hxxps://privacytools[.]io

Analysis

max time kernel
1696s
max time network
1705s
platform
windows11_x64
resource
win11
submitted
07-11-2021 10:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://privacytools.io

Score

10^/10

adware discovery persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Downloads MZ/PE file

Executes dropped EXE 15 IoCs

Processes:

msedgerecovery.exeMicrosoftEdgeUpdateSetup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateSetup_X86_1.3.153.47.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdge_X64_95.0.1020.44.exesetup.exeMicrosoftEdge_X64_95.0.1020.44.exesetup.exe

pid	process
2640	msedgerecovery.exe
4644	MicrosoftEdgeUpdateSetup.exe
3188	MicrosoftEdgeUpdate.exe
4020	MicrosoftEdgeUpdateComRegisterShell64.exe
940	MicrosoftEdgeUpdateComRegisterShell64.exe
1348	MicrosoftEdgeUpdateComRegisterShell64.exe
4084	MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe
2748	MicrosoftEdgeUpdate.exe
4288	MicrosoftEdgeUpdateComRegisterShell64.exe
3116	MicrosoftEdgeUpdateComRegisterShell64.exe
132	MicrosoftEdgeUpdateComRegisterShell64.exe
2392	MicrosoftEdge_X64_95.0.1020.44.exe
3988	setup.exe
1716	MicrosoftEdge_X64_95.0.1020.44.exe
912	setup.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 36 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

pid	process
3188	MicrosoftEdgeUpdate.exe
1620	MicrosoftEdgeUpdate.exe
2176	MicrosoftEdgeUpdate.exe
4020	MicrosoftEdgeUpdateComRegisterShell64.exe
2176	MicrosoftEdgeUpdate.exe
940	MicrosoftEdgeUpdateComRegisterShell64.exe
2176	MicrosoftEdgeUpdate.exe
1348	MicrosoftEdgeUpdateComRegisterShell64.exe
2176	MicrosoftEdgeUpdate.exe
1440	MicrosoftEdgeUpdate.exe
468	MicrosoftEdgeUpdate.exe
1716	MicrosoftEdgeUpdate.exe
4712	MicrosoftEdgeUpdate.exe
784	MicrosoftEdgeUpdate.exe
3924	MicrosoftEdgeUpdate.exe
3924	MicrosoftEdgeUpdate.exe
4712	MicrosoftEdgeUpdate.exe
4964	MicrosoftEdgeUpdate.exe
2748	MicrosoftEdgeUpdate.exe
2888	MicrosoftEdgeUpdate.exe
4884	MicrosoftEdgeUpdate.exe
4288	MicrosoftEdgeUpdateComRegisterShell64.exe
4884	MicrosoftEdgeUpdate.exe
3116	MicrosoftEdgeUpdateComRegisterShell64.exe
4884	MicrosoftEdgeUpdate.exe
132	MicrosoftEdgeUpdateComRegisterShell64.exe
4884	MicrosoftEdgeUpdate.exe
2520	MicrosoftEdgeUpdate.exe
2452	MicrosoftEdgeUpdate.exe
5100	MicrosoftEdgeUpdate.exe
1944	MicrosoftEdgeUpdate.exe
1248	MicrosoftEdgeUpdate.exe
1248	MicrosoftEdgeUpdate.exe
1944	MicrosoftEdgeUpdate.exe
1244	MicrosoftEdgeUpdate.exe
2652	MicrosoftEdgeUpdate.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

msedge.exesetup.exesetup.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in System32 directory 1 IoCs

Processes:

setup.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

Processes:

setup.exesetup.exeMicrosoftEdgeUpdateSetup.exeMicrosoftEdgeUpdateSetup_X86_1.3.153.47.exeMicrosoftEdge_X64_95.0.1020.44.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\95.0.1020.44\Trust Protection Lists\Sigma\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Locales\ko.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Locales\it.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\msedge.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\95.0.1020.44\Trust Protection Lists\Sigma\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\elevation_service.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\msedge_pwa_launcher.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\95.0.1020.44\MLModels\nexturl.ort	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\new_pwahelper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Locales\es-419.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\mojo_core.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\wdag.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU655D.tmp\msedgeupdateres_pt-PT.dll	MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\identity_helper.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Trust Protection Lists\Mu\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\95.0.1020.44\Locales\mi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\95.0.1020.44\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{82B1F3C4-E28A-486F-9D27-50BC29D37D60}\EDGEMITMP_8C258.tmp\setup.exe	MicrosoftEdge_X64_95.0.1020.44.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_sr-Latn-RS.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\VisualElements\SmallLogo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Trust Protection Lists\Sigma\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\95.0.1020.44\Trust Protection Lists\Mu\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4012_1286271648\msedgerecovery.exe	elevation_service.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_quz.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Locales\kk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Locales\sk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Installer\setup.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Trust Protection Lists\Mu\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\libsmartscreen.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\95.0.1020.44\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_ms.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_zh-TW.dll	MicrosoftEdgeUpdateSetup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Trust Protection Lists\Mu\CompatExceptions	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\95.0.1020.44\v8_context_snapshot.bin	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Locales\vi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\msedge_pwa_launcher.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\95.0.1020.44\Trust Protection Lists\Mu\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\95.0.1020.44\Locales\fa.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU655D.tmp\msedgeupdateres_ro.dll	MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Locales\ne.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU655D.tmp\msedgeupdateres_lb.dll	MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\BHO\ie_to_edge_bho.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Trust Protection Lists\Mu\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\swiftshader\libEGL.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\396f3ac9-e42b-448d-bfe3-c52cd1827eb7.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Locales\nl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_km.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU655D.tmp\msedgeupdateres_hr.dll	MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\95.0.1020.44\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\95.0.1020.44\Trust Protection Lists\Mu\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\95.0.1020.44\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\vcruntime140_1.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\libGLESv2.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\msedge.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\oneds.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Locales\fa.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_ca-Es-VALENCIA.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\95.0.1020.44\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Temp\source3988_991150622\msedge_7z.data	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU655D.tmp\msedgeupdateres_ko.dll	MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU655D.tmp\msedgeupdateres_sr-Latn-RS.dll	MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exesetup.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "3104454677"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\95.0.1020.44\\BHO"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "5140"	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\95.0.1020.44\\BHO"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "30921757"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exesetup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.151.27\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\LocalServer32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ABD63202-F52F-4225-9C85-19DD88589B66}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9D48CE47-9E1C-4D41-B480-260563C0B724}\InProcServer32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ = "IProcessLauncher"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32\ = "{9D48CE47-9E1C-4D41-B480-260563C0B724}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{9D48CE47-9E1C-4D41-B480-260563C0B724}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{9D48CE47-9E1C-4D41-B480-260563C0B724}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32\ = "{9D48CE47-9E1C-4D41-B480-260563C0B724}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{B532B342-0E34-448B-9EDF-1D55C04041F8}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.151.27\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{B532B342-0E34-448B-9EDF-1D55C04041F8}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{9D48CE47-9E1C-4D41-B480-260563C0B724}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods\ = "41"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\95.0.1020.44\\elevation_service.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine.1.0\CLSID\ = "{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.47\\msedgeupdate.dll,-1004"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{B532B342-0E34-448B-9EDF-1D55C04041F8}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

