings.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, setup.exe, MicrosoftEdgeUpdate.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0\CLSID\ = "{77857D02-7A25-4B67-9266-3E122A8F39E4}" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32\ = "{9D48CE47-9E1C-4D41-B480-260563C0B724}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{B532B342-0E34-448B-9EDF-1D55C04041F8}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0\ = "Microsoft Edge Update Broker Class Factory" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32\ = "{9D48CE47-9E1C-4D41-B480-260563C0B724}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.151.27\\MicrosoftEdgeUpdateBroker.exe\"" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.151.27\\MicrosoftEdgeUpdateOnDemand.exe\"" | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalServer32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ABD63202-F52F-4225-9C85-19DD88589B66}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.151.27\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC} | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation\Enabled = "1" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ = "IApp" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc.1.0\CLSID\ = "{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{B532B342-0E34-448B-9EDF-1D55C04041F8}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ = "IProgressWndEvents" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0DCA09F-8BE2-4384-ABF4-D12022E8D67F}\InprocHandler32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\ | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ProgID\ = "MicrosoftEdgeUpdate.Update3COMClassService.1.0" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{B532B342-0E34-448B-9EDF-1D55C04041F8}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ = "IProgressWndEvents" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E0DCA09F-8BE2-4384-ABF4-D12022E8D67F}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.47\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC} | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.151.27\\msedgeupdate.dll,-3000" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods\ = "13" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods\ = "43" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.151.27\\msedgeupdate.dll,-1004" | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\PROGID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0\ = "Microsoft Edge Update Legacy On Demand" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LocalServer32 | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26} | MicrosoftEdgeUpdateComRegisterShell64.exe
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes:
msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe
pid | process
2244 | msedge.exe
2244 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
5248 | identity_helper.exe
5248 | identity_helper.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2852 | msedge.exe
2588 | MicrosoftEdgeUpdate.exe
2588 | MicrosoftEdgeUpdate.exe
2588 | MicrosoftEdgeUpdate.exe
2588 | MicrosoftEdgeUpdate.exe
2588 | MicrosoftEdgeUpdate.exe
2588 | MicrosoftEdgeUpdate.exe
5968 | MicrosoftEdgeUpdate.exe
5968 | MicrosoftEdgeUpdate.exe
4468 | MicrosoftEdgeUpdate.exe
4468 | MicrosoftEdgeUpdate.exe
5924 | MicrosoftEdgeUpdate.exe
5924 | MicrosoftEdgeUpdate.exe
5292 | MicrosoftEdgeUpdate.exe
5292 | MicrosoftEdgeUpdate.exe
2796 | MicrosoftEdgeUpdate.exe
2796 | MicrosoftEdgeUpdate.exe
4372 | MicrosoftEdgeUpdate.exe
4372 | MicrosoftEdgeUpdate.exe
1168 | MicrosoftEdgeUpdate.exe
1168 | MicrosoftEdgeUpdate.exe
720 | MicrosoftEdgeUpdate.exe
720 | MicrosoftEdgeUpdate.exe
720 | MicrosoftEdgeUpdate.exe
720 | MicrosoftEdgeUpdate.exe
5540 | MicrosoftEdgeUpdate.exe
5540 | MicrosoftEdgeUpdate.exe
5540 | MicrosoftEdgeUpdate.exe
5540 | MicrosoftEdgeUpdate.exe
5540 | MicrosoftEdgeUpdate.exe
5540 | MicrosoftEdgeUpdate.exe
2580 | MicrosoftEdgeUpdate.exe
2580 | MicrosoftEdgeUpdate.exe
6072 | MicrosoftEdgeUpdate.exe
6072 | MicrosoftEdgeUpdate.exe
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs
Processes:
msedge.exe
pid | process
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
svchost.exe, SystemSettings.exe, svchost.exe, svchost.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdge_X64_94.0.992.50.exe, setup.exe, MicrosoftEdge_X64_94.0.992.50.exe, setup.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, SystemSettings.exe, SystemSettingsAdminFlows.exe, svchost.exe
description | pid | process
Token: SeSystemtimePrivilege | 4700 | svchost.exe
Token: SeSystemtimePrivilege | 4700 | svchost.exe
Token: SeIncBasePriorityPrivilege | 4700 | svchost.exe
Token: SeShutdownPrivilege | 2148 | SystemSettings.exe
Token: SeCreatePagefilePrivilege | 2148 | SystemSettings.exe
Token: SeShutdownPrivilege | 2148 | SystemSettings.exe
Token: SeCreatePagefilePrivilege | 2148 | SystemSettings.exe
Token: SeShutdownPrivilege | 2148 | SystemSettings.exe
Token: SeCreatePagefilePrivilege | 2148 | SystemSettings.exe
Token: SeTcbPrivilege | 5192 | svchost.exe
Token: SeTcbPrivilege | 5192 | svchost.exe
Token: SeTcbPrivilege | 5192 | svchost.exe
Token: SeTcbPrivilege | 5192 | svchost.exe
Token: SeTcbPrivilege | 5192 | svchost.exe