pid	process
2604	msedge.exe
2604	msedge.exe
1396	msedge.exe
1396	msedge.exe
2056	identity_helper.exe
2056	identity_helper.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
4388	msedge.exe
3188	MicrosoftEdgeUpdate.exe
3188	MicrosoftEdgeUpdate.exe
3188	MicrosoftEdgeUpdate.exe
3188	MicrosoftEdgeUpdate.exe
3188	MicrosoftEdgeUpdate.exe
3188	MicrosoftEdgeUpdate.exe
1716	MicrosoftEdgeUpdate.exe
1716	MicrosoftEdgeUpdate.exe
784	MicrosoftEdgeUpdate.exe
784	MicrosoftEdgeUpdate.exe
4712	MicrosoftEdgeUpdate.exe
4712	MicrosoftEdgeUpdate.exe
3924	MicrosoftEdgeUpdate.exe
3924	MicrosoftEdgeUpdate.exe
4964	MicrosoftEdgeUpdate.exe
4964	MicrosoftEdgeUpdate.exe
2748	MicrosoftEdgeUpdate.exe
2748	MicrosoftEdgeUpdate.exe
2452	MicrosoftEdgeUpdate.exe
2452	MicrosoftEdgeUpdate.exe
5100	MicrosoftEdgeUpdate.exe
5100	MicrosoftEdgeUpdate.exe
5100	MicrosoftEdgeUpdate.exe
5100	MicrosoftEdgeUpdate.exe
1944	MicrosoftEdgeUpdate.exe
1944	MicrosoftEdgeUpdate.exe
1944	MicrosoftEdgeUpdate.exe
1944	MicrosoftEdgeUpdate.exe
1944	MicrosoftEdgeUpdate.exe
1944	MicrosoftEdgeUpdate.exe
1248	MicrosoftEdgeUpdate.exe
1248	MicrosoftEdgeUpdate.exe
1244	MicrosoftEdgeUpdate.exe
1244	MicrosoftEdgeUpdate.exe
2652	MicrosoftEdgeUpdate.exe
2652	MicrosoftEdgeUpdate.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

1396 msedge.exe
1396 msedge.exe
1396 msedge.exe
1396 msedge.exe

pid	process
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

svchost.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_95.0.1020.44.exesetup.exeMicrosoftEdge_X64_95.0.1020.44.exesetup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	pid	process
Token: SeTcbPrivilege	3104	svchost.exe
Token: SeTcbPrivilege	3104	svchost.exe
Token: SeTcbPrivilege	3104	svchost.exe
Token: SeTcbPrivilege	3104	svchost.exe
Token: SeTcbPrivilege	3104	svchost.exe
Token: SeTcbPrivilege	3104	svchost.exe
Token: SeDebugPrivilege	3188	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	3188	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1716	MicrosoftEdgeUpdate.exe
Token: 33	468	MicrosoftEdgeUpdate.exe
Token: SeIncBasePriorityPrivilege	468	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	784	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	4712	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	3924	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	4964	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	2748	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	2452	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	5100	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	5100	MicrosoftEdgeUpdate.exe
Token: 33	5100	MicrosoftEdgeUpdate.exe
Token: SeIncBasePriorityPrivilege	5100	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1944	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1944	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1944	MicrosoftEdgeUpdate.exe
Token: 33	2392	MicrosoftEdge_X64_95.0.1020.44.exe
Token: SeIncBasePriorityPrivilege	2392	MicrosoftEdge_X64_95.0.1020.44.exe
Token: 33	3988	setup.exe
Token: SeIncBasePriorityPrivilege	3988	setup.exe
Token: 33	1716	MicrosoftEdge_X64_95.0.1020.44.exe
Token: SeIncBasePriorityPrivilege	1716	MicrosoftEdge_X64_95.0.1020.44.exe
Token: 33	912	setup.exe
Token: SeIncBasePriorityPrivilege	912	setup.exe
Token: SeDebugPrivilege	1248	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1244	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	2652	MicrosoftEdgeUpdate.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msedge.exe

pid process

1396 msedge.exe

pid	process
1396	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exemsedge.exe

description	pid	process	target process
PID 5088 wrote to memory of 1396	5088	iexplore.exe	msedge.exe
PID 5088 wrote to memory of 1396	5088	iexplore.exe	msedge.exe
PID 1396 wrote to memory of 1772	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 1772	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 4040	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2604	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 2604	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe
PID 1396 wrote to memory of 3508	1396	msedge.exe	msedge.exe