Token: SeTcbPrivilege | 5192 | svchost.exe
Token: SeShutdownPrivilege | 2148 | SystemSettings.exe
Token: SeCreatePagefilePrivilege | 2148 | SystemSettings.exe
Token: SeShutdownPrivilege | 2148 | SystemSettings.exe
Token: SeCreatePagefilePrivilege | 2148 | SystemSettings.exe
Token: SeShutdownPrivilege | 2148 | SystemSettings.exe
Token: SeCreatePagefilePrivilege | 2148 | SystemSettings.exe
Token: 34 | 2148 | SystemSettings.exe
Token: SeSystemtimePrivilege | 4700 | svchost.exe
Token: SeSystemtimePrivilege | 5772 | svchost.exe
Token: SeSystemtimePrivilege | 5772 | svchost.exe
Token: SeIncBasePriorityPrivilege | 5772 | svchost.exe
Token: SeDebugPrivilege | 2588 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 2588 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 5968 | MicrosoftEdgeUpdate.exe
Token: 33 | 5812 | MicrosoftEdgeUpdate.exe
Token: SeIncBasePriorityPrivilege | 5812 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 4468 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 5924 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 5292 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 2796 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 4372 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 1168 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 720 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 720 | MicrosoftEdgeUpdate.exe
Token: 33 | 720 | MicrosoftEdgeUpdate.exe
Token: SeIncBasePriorityPrivilege | 720 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 5540 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 5540 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 5540 | MicrosoftEdgeUpdate.exe
Token: 33 | 648 | MicrosoftEdge_X64_94.0.992.50.exe
Token: SeIncBasePriorityPrivilege | 648 | MicrosoftEdge_X64_94.0.992.50.exe
Token: 33 | 1908 | setup.exe
Token: SeIncBasePriorityPrivilege | 1908 | setup.exe
Token: 33 | 4548 | MicrosoftEdge_X64_94.0.992.50.exe
Token: SeIncBasePriorityPrivilege | 4548 | MicrosoftEdge_X64_94.0.992.50.exe
Token: 33 | 5864 | setup.exe
Token: SeIncBasePriorityPrivilege | 5864 | setup.exe
Token: SeDebugPrivilege | 2580 | MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege | 6072 | MicrosoftEdgeUpdate.exe
Token: SeShutdownPrivilege | 4172 | SystemSettings.exe
Token: SeCreatePagefilePrivilege | 4172 | SystemSettings.exe
Token: 34 | 4172 | SystemSettings.exe
Token: 34 | 4172 | SystemSettings.exe
Token: SeSystemtimePrivilege | 5772 | svchost.exe
Token: SeSystemtimePrivilege | 5208 | SystemSettingsAdminFlows.exe
Token: SeSystemtimePrivilege | 5208 | SystemSettingsAdminFlows.exe
Token: SeSystemtimePrivilege | 3996 | svchost.exe
Token: SeSystemtimePrivilege | 3996 | svchost.exe
Token: SeIncBasePriorityPrivilege | 3996 | svchost.exe
-
Suspicious use of FindShellTrayWindow 10 IoCs
Processes:
msedge.exe, SystemSettings.exe
pid | process
2952 | msedge.exe
2148 | SystemSettings.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
-
Suspicious use of SendNotifyMessage 4 IoCs
Processes:
msedge.exe
pid | process
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
2952 | msedge.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
SystemSettings.exe, SystemSettingsAdminFlows.exe, SystemSettingsAdminFlows.exe, SystemSettings.exe, SystemSettingsAdminFlows.exe, LogonUI.exe
pid | process
2148 | SystemSettings.exe
6060 | SystemSettingsAdminFlows.exe
5212 | SystemSettingsAdminFlows.exe
4172 | SystemSettings.exe
5208 | SystemSettingsAdminFlows.exe
3860 | LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
iexplore.exe, msedge.exe
description | pid | process | target process
PID 1416 wrote to memory of 2952 | 1416 | iexplore.exe | msedge.exe
PID 1416 wrote to memory of 2952 | 1416 | iexplore.exe | msedge.exe
PID 2952 wrote to memory of 968 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 968 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2184 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2244 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 2244 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
PID 2952 wrote to memory of 5012 | 2952 | msedge.exe | msedge.exe
-
System policy modification 1 TTPs 4 IoCs
Processes:
setup.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" | setup.exe
Processes
-
C:\Windows\system32\sihost.exe (level 1)
Command line: sihost.exe
-
C:\Windows\system32\SystemSettingsAdminFlows.exe (level 2)
Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 0
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SystemSettingsAdminFlows.exe (level 2)
Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetInternetTime 0
-
C:\Windows\system32\SystemSettingsAdminFlows.exe (level 2)
Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetInternetTime 1
-
C:\Windows\system32\SystemSettingsAdminFlows.exe (level 2)
Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\SystemSettingsAdminFlows.exe (level 2)
Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\SystemSettingsAdminFlows.exe (level 2)
Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 0
- Modifies data under HKEY_USERS
-
C:\Windows\system32\SystemSettingsAdminFlows.exe (level 2)
Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 0
-
C:\Windows\system32\SystemSettingsAdminFlows.exe (level 2)
Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetInternetTime 0
-
C:\Windows\system32\SystemSettingsAdminFlows.exe (level 2)
Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\SystemSettingsAdminFlows.exe (level 2)
Command line: "C:\Windows\system32\SystemSettingsAdminFlows.exe" SetInternetTime 1
-
C:\Program Files\Internet Explorer\iexplore.exe (level 1)
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://discordc.gift/duVhHCkqq7
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "http://discordc.gift/duVhHCkqq7"
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8655446f8,0x7ff865544708,0x7ff865544718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\explorer.exe (level 3)
Command line: "C:\Windows\explorer.exe" ms-settings:dateandtime
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5276 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5732 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5716 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5972 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3276 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2032 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3140 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2220,16296267697180107861,1077373057576111312,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:13⤵
-
C:\Windows\System32\Upfc.exe (level 1)
Command line: C:\Windows\System32\Upfc.exe /launchtype periodic /cv HUjyS0DIrUChP84ZMiaOIg.0
-
C:\Windows\System32\sihclient.exe (level 1)
Command line: C:\Windows\System32\sihclient.exe /cv hT4RkUrQU0KJr6hWfqbv1w.0.2
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exe (level 1)
Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe (level 1)
Command line: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
-
C:\Windows\System32\oobe\UserOOBEBroker.exe (level 1)
Command line: C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe (level 1)
Command line: C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe (level 1)
Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\elevation_service.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\elevation_service.exe"
-
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5908_1193927850\msedgerecovery.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5908_1193927850\msedgerecovery.exe" --appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} --browser-version=92.0.902.62 --sessionid={270a2154-03b0-4f18-b299-50d4dfb34213} --system
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5908_1193927850\MicrosoftEdgeUpdateSetup.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5908_1193927850\MicrosoftEdgeUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\MicrosoftEdgeUpdate.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\MicrosoftEdgeUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 5)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 5)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe (level 6)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe (level 6)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe (level 6)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 5)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTEuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNDMuNTciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzA5QkZFRDEtREZGQi00NzVELUE5QkItRDU5NTU0MUREODg3fSIgdXNlcmlkPSJ7NTE1QkM5MzgtMzVEMy00MjI2LUExOTctMjgxMUQ0MDRDNDU0fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezAyMTI0MkUzLUM5MTMtNEUwQS1BRjY1LUQ1RDIwRkI1NzZGRH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjAiIHNzZTQxPSIwIiBzc2U0Mj0iMCIgYXZ4PSIwIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuMTAwIiBzcD0iIiBhcmNoPSJ4NjQiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE1MS4yNyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMDE2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /machine /installsource chromerecovery
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0EB18F2A-58B8-438D-939B-85629F3CB7C6}\MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0EB18F2A-58B8-438D-939B-85629F3CB7C6}\MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe" /update /sessionid "{7EF7704F-FB3F-4EEE-BE4E-46D9D52D1239}"
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Temp\EU9A34.tmp\MicrosoftEdgeUpdate.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\Temp\EU9A34.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{7EF7704F-FB3F-4EEE-BE4E-46D9D52D1239}"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe (level 5)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe (level 5)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe (level 5)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 4)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-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-