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

Processes:

setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://privacytools.io
1⤵
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "https://privacytools.io/"
2⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.107 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.62 --initial-client-data=0x104,0x108,0x10c,0xa8,0x110,0x7ff9e7e546f8,0x7ff9e7e54708,0x7ff9e7e54718
3⤵
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
3⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
3⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
3⤵
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
3⤵
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
3⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
3⤵
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
3⤵
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6036 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1924 /prefetch:8
3⤵
PID:3408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1928 /prefetch:8
3⤵
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3940 /prefetch:8
3⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2816 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3940 /prefetch:8
3⤵
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2052 /prefetch:8
3⤵
PID:2236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6092 /prefetch:8
3⤵
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,1951879749891586763,16604115223671695700,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4120 /prefetch:8
3⤵
PID:4748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3264

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.62\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:4012

C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4012_1286271648\msedgerecovery.exe
"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4012_1286271648\msedgerecovery.exe" --appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} --browser-version=92.0.902.62 --sessionid={2797642b-4e9e-43fd-a2d8-264913ecabc6} --system
2⤵
- Executes dropped EXE
PID:2640

C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4012_1286271648\MicrosoftEdgeUpdateSetup.exe
"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4012_1286271648\MicrosoftEdgeUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4644

C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\MicrosoftEdgeUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
5⤵
- Loads dropped DLL
- Modifies registry class
PID:1620

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
5⤵
- Loads dropped DLL
- Modifies registry class
PID:2176

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4020

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:940

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.151.27\MicrosoftEdgeUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1348

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTEuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNDMuNTciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzgxNDMxODAtNDE1Qi00QzY5LTk5NzMtNURCMjYzMzFCNDE2fSIgdXNlcmlkPSJ7MzFEOTU5RjQtMTc3Mi00ODlBLThGNzUtRjVGMzYyMzlENjIyfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0ie0E2QzdDQzM3LTFFRDItNEIzMi04OUZBLTFFNTQ3QUZBOEU0QX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjAiIHNzZTQxPSIwIiBzc2U0Mj0iMCIgYXZ4PSIwIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuMTAwIiBzcD0iIiBhcmNoPSJ4NjQiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE1MS4yNyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMTI1Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /machine /installsource chromerecovery
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4712

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Loads dropped DLL
PID:1440

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:468

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:784

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1CF4305D-DDF0-4D22-AE3A-3C7F37E17B24}\MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1CF4305D-DDF0-4D22-AE3A-3C7F37E17B24}\MicrosoftEdgeUpdateSetup_X86_1.3.153.47.exe" /update /sessionid "{3A849356-C76D-443C-8208-9A8F48F8C4CF}"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4084

C:\Program Files (x86)\Microsoft\Temp\EU655D.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EU655D.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{3A849356-C76D-443C-8208-9A8F48F8C4CF}"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
4⤵
- Loads dropped DLL
- Modifies registry class
PID:2888

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
4⤵
- Loads dropped DLL
- Modifies registry class
PID:4884

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4288

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3116

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.47\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:132

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNDciIHNoZWxsX3ZlcnNpb249IjEuMy4xNDMuNTciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0E4NDkzNTYtQzc2RC00NDNDLTgyMDgtOUE4RjQ4RjhDNENGfSIgdXNlcmlkPSJ7MzFEOTU5RjQtMTc3Mi00ODlBLThGNzUtRjVGMzYyMzlENjIyfSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7Mzk2MEFEMzUtQ0Q5Ni00NENBLUJFOTItMEFFRThBNDREMEI0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMCIgc3NlNDE9IjAiIHNzZTQyPSIwIiBhdng9IjAiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC4xMDAiIHNwPSIiIGFyY2g9Ing2NCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTUxLjI3IiBuZXh0dmVyc2lvbj0iMS4zLjE1My40NyIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjE0NVIiIGluc3RhbGxhZ2U9Ijk0IiBpbnN0YWxsZGF0ZXRpbWU9IjE2MjgxMjEzMTYiIGNvaG9ydD0icnJmQDAuMDkiPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48L2FwcD48L3JlcXVlc3Q-
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTEuMjciIHNoZWxsX3ZlcnNpb249IjEuMy4xNDMuNTciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7M0E4NDkzNTYtQzc2RC00NDNDLTgyMDgtOUE4RjQ4RjhDNENGfSIgdXNlcmlkPSJ7MzFEOTU5RjQtMTc3Mi00ODlBLThGNzUtRjVGMzYyMzlENjIyfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0ie0QxRDMyNUU4LTY4MTgtNEE1Ny05REM1LTM4NzI4QkEyNjA4OH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjAiIHNzZTQxPSIwIiBzc2U0Mj0iMCIgYXZ4PSIwIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuMTAwIiBzcD0iIiBhcmNoPSJ4NjQiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE1MS4yNyIgbmV4dHZlcnNpb249IjEuMy4xNTMuNDciIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY2hyb21lcmVjMz0yMDIxNDVSIiBpbnN0YWxsYWdlPSI5NCIgY29ob3J0PSJycmZAMC4wOSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzM3YzkxMDJlLThlMzktNDM5YS05ZjE2LWEzODY1ZWQyNjkxNj9QMT0xNjM2ODg3ODYxJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUczeWliakZLNUJvVGxhMExrRzU5aGRhUTRyaU9ZMlJkc2slMmJZa015cEduNHRNJTJmYmlTQXNUWXREMGNGNnZhdXVGS2h0UjhHNyUyZndkRmRpRUhkY2NEa1BRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBkb3dubG9hZGVkPSIxNzc3MDU2IiB0b3RhbD0iMTc3NzA1NiIgZG93bmxvYWRfdGltZV9tcz0iMzc0Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHNvdXJjZV91cmxfaW5kZXg9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxwaW5nIHI9Ijk1IiByZD0iNTMyOSIgcGluZ19mcmVzaG5lc3M9IntCQkVDNDVDQS1BNkNBLTRBMzYtOTg0RS00NUU4QjY1NEMxRjF9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkyLjAuOTAyLjYyIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgbGFzdF9sYXVuY2hfdGltZT0iMTMyODA3NTY0OTU4MjU2NjQiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSIxMDQiIHI9Ijk1IiBhZD0iNTMyMCIgcmQ9IjUzMjkiIHBpbmdfZnJlc2huZXNzPSJ7MDZCNzg4OEEtQzcwMS00MkMyLTk5REEtNUZGRjhFNDU0NzE0fSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42MiIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGNvaG9ydD0icnJmQDAuNDIiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMjcxNzQ1OTE1MDg5NTYyIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMCIgcj0iOTUiIHJkPSI1MzI5IiBwaW5nX2ZyZXNobmVzcz0ie0U4NjVEQ0MxLUJEMjUtNDI4Ni04NkU1LTE3MUM2NzYyOTIwRX0iLz48L2FwcD48L3JlcXVlc3Q-
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Loads dropped DLL
PID:2520