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTEuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNDMuNTciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7N0VGNzcwNEYtRkIzRi00RUVFLUJFNEUtNDZEOUQ1MkQxMjM5fSIgdXNlcmlkPSJ7NTE1QkM5MzgtMzVEMy00MjI2LUExOTctMjgxMUQ0MDRDNDU0fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezMxRDMzMjAwLTFFNDctNDE1Mi1BODgzLTUwNTVBMTlERTI4OX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjAiIHNzZTQxPSIwIiBzc2U0Mj0iMCIgYXZ4PSIwIi8-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-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-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-PHBpbmcgcj0iNzEiIHJkPSI1MzI5IiBwaW5nX2ZyZXNobmVzcz0ie0JCRUM0NUNBLUE2Q0EtNEEzNi05ODRFLTQ1RThCNjU0QzFGMX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iOTIuMC45MDIuNjIiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBsYXN0X2xhdW5jaF90aW1lPSIxMzI3NTI0MDY3NDczNTMxNyI-PHVwZGF0ZWNoZWNrLz48cGluZyBhY3RpdmU9IjEiIGE9IjgwIiByPSI3MSIgYWQ9IjUzMjAiIHJkPSI1MzI5IiBwaW5nX2ZyZXNobmVzcz0iezA2Qjc4ODhBLUM3MDEtNDJDMi05OURBLTVGRkY4RTQ1NDcxNH0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iOTIuMC45MDIuNjIiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBjb2hvcnQ9InJyZkAwLjQyIiBsYXN0X2xhdW5jaF90aW1lPSIxMzI3MTc0NTkxNTA4OTU2MiI-PHVwZGF0ZWNoZWNrLz48cGluZyBhY3RpdmU9IjAiIHI9IjcxIiByZD0iNTMyOSIgcGluZ19mcmVzaG5lc3M9IntFODY1RENDMS1CRDI1LTQyODYtODZFNS0xNzFDNjc2MjkyMEV9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7E504E46-0EA9-4E1C-80B7-22F0C650DDE2}\MicrosoftEdge_X64_94.0.992.50.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7E504E46-0EA9-4E1C-80B7-22F0C650DDE2}\MicrosoftEdge_X64_94.0.992.50.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7E504E46-0EA9-4E1C-80B7-22F0C650DDE2}\EDGEMITMP_C7DE7.tmp\setup.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7E504E46-0EA9-4E1C-80B7-22F0C650DDE2}\EDGEMITMP_C7DE7.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7E504E46-0EA9-4E1C-80B7-22F0C650DDE2}\EDGEMITMP_C7DE7.tmp\MSEDGE.PACKED.7Z" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EFC650F6-B7CE-4CF9-98FE-2AD9443584D6}\MicrosoftEdge_X64_94.0.992.50.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EFC650F6-B7CE-4CF9-98FE-2AD9443584D6}\MicrosoftEdge_X64_94.0.992.50.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EFC650F6-B7CE-4CF9-98FE-2AD9443584D6}\EDGEMITMP_3D5D2.tmp\setup.exe (level 3)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EFC650F6-B7CE-4CF9-98FE-2AD9443584D6}\EDGEMITMP_3D5D2.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EFC650F6-B7CE-4CF9-98FE-2AD9443584D6}\EDGEMITMP_3D5D2.tmp\MSEDGE.PACKED.7Z" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTUzLjQ3IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNocm9tZXJlYzM9MjAyMTQxUiIgaW5zdGFsbGFnZT0iNzAiIGNvaG9ydD0icnJmQDAuMDkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcmQ9IjU0MDAiIHBpbmdfZnJlc2huZXNzPSJ7MTU4QjNCNjctOUZCRC00RkM4LTg3Q0UtM0YwNkMxMkI4QkYwfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42MiIgbmV4dHZlcnNpb249Ijk0LjAuOTkyLjUwIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMjc1MjQwNjc0NzM1MzE3Ij48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvd25sb2FkZXI9ImRvIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9mYWVmYWU3NS03ZGRkLTRmMTEtYTQwYi04MDcwMmVhOTExYjE_UDE9MTYzNDk3MDY3MCZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1KQUdHNE9ydUtnMWV6NlpTZkRaRmtBclR6eEpWJTJic3B1aWNsWHAwOWs0NUhYR1g3RiUyZnBqQkVTVzlDdU1yRmc2YWtZMnBnTEVjdWlPWWdOV05lTEswbGclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2ZhZWZhZTc1LTdkZGQtNGYxMS1hNDBiLTgwNzAyZWE5MTFiMT9QMT0xNjM0OTcwNjcwJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUpBR0c0T3J1S2cxZXo2WlNmRFpGa0FyVHp4SlYlMmJzcHVpY2xYcDA5azQ1SFhHWDdGJTJmcGpCRVNXOUN1TXJGZzZha1kycGdMRWN1aU9ZZ05XTmVMSzBsZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgZG93bmxvYWRlZD0iMTA5OTA0ODAwIiB0b3RhbD0iMTA5OTA0ODAwIiBkb3dubG9hZF90aW1lX21zPSI5MTU2Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHNvdXJjZV91cmxfaW5kZXg9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjYwOCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjEzMTMiIGRvd25sb2FkX3RpbWVfbXM9IjExNDUzIiBkb3dubG9hZGVkPSIxMDk5MDQ4MDAiIHRvdGFsPSIxMDk5MDQ4MDAiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjIwMjgyIi8-PHBpbmcgYWN0aXZlPSIwIiByZD0iNTQwMCIgcGluZ19mcmVzaG5lc3M9IntCMUJGRUU3MS0zMkVDLTRCNzgtQjI0Qy0xNEM1MjdCODhDMzB9Ii8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjkyLjAuOTAyLjYyIiBuZXh0dmVyc2lvbj0iOTQuMC45OTIuNTAiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgY29ob3J0PSJycmZAMC40MiIgbGFzdF9sYXVuY2hfdGltZT0iMTMyNzE3NDU5MTUwODk1NjIiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-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-
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe (level 1)
Command line: "C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exe (level 1)
Command line: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\LogonUI.exe (level 1)
Command line: "LogonUI.exe" /flags:0x4 /state0:0xa3a3b055 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5908_1193927850\MicrosoftEdgeUpdateSetup.exe
MD5: 4488f766299c7fefe2a7038e3d0b7e6a
SHA1: 04ec94e21ff2c4eb6c144f6c6241642c05f182b3
SHA256: 8874fb15d446396d1740a3ed90a4643de9ba982d6fdfd61282d75e81efcc415b
SHA512: 4a70adc8cfbef86745a7061bba71fb75fac0741db64bc27207e4b3d1855fbba710d024018bd31a31e01135efe425271bdd6be71261242b43df0b8e0e0fcf96d3
-
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5908_1193927850\msedgerecovery.exe
MD5: 6de69804e275844266117f3f3016af57
SHA1: 684e1f5f5d2d9c49c491ca2f6e5dd86e4489c812
SHA256: 70928f78c5c52c98ff43f66b6d3b0ee0cb0e0460f0799007c970857539d5ba1c
SHA512: f172c0cd760c17dd04f7b08a90ad921f92e600e21f1aeb25f4338905f829a6a1077bde92b5183d7adf56b48ef772e05a1262498038e1fd5b9682afd18e42e9d2
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\EdgeUpdate.dat
MD5: 369bbc37cff290adb8963dc5e518b9b8
SHA1: de0ef569f7ef55032e4b18d3a03542cc2bbac191
SHA256: 3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3
SHA512: 4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\MicrosoftEdgeComRegisterShellARM64.exe
MD5: e7ddb7d2103fd518652eca1328f21510
SHA1: 36bf5749f398a586ec1481cc42a3a6f5deb3754b
SHA256: 8666d49f5af22615eacbb8b389098c2e7276e6040c937aba970a1dd46fefa7d5
SHA512: 66c44138de7053a38ed25a01d5c03b08b2d91b2845b54efe6e0be79f843fbd07a81aa0796965e8de027cfb3f9ba362fd34694535f5a72d8c0dd56ea5488b97f7
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\MicrosoftEdgeUpdate.exe
MD5: 3c2ec71dbec0629c92ee081fa5523190
SHA1: c34429bccfa61fc4d2bfc7be42227017fcefd4a9
SHA256: d357502511352995e9523c746131f8ed38457c38a77381c03dda1a1968abce42
SHA512: 2a50c2c3b1391b0450cea7dd02b96046fed3e5467cc0e317b4950514fff46ed07a64fd48a917ebc1d86247f30d274bab9efafed2d4e05fc485d55e9c254bd448
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
MD5: 9db970fa6963695477e8a3691c5d9940
SHA1: e5b57ead1f5d0fbc3185a3761103e55b69ca03d0
SHA256: d5d69fb701c077892a587f3ecbb1010ec0846f5046b05a653a7994154420c328
SHA512: fdfabf237fbb833f76c9968e99e887a6bc732b9be13bdb3723c472251b11faacc16eb73377ee5b532d2e6faa03e103106120d80b2d4ac0cc843c4c9951b310b8
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\MicrosoftEdgeUpdateCore.exe
MD5: b6a524d1abeb4868b67e780ea6c2e267
SHA1: fbe541805bc0922f0a1c1eb9f09125a7f38a32a9
SHA256: 113d781452ea8d2632d50a6c64c4b1728d8d158964c0ea99e6e0b23cc9861d89
SHA512: 6a8df76159c0ed181e35084d75cf2edc36a0e16f93c1115d6c455b544cb2b409a447ecd1e7ae976cb2518a9cc1298df25d8ad946d4a2b89c1b3ee4b9f035c8ad
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\NOTICE.TXT
MD5: 6dd5bf0743f2366a0bdd37e302783bcd
SHA1: e5ff6e044c40c02b1fc78304804fe1f993fed2e6
SHA256: 91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5
SHA512: f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdate.dll
MD5: 93d198acff9bb99fd6dd2f0b972a4172
SHA1: a1667b10a8536b773d0c0fc9dae19f0320f95336
SHA256: a88a49608b123e5241c4ebe8d69dfda70c0b3d87640c4d4a565c99b8ec00aa12
SHA512: b3e5fcbad61f038848dda8cbfc40664285aabce4fcbc0ede274a9d1296216a4ab3b6a3ead902f204dbeadf7d6cfabf56f50f277e18f47b399217087996c140eb
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_af.dll
MD5: 51e0f6293052a9ed32eebadb0e78dba2
SHA1: b6f109d95760e6a8da19f760b54e35316d50db47
SHA256: 65f20a53718c547b675f0ebd8ce406ae2dcbe242f50fbb631e0d052befaa1a87
SHA512: d4ca2fa4b832537d9dcdb6358aee50824085c4327957cfe6465e5af7ddc8245158959ecd6b7767686033c799df4deca06716d8bfdfb55d297436cf65769d1161
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_am.dll
MD5: a6c941f474e1c7266ab500cc932ad294
SHA1: cfff3bcf205666ca3b17b65d82a7aed01888af6c
SHA256: 5ad20f36db95fabbb0f8c62b94bbd532db8083e0f380191180613bd2579a5481
SHA512: a7b36bef2929df59999a9fb32a0a2cd8982d90e552ceb29730ed544ba0009192659b360d02181a894943571030b5e0f7ee63b3449be489527718de318a1eaaca
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_ar.dll
MD5: ad19703ff751e308a0e64e5aa88e018d
SHA1: aec05b96d8a10a2d6f3b09691b1f2512af92948d
SHA256: 13a26667a4fd42a7d9fe3b61fa5ddf959d93642b051a8ad43ef87d38619cdc82
SHA512: 56f7599ec7ac2db9b6d8e7c632f1327caa97395c18f436052e7482fa9d12d65c14f84dfb9e6052529a133e36201cb76ee5cab37da5ad1bb8def1abbf885f3c5f
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_as.dll
MD5: 57147d7160d98f0e550abbe56f09e12e
SHA1: 8463be34d9a2852f57ff18763d8ef7d2c070e544
SHA256: 1ba80418686eea5fc7ece5d0d4f0dd4bcdda9df6abf5bf0e8bd941ee2972ac7b
SHA512: f1020a91b43c40eebd8f6f61dcba9588c6b4966bc5bd50fa806f3a0c55ec6f9921f44bf36915fcec541df540f40f2e6f3c073a9f1fc2b603db590887cf8b2dc9
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_az.dll
MD5: 033e5cfa0a2627efca17f13824ad5092
SHA1: 9f7357fd9a06f4e59cbeb4492bbed4d364789e9f
SHA256: de0b777c86d95dc5e9d0614ac8a5dc1b559791a2fe11385d3758e6f7021d5cb4
SHA512: 453508c01d40a9c6a7c4359ec991f94201be1090f663828f1f4b962734852c6ea761a75fa590669436ec0d74025d1654ec0d4dfa116d0a2f8680d54c6efb6662
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_bg.dll
MD5: b5c174c65533a224015e940453ebf7bd
SHA1: e812e228587a9c8eb7ec7e5d838da264fbd3eb9a
SHA256: f9b9730b97f160b22bb9e5f96c2fe623e4cd1ec8d58b36c05e62b92b6eed29e6
SHA512: 0ca1668e224130c9b9638c979d1e833ff3e4452d9007f1748d4d126a0dd99d829e8dd46dcd0606f5202534e8e483d3af5f5b300d92063a8294338f2264c58ead
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_bn-IN.dll
MD5: 03159478c2c5416cd03b90fdbb85f60b
SHA1: 3015e5b79be506516f05366c36e885fa15675bc0
SHA256: ae58ce60a6171b2fbee56f58bfe6e38f5efe568af13355b1d3f6b6c66e5b7906
SHA512: 38071382f91847641e19ed957e695f45b6b76fa4b91d90db1251dae00df07d6757a6e382098ec8afb35f04fd01c8dcbd661bf0b7a1bea1054b24fbc29a29cf6c
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_bn.dll
MD5: ceb156024e4c9b36bc3e217201fc2322
SHA1: e126d7953d5c49b724617e1f8b81edb64a769dfc
SHA256: ff10d60ec3ff0cd35ce090823bcb2fdd18c825d7ee6ce17655431739e219c17e
SHA512: dc74407f6b2f237479d6fde428be3fa72be3e2efe4d8dfb8e5430c119deb39ea0c9d63cde654376e7a190be0a220eaab3343df76a01059316b5b6c444479abf9