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /c
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5100

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E4462031-50F2-4C10-A85B-0EC3E5A94A66}\MicrosoftEdge_X64_95.0.1020.44.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E4462031-50F2-4C10-A85B-0EC3E5A94A66}\MicrosoftEdge_X64_95.0.1020.44.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E4462031-50F2-4C10-A85B-0EC3E5A94A66}\EDGEMITMP_AADF8.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E4462031-50F2-4C10-A85B-0EC3E5A94A66}\EDGEMITMP_AADF8.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E4462031-50F2-4C10-A85B-0EC3E5A94A66}\EDGEMITMP_AADF8.tmp\MSEDGE.PACKED.7Z" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3988

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{82B1F3C4-E28A-486F-9D27-50BC29D37D60}\MicrosoftEdge_X64_95.0.1020.44.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{82B1F3C4-E28A-486F-9D27-50BC29D37D60}\MicrosoftEdge_X64_95.0.1020.44.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{82B1F3C4-E28A-486F-9D27-50BC29D37D60}\EDGEMITMP_8C258.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{82B1F3C4-E28A-486F-9D27-50BC29D37D60}\EDGEMITMP_8C258.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{82B1F3C4-E28A-486F-9D27-50BC29D37D60}\EDGEMITMP_8C258.tmp\MSEDGE.PACKED.7Z" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNDciIHNoZWxsX3ZlcnNpb249IjEuMy4xNDMuNTciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEY1MjE3QzktMEM4RC00QjNGLUI3NkQtMjVERTMwOTc0NDk5fSIgdXNlcmlkPSJ7MzFEOTU5RjQtMTc3Mi00ODlBLThGNzUtRjVGMzYyMzlENjIyfSIgaW5zdGFsbHNvdXJjZT0iY29yZSIgcmVxdWVzdGlkPSJ7RjBDRjUyMzQtQjQ1MS00RjQzLThDN0YtNjlFQUVGQzc4MjAzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMCIgc3NlNDE9IjAiIHNzZTQyPSIwIiBhdng9IjAiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC4xMDAiIHNwPSIiIGFyY2g9Ing2NCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTUzLjQ3IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNocm9tZXJlYzM9MjAyMTQ1UiIgaW5zdGFsbGFnZT0iOTQiIGNvaG9ydD0icnJmQDAuMDkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcmQ9IjU0MjQiIHBpbmdfZnJlc2huZXNzPSJ7RUMwNUEyM0EtQzE2QS00QTI2LTk3QjUtNkVDNzZGNkZFMzg5fSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42MiIgbmV4dHZlcnNpb249Ijk1LjAuMTAyMC40NCIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBsYXN0X2xhdW5jaF90aW1lPSIxMzI4MDc1NjQ5NTgyNTY2NCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvY2RjM2FmNGUtZTlmMy00MmVlLThkZTgtOWFjZmI4ZDkzZDk1P1AxPTE2MzY4ODc4NzEmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9YU9YYUV1OG1HdlRQZ2NFN2xoSDZTVE1jV0QlMmZ2WHUyJTJmUGl5WGpjRzJva000JTJiJTJmZnpvWUZmZjhlR2E3dnd0TU8ycXVSWmppYVk0VVdEVSUyZm5NanNrZUp3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9jZGMzYWY0ZS1lOWYzLTQyZWUtOGRlOC05YWNmYjhkOTNkOTU_UDE9MTYzNjg4Nzg3MSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1hT1hhRXU4bUd2VFBnY0U3bGhINlNUTWNXRCUyZnZYdTIlMmZQaXlYamNHMm9rTTQlMmIlMmZmem9ZRmZmOGVHYTd2d3RNTzJxdVJaamlhWTRVV0RVJTJmbk1qc2tlSnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGRvd25sb2FkZWQ9IjExMDMwMDU4NCIgdG90YWw9IjExMDMwMDU4NCIgZG93bmxvYWRfdGltZV9tcz0iMTAwNDEiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc291cmNlX3VybF9pbmRleD0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NjA4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMTMyOCIgZG93bmxvYWRfdGltZV9tcz0iMTI1MDIiIGRvd25sb2FkZWQ9IjExMDMwMDU4NCIgdG90YWw9IjExMDMwMDU4NCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iMjI3MDQiLz48cGluZyBhY3RpdmU9IjAiIHJkPSI1NDI0IiBwaW5nX2ZyZXNobmVzcz0iezM4Njg2QTRFLUE5QkEtNEY0NS1BRUFDLTY2N0Y2QjlBNEMzMX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iOTIuMC45MDIuNjIiIG5leHR2ZXJzaW9uPSI5NS4wLjEwMjAuNDQiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgY29ob3J0PSJycmZAMC40MiIgbGFzdF9sYXVuY2hfdGltZT0iMTMyNzE3NDU5MTUwODk1NjIiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDgiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxMzQ0IiBkb3dubG9hZGVkPSIxMTAzMDA1ODQiIHRvdGFsPSIxMTAzMDA1ODQiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIyIiBpbnN0YWxsX3RpbWVfbXM9IjIwNzkiLz48cGluZyBhY3RpdmU9IjAiIHJkPSI1NDI0IiBwaW5nX2ZyZXNobmVzcz0ie0QwMTM1RDI3LUY4NTEtNDQ5MS05OTdGLUJBMEUyRjM3OUE1Q30iLz48L2FwcD48L3JlcXVlc3Q-
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1244