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_bs.dll
MD5: 32018e13551cc7fabff9b9d281d3bea8
SHA1: 49796fd79c9c76e45358f21d8f9fabbb81f928db
SHA256: 6eab69d9cf28d403706e0dced218b3bfdce328cfed3103812388734bae98c693
SHA512: e960f0eeb0cbd3393b575b91c953ed5bd8c9146aa8b8aa113605d646e48b4c4ba4faa8987889fc72dc2d786c8c4200867689c1cd8867c3f3dd9a249537ddae4b
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_ca-Es-VALENCIA.dll
MD5: 37eb7b29ec5007edf219acb6779d791e
SHA1: 4097b0b293e2e5c8908b8baa7bc41128ad4abaed
SHA256: e9b2d242cef0bf2f10824e9435eaa9cbe196c88c6692c0707bcb532580dafa8f
SHA512: e9a8a52b7e52e85468edc9503bc1970585c178bcf8c29c662b17bed4d4399ac0b756a67c926b79f2a409f91de3067fb39a4e7f36efd5fa7ea720b841f3d50371
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_ca.dll
MD5: 13de822ff2627018bdb4c30c14463dcd
SHA1: 9e09b285785ec4ccd6b307176212edba410b128a
SHA256: 9871893788cb63a024923941c1ad02da611e27328745eab33f73b42d62c9eaa8
SHA512: e4e0d039f6250fd0ff78e34103909eaf13c45396900107342dc8b727b03c0e58aedad3deba7958f282e74e1a3ceb840c3cd38edf4ec10a1eabd768c1325b19b6
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_cs.dll
MD5: dd7622f55ba5a8253f7140ed8619d71c
SHA1: 0cc78f6db200f6da0d0c631e36335f9720fe4ae7
SHA256: 90eaa4bf9fb360730d5d9567206f0740d77007492725973e4dfd3b934cae13f8
SHA512: aa46fb3b01045f2f04999e66ecbe17e43212287fa08f36e6197240fd4c1686411682d0a915d7d72ba105a350c22dd7b0e2690fded93742d027efe9bca37709e6
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_cy.dll
MD5: 7fa587fc34b1f4ccff8687202d5ceda8
SHA1: 45a5c0ea96d729664401facb37bde3d764158c5e
SHA256: 8dddfa9c3cb4a5f6d756b80c254e2c260cc902bc029e01708bb0828abb7ca0a6
SHA512: 137d520fbeb25c8dae9717c2ec4ddff1a070af074d7586afbdaa8c069f62aeae1157cc8e1b08ba40db4729314e3beb0e6fb601f017ea7e8f885a948dfa454b03
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_da.dll
MD5: d02196748b8425bc2c8140f4e83a78d2
SHA1: 0969bb02aae0ef1af7f96aba45f3941d088f9eb7
SHA256: 2dfbb4caa84b3be64aa909d4cf63ff4efa02695d6a378e358943c623dbf2a178
SHA512: 53df9dac034f7a2713b7030236c9d123f4ff2eb0fe8048f5c6902459fa812572b41b7f6c01c565cd3acb38c44ffaa2ef649dcfed76d4a2ecc6a7b22c3c53da26
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_de.dll
MD5: a8a9599b126dc0e904efd055f7137c6e
SHA1: 061824f41d8a4d2f8ef8bef3ef2cf32a443aa326
SHA256: d97203d6a65b7069423228c962639a9b8772588515baf875ff3f4a3f5bc78726
SHA512: e7ad1f5c7e63cf6b3f819b8b690e078d7e7be2a4bc1df6c94132e4c3e46a4cb26b509c0f28a5647a2b1749ead70d3896f4ae4c5378f3542911a97a5842d98a61
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_el.dll
MD5: e14d69cce787e19d164c3f7c0ae61332
SHA1: d19d3856cf7caa2b725e1b83e861e2cd907128c0
SHA256: e8187fea1b82843af60eae0e49ba184e05d36f112024c029fa0125c5d7067a64
SHA512: 26d984b35b12fbb416d5b27eeb8784bf5200e2d2ce618c6e2974e1336cab0f62ba82296494027ce3b73e402aa43d9b66abbe19107d74376d3490f012587c1b10
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_en-GB.dll
MD5: 06e1502286ac9dc94e223f186df41132
SHA1: 946166c0e8e57e17caedf5df17242e91f5772e81
SHA256: 1ec5c1132baaf9732b5bc30e6d870d5537e6bf3baf9516f66f4bf0c95c1e8b6e
SHA512: 9c5091c95c22d87070c6a750d66feea3e42b51cf474c5ae5566d4321acf64c7ecf37687dcc3eedeeafd568c608778b2b0e06e329ebc77c24997896b755b24ca1
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_en.dll
MD5: c97f93ffe9d5e3e5bbc04b168650cd00
SHA1: fb035621aed66c60271df3111eecec2d178a021c
SHA256: 6c9f604468d01e0db22903555ce58fba91b3bc1168057bc3cb0d056c4c785ba9
SHA512: b6c86093fb142af4c47b478920106eae03552ada516429bbdb249e51b4caa8a7ed49c741c8bd469c853a2e36f99b5c6a79a7414e7a7848d6027351216d6b7f27
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_es-419.dllMD5
4bcd1fee36fe6a0cdaaada40907c3d8b
SHA151eb3487585e51c3c263089bad695e0922264a79
SHA256a9b4c3aa17f41e577f3d8f47e7b1b0eb57e83a67e14f3b9796a6224f0bf13a9e
SHA512f1ce2504c051301c361ba081b41b655e2a9f6add8152f5e93867dde1d2974c7723475b935ebe815c0bfcb97b9cbcb783e9c1141786a1445e8ec44bcce2e215cc
-
C:\Program Files (x86)\Microsoft\Temp\EUA86.tmp\msedgeupdateres_es.dllMD5
f3cad4dc9b85dfadd1a2f7f23f6a115a
SHA1e6326bae48881a877b2ea0e7abad5ea8833b8aee
SHA256cd0b3d6c02257f25cac07adbc2e04745afa7677e1546de60e445a1e1cde7a2dc
SHA512e870f2a49e8f33ec90cbffd783c6bdeb8259afd0bd6851bb94f471c900e6f67e12e1da16d549564da15d65e7c517bac0f983ee3395770dc7f57a31158980bff4
-
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.logMD5
28fe2255981be65da0f4afe5a1a78e05
SHA158b7449378b3cea4151b1ef755034c58e9115276
SHA256258a7aeb77ea8ef32121902fc461d64a48d6108caa8a0266cdfb7d53a29485ca
SHA51293a60d64933f9fec077e53b976a5095faad5aeb7afbc37092f9659f321c52fe7d8c46e3040150dcf16a0b70e0634ae92a49e72107c3637227a42506f464acf3b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63MD5
257fdfb4530ca68267904c518da2e7fc
SHA1f64aa9ba561c17dc3671b8adcdaf67bead04ba07
SHA2564791fb891894efbeaf6882194b498fe376d12c7fae08aac6127065247ea70eb0
SHA512f1e9fd5860a7105bcf4f67f62489f94590736aef76ce6da87c291e2ac910ed0e549e987a9ff0e2e524a34d40d5a1f6b54d80cb92c9a9a5a18ef9ffe72f1b0f35
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157MD5
37fa12e96f9c14e0a708945c7b1324b7
SHA14afc6dd8d77ba6782c557eb56253a197fad23916
SHA2562a2c015184388086a0e2be80fe6b7add4241edb997278f55d48604f8a1d044f4
SHA5127376836a49e63ecf6a229e1b8ddd5be0ca7f773105abc7111264eba94bbbbcb6fee7bb3131e0a24cfc867d2b79fd272a3dc9529bceaf948546f1be67b9af1326
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63MD5
545b61f6000ba426e57995c045962a82
SHA19bc54836b43b06c6842923f1dc8571ff0491e399
SHA2560a137421fd57b779b6d34d633551d6a99d7d0515cda22c7a50c7184405167689
SHA512325e85b19a399e235460fcb1839baa7886ac38c72e34546f6e8fa0918f0687c25719737f46a5dcde97fe32579e296d655901ff9b5b36641530bc35467f8eaae6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved\1.3.151.27\recovery-component-inner.crxMD5
b62629cb2f8f2566e417f8869373caab
SHA1d4b3aeeda75d7ba557d646d3100dc30a9be13b1c
SHA256e82878d45ab7120e9f58eabc9be08f7e25e34ed9a4728288d9275952416ad48e
SHA512192d578f2ea77a63e784834c8af63818ae465312e60c7d7614204a3200b1f013454e66c512d73c331de74718d6f4bce13e727d3d167ee49fbb977cad964a66ad
-
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2952_1855215468\0f099a6b-99e3-4382-8e66-3ed0ee4eee4dMD5
8c704fa59474b272a83cdb639559b091
SHA1b8b54514876e3036f7529aa7a70c9fb0a7e8e48e
SHA256dbbba5869c1d8946e5e23215c0404619fe82793d60eb89489b345ef55023e077
SHA512070615fac5acf29c34448b4d044f2d01580cb9e1d293d3cc7f60a7f0a84b983cfdebfbebd7c5a37fbe9b86bdf76cd2d88971e5a55c4f16c7b0e2e911b51449fe
-
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2952_32415271\94572367-7d87-41e1-bb79-e8c97147231aMD5
407544969500d8939f1d1657db5be5e1
SHA1823f80a02da568672f57fcaf7f1cd563b731192e
SHA25602be1bf447628cdc96ae2b6811bc38ac47cbb5059abd6f31e9b2933f969a46af
SHA51299d44a29cc47f7f0eecba729484f58c03cf1adc8308e0be6605f67d4aac7fc490d4f91e943c214d50fd61d677666b05e51c645432c96482fc2d55a51e66b3c73
-
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2952_674012441\11368293-08e5-433a-a3ff-336895b8894dMD5
f071c533f1e0a3bd21fec6905563a057
SHA11e3de9a9e1c1bccb5a5fe2deb53d364a7d7d9811
SHA256894308a5539891e3f2fad8e65820ea79d9fe86a6e71b290c3896f8cb8fcb254e
SHA51272b3b3abe800ccb837c83077c3cc3c8bba4a348de5b7b19b92b845a3bdf5370954df3b2fc2491f365a48e4f4416be7ec55597a08bf09b80341855fd200c1ea56
-
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2952_772440216\066a0908-c95c-4a25-85a2-8ad34b009ca3MD5
7a007f77bad40a7b235345d573f75971
SHA11a331305a9b9b212ac3771993df6c2f831d02712
SHA25638059acf4056b2f024fdb30fb4db82a6f99d13c7cc8e08beadffae52ee7c9650
SHA5128f96313dfa307696961726a2830dfc71c4a0937437c2899a32a8de888c7e3c06c76fd1ff73f199d160ab19f8976ce56750eecaf02f2d105c67d6920574c8722d
-
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2952_948799244\1d147c3b-6a51-425f-a960-c0159921df27MD5
22351f8e29208582a8c4a3be256433d7
SHA1f05a56b94cfaf46b1c74f815cc9b9d80784ffb7e
SHA2569ab1dc1c2c03aa5b274e583dc42891bc07dcceea577ac348940e112b48fa6006
SHA512e13bf84d66b5f067508f5a8fb92cbea9bde8ffa3cca9a72ef1baf30d4675807de90fb2b461ea8f5ede9e13003c9fa5f3f56213aa09e4d8a2294f1f08c110a731
-
C:\Users\Admin\AppData\Local\Temp\edge_BITS_2952_972807872\0a5f110e-e0a3-4b12-a860-a8e62e3be71fMD5
43456ea826951e20c9d0694a01f1886b
SHA19c848aa393d9ea2fd63873381e3af72b7a2e03f4
SHA25668715ca8cdd03437049d6d9d2ceb47584b886a7807bc9b2b483e3faa174694df
SHA5121c102ac415d393754e3ab07b5ffe6ebc60ad4888072bf194d85c57da07eef58fa7ba21ee2a6a45a287540325da1a72c9de362526fc62f122c340021d80ea0d74
-
C:\Windows\Panther\UnattendGC\diagerr.xmlMD5
a1016423071a3b60559a284cf8f1eac6
SHA123c16221e153ccda4b26ab3dbdf5d6abf2cbe28d
SHA25666d330693a82ee50136be12b81dd915da5a9841a402d02db27dd9dc41112d8bb
SHA51236a4e05b1deca7e93a284a652b7ccf362f2b72a96e1113e88be957f67e51210cdd6fd03947a403071ff1dbbaf3ab24fc2834ab75a6492b54695aa22b691d715a
-
C:\Windows\Panther\UnattendGC\diagwrn.xmlMD5
a34fdd127f20a5810dbfc2666ff71cbc
SHA1d34f9d4d305e4fc53f9c9b6de00502e930dc3bf6
SHA256cfe4b22bb92de48c04bb6aa328989b9524b8dee900961005ad7588f4f81ac337
SHA51291647932dabd8dcc557c2870b53123bfdc4472179bbeb6a005d4a5968492253c962adf30649ed6131f35af16eff6f874d8c57a6886f6e7496e615bb319e407d8
-
\??\pipe\LOCAL\crashpad_2952_IVMBQSIDKMMIALUIMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/408-343-0x0000000000000000-mapping.dmp
-
memory/604-426-0x0000000000000000-mapping.dmp
-
memory/648-437-0x0000000000000000-mapping.dmp
-
memory/720-430-0x0000000000000000-mapping.dmp
-
memory/736-480-0x0000000000000000-mapping.dmp
-
memory/968-199-0x0000000000000000-mapping.dmp
-
memory/968-200-0x000001F677F40000-0x000001F677F42000-memory.dmp
Filesize 8KB
-
memory/968-201-0x000001F677F40000-0x000001F677F42000-memory.dmp
Filesize 8KB
-
memory/1168-429-0x0000000000000000-mapping.dmp
-
memory/1200-378-0x0000000000000000-mapping.dmp
-
memory/1212-425-0x0000000000000000-mapping.dmp
-