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4012_1286271648\MicrosoftEdgeUpdateSetup.exe
MD5
4488f766299c7fefe2a7038e3d0b7e6a

SHA1
04ec94e21ff2c4eb6c144f6c6241642c05f182b3

SHA256
8874fb15d446396d1740a3ed90a4643de9ba982d6fdfd61282d75e81efcc415b

SHA512
4a70adc8cfbef86745a7061bba71fb75fac0741db64bc27207e4b3d1855fbba710d024018bd31a31e01135efe425271bdd6be71261242b43df0b8e0e0fcf96d3

Download Submit
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4012_1286271648\MicrosoftEdgeUpdateSetup.exe
MD5
4488f766299c7fefe2a7038e3d0b7e6a

SHA1
04ec94e21ff2c4eb6c144f6c6241642c05f182b3

SHA256
8874fb15d446396d1740a3ed90a4643de9ba982d6fdfd61282d75e81efcc415b

SHA512
4a70adc8cfbef86745a7061bba71fb75fac0741db64bc27207e4b3d1855fbba710d024018bd31a31e01135efe425271bdd6be71261242b43df0b8e0e0fcf96d3

Download Submit
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4012_1286271648\msedgerecovery.exe
MD5
6de69804e275844266117f3f3016af57

SHA1
684e1f5f5d2d9c49c491ca2f6e5dd86e4489c812

SHA256
70928f78c5c52c98ff43f66b6d3b0ee0cb0e0460f0799007c970857539d5ba1c

SHA512
f172c0cd760c17dd04f7b08a90ad921f92e600e21f1aeb25f4338905f829a6a1077bde92b5183d7adf56b48ef772e05a1262498038e1fd5b9682afd18e42e9d2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\EdgeUpdate.dat
MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\MicrosoftEdgeComRegisterShellARM64.exe
MD5
e7ddb7d2103fd518652eca1328f21510

SHA1
36bf5749f398a586ec1481cc42a3a6f5deb3754b

SHA256
8666d49f5af22615eacbb8b389098c2e7276e6040c937aba970a1dd46fefa7d5

SHA512
66c44138de7053a38ed25a01d5c03b08b2d91b2845b54efe6e0be79f843fbd07a81aa0796965e8de027cfb3f9ba362fd34694535f5a72d8c0dd56ea5488b97f7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\MicrosoftEdgeUpdate.exe
MD5
3c2ec71dbec0629c92ee081fa5523190

SHA1
c34429bccfa61fc4d2bfc7be42227017fcefd4a9

SHA256
d357502511352995e9523c746131f8ed38457c38a77381c03dda1a1968abce42

SHA512
2a50c2c3b1391b0450cea7dd02b96046fed3e5467cc0e317b4950514fff46ed07a64fd48a917ebc1d86247f30d274bab9efafed2d4e05fc485d55e9c254bd448

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\MicrosoftEdgeUpdate.exe
MD5
3c2ec71dbec0629c92ee081fa5523190

SHA1
c34429bccfa61fc4d2bfc7be42227017fcefd4a9

SHA256
d357502511352995e9523c746131f8ed38457c38a77381c03dda1a1968abce42

SHA512
2a50c2c3b1391b0450cea7dd02b96046fed3e5467cc0e317b4950514fff46ed07a64fd48a917ebc1d86247f30d274bab9efafed2d4e05fc485d55e9c254bd448

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
MD5
9db970fa6963695477e8a3691c5d9940

SHA1
e5b57ead1f5d0fbc3185a3761103e55b69ca03d0

SHA256
d5d69fb701c077892a587f3ecbb1010ec0846f5046b05a653a7994154420c328

SHA512
fdfabf237fbb833f76c9968e99e887a6bc732b9be13bdb3723c472251b11faacc16eb73377ee5b532d2e6faa03e103106120d80b2d4ac0cc843c4c9951b310b8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\MicrosoftEdgeUpdateCore.exe
MD5
b6a524d1abeb4868b67e780ea6c2e267

SHA1
fbe541805bc0922f0a1c1eb9f09125a7f38a32a9

SHA256
113d781452ea8d2632d50a6c64c4b1728d8d158964c0ea99e6e0b23cc9861d89

SHA512
6a8df76159c0ed181e35084d75cf2edc36a0e16f93c1115d6c455b544cb2b409a447ecd1e7ae976cb2518a9cc1298df25d8ad946d4a2b89c1b3ee4b9f035c8ad

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\NOTICE.TXT
MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdate.dll
MD5
93d198acff9bb99fd6dd2f0b972a4172

SHA1
a1667b10a8536b773d0c0fc9dae19f0320f95336

SHA256
a88a49608b123e5241c4ebe8d69dfda70c0b3d87640c4d4a565c99b8ec00aa12

SHA512
b3e5fcbad61f038848dda8cbfc40664285aabce4fcbc0ede274a9d1296216a4ab3b6a3ead902f204dbeadf7d6cfabf56f50f277e18f47b399217087996c140eb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdate.dll
MD5
93d198acff9bb99fd6dd2f0b972a4172

SHA1
a1667b10a8536b773d0c0fc9dae19f0320f95336

SHA256
a88a49608b123e5241c4ebe8d69dfda70c0b3d87640c4d4a565c99b8ec00aa12

SHA512
b3e5fcbad61f038848dda8cbfc40664285aabce4fcbc0ede274a9d1296216a4ab3b6a3ead902f204dbeadf7d6cfabf56f50f277e18f47b399217087996c140eb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_af.dll
MD5
51e0f6293052a9ed32eebadb0e78dba2

SHA1
b6f109d95760e6a8da19f760b54e35316d50db47

SHA256
65f20a53718c547b675f0ebd8ce406ae2dcbe242f50fbb631e0d052befaa1a87

SHA512
d4ca2fa4b832537d9dcdb6358aee50824085c4327957cfe6465e5af7ddc8245158959ecd6b7767686033c799df4deca06716d8bfdfb55d297436cf65769d1161