memory/1416-193-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-188-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-154-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-155-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-157-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-152-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-151-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-149-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-156-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-150-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-158-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-159-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-196-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-146-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-194-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-148-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-192-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-190-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-189-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-153-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-187-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-160-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-186-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-184-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-183-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-182-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-179-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-162-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-178-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-176-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-175-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-147-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-165-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-166-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-170-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-169-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1416-168-0x00007FF867B50000-0x00007FF867BB5000-memory.dmp
Filesize 404KB
-
memory/1648-463-0x0000000000000000-mapping.dmp
-
memory/1904-324-0x0000000000000000-mapping.dmp
-
memory/1908-440-0x0000000000000000-mapping.dmp
-
memory/2116-451-0x0000000000000000-mapping.dmp
-
memory/2148-208-0x000002121E210000-0x000002121E212000-memory.dmp
Filesize 8KB
-
memory/2148-211-0x000002121E210000-0x000002121E212000-memory.dmp
Filesize 8KB
-
memory/2184-210-0x00000146037E0000-0x00000146037E2000-memory.dmp
Filesize 8KB
-
memory/2184-206-0x00000146037E0000-0x00000146037E2000-memory.dmp
Filesize 8KB
-
memory/2184-203-0x0000000000000000-mapping.dmp
-
memory/2184-202-0x0000014603724000-0x0000014603725000-memory.dmp
Filesize 4KB
-
memory/2184-205-0x00007FF887000000-0x00007FF887001000-memory.dmp
Filesize 4KB
-
memory/2216-363-0x0000000000000000-mapping.dmp
-
memory/2232-284-0x0000000000000000-mapping.dmp
-
memory/2244-204-0x0000000000000000-mapping.dmp
-
memory/2244-209-0x0000020AED7F0000-0x0000020AED7F2000-memory.dmp
Filesize 8KB
-
memory/2244-207-0x0000020AED7F0000-0x0000020AED7F2000-memory.dmp
Filesize 8KB
-
memory/2588-381-0x0000000000000000-mapping.dmp
-
memory/2628-427-0x0000000000000000-mapping.dmp
-
memory/2796-422-0x0000000000000000-mapping.dmp
-
memory/2852-347-0x0000000000000000-mapping.dmp
-
memory/2912-369-0x0000000000000000-mapping.dmp
-
memory/2952-195-0x0000000000000000-mapping.dmp
-
memory/2952-198-0x00000199D1B80000-0x00000199D1B82000-memory.dmp
Filesize 8KB
-
memory/2952-197-0x00000199D1B80000-0x00000199D1B82000-memory.dmp
Filesize 8KB
-
memory/3284-428-0x0000000000000000-mapping.dmp
-
memory/3352-337-0x0000000000000000-mapping.dmp
-
memory/3392-421-0x0000000000000000-mapping.dmp
-
memory/3404-296-0x0000000000000000-mapping.dmp
-
memory/3708-355-0x0000000000000000-mapping.dmp
-
memory/4148-424-0x0000000000000000-mapping.dmp
-
memory/4344-287-0x0000000000000000-mapping.dmp
-
memory/4372-423-0x0000000000000000-mapping.dmp
-
memory/4456-225-0x0000000000000000-mapping.dmp
-
memory/4468-420-0x0000000000000000-mapping.dmp
-
memory/4548-443-0x0000000000000000-mapping.dmp
-
memory/4584-232-0x0000000000000000-mapping.dmp
-
memory/4696-164-0x00000223A44A0000-0x00000223A44B0000-memory.dmp
Filesize 64KB
-
memory/4696-167-0x00000223A68B0000-0x00000223A68B4000-memory.dmp
Filesize 16KB
-
memory/4696-163-0x00000223A4260000-0x00000223A4270000-memory.dmp
Filesize 64KB
-
memory/4828-222-0x0000000000000000-mapping.dmp
-
memory/5012-214-0x0000000000000000-mapping.dmp
-
memory/5064-433-0x0000000000000000-mapping.dmp
-
memory/5208-464-0x0000000000000000-mapping.dmp
-
memory/5212-321-0x0000000000000000-mapping.dmp
-
memory/5248-304-0x0000000000000000-mapping.dmp
-
memory/5312-473-0x0000000000000000-mapping.dmp
-
memory/5412-416-0x0000000000000000-mapping.dmp
-
memory/5412-307-0x0000000000000000-mapping.dmp
-
memory/5428-415-0x0000000000000000-mapping.dmp
-
memory/5452-412-0x0000000000000000-mapping.dmp
-
memory/5540-431-0x0000000000000000-mapping.dmp
-
memory/5580-376-0x0000000000000000-mapping.dmp
-
memory/5620-460-0x0000000000000000-mapping.dmp
-
memory/5620-309-0x0000000000000000-mapping.dmp
-
memory/5660-329-0x0000000000000000-mapping.dmp
-
memory/5696-310-0x0000000000000000-mapping.dmp
-
memory/5748-311-0x0000000000000000-mapping.dmp
-
memory/5812-417-0x0000000000000000-mapping.dmp
-
memory/5864-446-0x0000000000000000-mapping.dmp
-
memory/5888-314-0x0000000000000000-mapping.dmp
-
memory/5924-466-0x0000000000000000-mapping.dmp
-
memory/5924-419-0x0000000000000000-mapping.dmp
-
memory/5936-413-0x0000000000000000-mapping.dmp
-
memory/5968-418-0x0000000000000000-mapping.dmp
-
memory/5972-462-0x0000000000000000-mapping.dmp
-
memory/5980-414-0x0000000000000000-mapping.dmp
-
memory/6060-320-0x0000000000000000-mapping.dmp
-
memory/6072-449-0x0000000000000000-mapping.dmp