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_am.dll
MD5
a6c941f474e1c7266ab500cc932ad294

SHA1
cfff3bcf205666ca3b17b65d82a7aed01888af6c

SHA256
5ad20f36db95fabbb0f8c62b94bbd532db8083e0f380191180613bd2579a5481

SHA512
a7b36bef2929df59999a9fb32a0a2cd8982d90e552ceb29730ed544ba0009192659b360d02181a894943571030b5e0f7ee63b3449be489527718de318a1eaaca

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_ar.dll
MD5
ad19703ff751e308a0e64e5aa88e018d

SHA1
aec05b96d8a10a2d6f3b09691b1f2512af92948d

SHA256
13a26667a4fd42a7d9fe3b61fa5ddf959d93642b051a8ad43ef87d38619cdc82

SHA512
56f7599ec7ac2db9b6d8e7c632f1327caa97395c18f436052e7482fa9d12d65c14f84dfb9e6052529a133e36201cb76ee5cab37da5ad1bb8def1abbf885f3c5f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_as.dll
MD5
57147d7160d98f0e550abbe56f09e12e

SHA1
8463be34d9a2852f57ff18763d8ef7d2c070e544

SHA256
1ba80418686eea5fc7ece5d0d4f0dd4bcdda9df6abf5bf0e8bd941ee2972ac7b

SHA512
f1020a91b43c40eebd8f6f61dcba9588c6b4966bc5bd50fa806f3a0c55ec6f9921f44bf36915fcec541df540f40f2e6f3c073a9f1fc2b603db590887cf8b2dc9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_az.dll
MD5
033e5cfa0a2627efca17f13824ad5092

SHA1
9f7357fd9a06f4e59cbeb4492bbed4d364789e9f

SHA256
de0b777c86d95dc5e9d0614ac8a5dc1b559791a2fe11385d3758e6f7021d5cb4

SHA512
453508c01d40a9c6a7c4359ec991f94201be1090f663828f1f4b962734852c6ea761a75fa590669436ec0d74025d1654ec0d4dfa116d0a2f8680d54c6efb6662

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_bg.dll
MD5
b5c174c65533a224015e940453ebf7bd

SHA1
e812e228587a9c8eb7ec7e5d838da264fbd3eb9a

SHA256
f9b9730b97f160b22bb9e5f96c2fe623e4cd1ec8d58b36c05e62b92b6eed29e6

SHA512
0ca1668e224130c9b9638c979d1e833ff3e4452d9007f1748d4d126a0dd99d829e8dd46dcd0606f5202534e8e483d3af5f5b300d92063a8294338f2264c58ead

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_bn-IN.dll
MD5
03159478c2c5416cd03b90fdbb85f60b

SHA1
3015e5b79be506516f05366c36e885fa15675bc0

SHA256
ae58ce60a6171b2fbee56f58bfe6e38f5efe568af13355b1d3f6b6c66e5b7906

SHA512
38071382f91847641e19ed957e695f45b6b76fa4b91d90db1251dae00df07d6757a6e382098ec8afb35f04fd01c8dcbd661bf0b7a1bea1054b24fbc29a29cf6c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_bn.dll
MD5
ceb156024e4c9b36bc3e217201fc2322

SHA1
e126d7953d5c49b724617e1f8b81edb64a769dfc

SHA256
ff10d60ec3ff0cd35ce090823bcb2fdd18c825d7ee6ce17655431739e219c17e

SHA512
dc74407f6b2f237479d6fde428be3fa72be3e2efe4d8dfb8e5430c119deb39ea0c9d63cde654376e7a190be0a220eaab3343df76a01059316b5b6c444479abf9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_bs.dll
MD5
32018e13551cc7fabff9b9d281d3bea8

SHA1
49796fd79c9c76e45358f21d8f9fabbb81f928db

SHA256
6eab69d9cf28d403706e0dced218b3bfdce328cfed3103812388734bae98c693

SHA512
e960f0eeb0cbd3393b575b91c953ed5bd8c9146aa8b8aa113605d646e48b4c4ba4faa8987889fc72dc2d786c8c4200867689c1cd8867c3f3dd9a249537ddae4b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_ca-Es-VALENCIA.dll
MD5
37eb7b29ec5007edf219acb6779d791e

SHA1
4097b0b293e2e5c8908b8baa7bc41128ad4abaed

SHA256
e9b2d242cef0bf2f10824e9435eaa9cbe196c88c6692c0707bcb532580dafa8f

SHA512
e9a8a52b7e52e85468edc9503bc1970585c178bcf8c29c662b17bed4d4399ac0b756a67c926b79f2a409f91de3067fb39a4e7f36efd5fa7ea720b841f3d50371

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_ca.dll
MD5
13de822ff2627018bdb4c30c14463dcd

SHA1
9e09b285785ec4ccd6b307176212edba410b128a

SHA256
9871893788cb63a024923941c1ad02da611e27328745eab33f73b42d62c9eaa8

SHA512
e4e0d039f6250fd0ff78e34103909eaf13c45396900107342dc8b727b03c0e58aedad3deba7958f282e74e1a3ceb840c3cd38edf4ec10a1eabd768c1325b19b6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_cs.dll
MD5
dd7622f55ba5a8253f7140ed8619d71c

SHA1
0cc78f6db200f6da0d0c631e36335f9720fe4ae7

SHA256
90eaa4bf9fb360730d5d9567206f0740d77007492725973e4dfd3b934cae13f8

SHA512
aa46fb3b01045f2f04999e66ecbe17e43212287fa08f36e6197240fd4c1686411682d0a915d7d72ba105a350c22dd7b0e2690fded93742d027efe9bca37709e6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_cy.dll
MD5
7fa587fc34b1f4ccff8687202d5ceda8

SHA1
45a5c0ea96d729664401facb37bde3d764158c5e

SHA256
8dddfa9c3cb4a5f6d756b80c254e2c260cc902bc029e01708bb0828abb7ca0a6

SHA512
137d520fbeb25c8dae9717c2ec4ddff1a070af074d7586afbdaa8c069f62aeae1157cc8e1b08ba40db4729314e3beb0e6fb601f017ea7e8f885a948dfa454b03

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_da.dll
MD5
d02196748b8425bc2c8140f4e83a78d2

SHA1
0969bb02aae0ef1af7f96aba45f3941d088f9eb7

SHA256
2dfbb4caa84b3be64aa909d4cf63ff4efa02695d6a378e358943c623dbf2a178

SHA512
53df9dac034f7a2713b7030236c9d123f4ff2eb0fe8048f5c6902459fa812572b41b7f6c01c565cd3acb38c44ffaa2ef649dcfed76d4a2ecc6a7b22c3c53da26

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_de.dll
MD5
a8a9599b126dc0e904efd055f7137c6e

SHA1
061824f41d8a4d2f8ef8bef3ef2cf32a443aa326

SHA256
d97203d6a65b7069423228c962639a9b8772588515baf875ff3f4a3f5bc78726

SHA512
e7ad1f5c7e63cf6b3f819b8b690e078d7e7be2a4bc1df6c94132e4c3e46a4cb26b509c0f28a5647a2b1749ead70d3896f4ae4c5378f3542911a97a5842d98a61

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_el.dll
MD5
e14d69cce787e19d164c3f7c0ae61332

SHA1
d19d3856cf7caa2b725e1b83e861e2cd907128c0

SHA256
e8187fea1b82843af60eae0e49ba184e05d36f112024c029fa0125c5d7067a64

SHA512
26d984b35b12fbb416d5b27eeb8784bf5200e2d2ce618c6e2974e1336cab0f62ba82296494027ce3b73e402aa43d9b66abbe19107d74376d3490f012587c1b10

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_en-GB.dll
MD5
06e1502286ac9dc94e223f186df41132

SHA1
946166c0e8e57e17caedf5df17242e91f5772e81

SHA256
1ec5c1132baaf9732b5bc30e6d870d5537e6bf3baf9516f66f4bf0c95c1e8b6e

SHA512
9c5091c95c22d87070c6a750d66feea3e42b51cf474c5ae5566d4321acf64c7ecf37687dcc3eedeeafd568c608778b2b0e06e329ebc77c24997896b755b24ca1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_en.dll
MD5
c97f93ffe9d5e3e5bbc04b168650cd00

SHA1
fb035621aed66c60271df3111eecec2d178a021c

SHA256
6c9f604468d01e0db22903555ce58fba91b3bc1168057bc3cb0d056c4c785ba9

SHA512
b6c86093fb142af4c47b478920106eae03552ada516429bbdb249e51b4caa8a7ed49c741c8bd469c853a2e36f99b5c6a79a7414e7a7848d6027351216d6b7f27

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_es-419.dll
MD5
4bcd1fee36fe6a0cdaaada40907c3d8b

SHA1
51eb3487585e51c3c263089bad695e0922264a79

SHA256
a9b4c3aa17f41e577f3d8f47e7b1b0eb57e83a67e14f3b9796a6224f0bf13a9e

SHA512
f1ce2504c051301c361ba081b41b655e2a9f6add8152f5e93867dde1d2974c7723475b935ebe815c0bfcb97b9cbcb783e9c1141786a1445e8ec44bcce2e215cc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_es.dll
MD5
f3cad4dc9b85dfadd1a2f7f23f6a115a

SHA1
e6326bae48881a877b2ea0e7abad5ea8833b8aee

SHA256
cd0b3d6c02257f25cac07adbc2e04745afa7677e1546de60e445a1e1cde7a2dc

SHA512
e870f2a49e8f33ec90cbffd783c6bdeb8259afd0bd6851bb94f471c900e6f67e12e1da16d549564da15d65e7c517bac0f983ee3395770dc7f57a31158980bff4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_et.dll
MD5
5179538542bf7b9d09fed7c6ce5f36b6

SHA1
485a7ba019a79c9edf5170c66f20093a8e244054

SHA256
46a9baf759ff770d2abf7fd7f2dda8b1f3336f3dc477889a93b25a12e839d9d2

SHA512
0b60f7c21b9421c52caa00052d1c2c3c0b4bbdb2ece783e4c9dc4b288e56c21452040ab6f0e2a024e73f6fffd4bf0c5b348975bb73e197220082e4eaf55505ef

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_eu.dll
MD5
b2a5bfeb8421a42a6d4e4bbe0af1ff9d

SHA1
2949dacb397f669812acbd2a44d45b6fd87de110

SHA256
e9be16e58573ad3a66eac5330eeabde2e6b07d47862a78b4a4552cb04570488c

SHA512
a89ba89ce32116fd085bd11a2c5d164e6c37e5519a8547481eaa8e1b75837920831abe2f86b6454821c133f1a7d8c1ef3d0b7cacbcfb0570d88affdeea35c81b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_fa.dll
MD5
a6e0e94a5118406a49967eff69e5f95e

SHA1
cb97b85f6c45cb1635a05e2ae678861758ffb5dd

SHA256
3757d9f64dc9050b4b4a880be38c563202f5d4e9d4bf5c6209abfd4392aba906

SHA512
11d5d98ee13b6c9da1d69b6958adfd3b078e6e4c887b056e33c59893be044ebe6fe74b3367959cc8248c2067ba54220e4333f63942da78f9cd0eef56da5222de

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_fi.dll
MD5
5bcd5010264333cbfb0005678db9079c

SHA1
67049ceaee6f1021cd4cd7b2886c92aac5d6b047

SHA256
3e1325f1f1f95d9fffc554d656720e19499ad8f658b1ebbfd4e4d1623639a6fc

SHA512
f32a204d75683bf6a26a60e0ea41db3048dcbeb868955adde28b16786b6be8a91587cc8432a8d5a2de70b151d954543f0477fb56b26be5f0efbe25dff89fcbd5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_fil.dll
MD5
10bcbf6c7efd39b40c4d7819103f83d3

SHA1
dc870a07ab956e2bd519424553373e53dd50ff6c

SHA256
36ee1d98a48726048f1db8a34a474bd595d42836ef3c9f45ad8fc7876f6f5782

SHA512
cd4cafc77ba66912d3fd46fecc2eed59f4b19de1564c42948d01e0e8a5d1150f71d59827179eedcbe12cf4308fb13023eba30f1590cb70dbdf4df29eb9e495ed

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_fr-CA.dll
MD5
f443e9d9a090641a0108f2bac5f00332

SHA1
6e8efd1f83dc26490920f0135f36f2e91df08c8b

SHA256
ec194ff30119639d586d6bed4a57fa16cc7d1024f09313c55f54311f123bcb88

SHA512
892323d6497ab36a049f59e49de8c23e5ce880aca811c3423621585838bbdb64c0e95f62f22d9353ad3efc84383be52eab2797b8067fba66689763d0a9287f63

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_fr.dll
MD5
d60d8b7d2861cb74672a085694c4a080

SHA1
c4be46de53e224e53db055d17b3393edecdaa7bb

SHA256
ccdda5523459637f0d7b8766fd282b70c2849185dff5935dc2dce1cac89b0e80

SHA512
6836a47ab09acfbd526d0dedd46c16b7879138d2511afdb8321c615d122f3a7c51997fab1cb9407cc6ac6ad19862e25035b133f30e0e74cff50e7a0ea4b3baa3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_ga.dll
MD5
13eb51cc09c9f16c2744daee640a5cbd

SHA1
eee30a7fd1fccf3dbae9c1dfa6d77122cb05536c

SHA256
9ccb338c76156396388f1bdcdd8ab56dddd3e7d0c9e58ad0d36f749a3edb6ec8

SHA512
6fe703743bc6db042561a9d84a4dc3219fbcf4b362808979adf8e89bac7a89ba39d5d4e72137dc74ac7406a89a057001b2cfe84715a5e26a7790353c56acf748

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_gd.dll
MD5
000f0f4c7002bcf241d5d4a93bdfced3

SHA1
826c174c8ccdc75455bf4a68051ad0850be05593

SHA256
2faa96d51684d46d93bfb700d518144bdb50cbdd73fe18e24a1f47d769cd097b

SHA512
7f83df76b5fa87311157a5388440b2737197381a4153c0f3ede0774fc9dc545875ebb5f3c274fde3e428b0e8c067663fed95c25be8be8e8c2de97d1d761027f7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_gl.dll
MD5
82583acb95a791851f88d38726823703

SHA1
fa7da649160bb78939193f159060d6bcede11527

SHA256
b76cf107610560354caee4c9519b3e8a94376394a4abaa32fcec5ab1d83f976d

SHA512
d62868ea81a124bb07a655c3f6be7723977171102ae160b48460c2e466f2206ea98a68b64cc8e5e0a8a7dac1fcb10ef7c7fbdaaa4b67a2ff6feeea368e2969f9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_gu.dll
MD5
b18de93a0ab6c5150128c1ce85871960

SHA1
82639dc738bb9b9bdaf37b1e487b51517e819cbb

SHA256
d598eb005612e0a84ebb5a6b38bb3b963ef10d3c97bc27d6b31d2a5225fc239f

SHA512
84454597904b5c20edf356a706621f2434c70cf22edd2367b20d6d3417112c8341d7aa4e9b46a9473311727288298bbdefce3118838588082f92a6a348efd2dd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_hi.dll
MD5
a77de8d46c5da2a1d07af61bee8923d5

SHA1
752a6202592f979edb850f9cd48667cff85eea4a

SHA256
5a8471a73dcf56c3e65ef855c6c559ce36a52c40f061902106ed9ee1c80600b1

SHA512
76dd9ff39e8bb06583ed2547dd6f42b29346b2ddf9b4ad5aae19182e7f6b0aa491a71758cdf08bcee2f071ab477f6f22d0793ce5d41c83c267daf2a1823bc051

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_hr.dll
MD5
80af740b5c50c78d3f9821f3e8638660

SHA1
629c5ebb042870b650b6f78223b70ccf3cc39e84

SHA256
6b30deee4522880198b706250c919c4ce2f8b63481489f309b7fe5014ee655d2

SHA512
cba44d0d42292660a7a27f5b5f3781b353d4131d3eb3e4c74e08455f8dda64143b7757b2b0c62ac839984beecc4617a7e836f286de4d75d6d2ec458f334dfb3b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_hu.dll
MD5
1e959547bab52467f7c7bfe671ae2f20

SHA1
40f98aa0e71d40333e9b45ebfb18440e4a9eb0c8

SHA256
6048c07a850c8378268d7331ed804ec2fbbaa0659553382f72a423ff738df9b1

SHA512
3442ec3f25c2e9b0441d8e6dc2aeb8efffdeb646d8b1d2c0125490d3d59551d11a60827d0b7beb8fd1cb5c41af73100d44edfa01e5dd42b53d05f738a7ee538c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_id.dll
MD5
b6e391edc3d1a78dea08f684d06b1b24

SHA1
6167d7bf6df527354e3f4201510472b677c00bec

SHA256
5351fc8c0e42c1c4e33b5a04c24109398bf5a025ada9379d9a7b408c0623e261

SHA512
4fe94f41583f1d5638a59efdabaf44b32e1f83b0dc39d068261f7c1e663682ef9dea3e01466005faff9340eca75c0f2fa3ac65903133c82d44a5cabb0101cec4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_is.dll
MD5
89067e8802d0ad17c733a647f0f68f39

SHA1
f06dc0f692b894964c6a2884c1e52032f3f25c2f

SHA256
aa80041ef7b479789fc61cc85c82a340d36ebfe40f849e914ca2a86332167e6f

SHA512
307d443ee5753066051d907339e6c4de9b2e2b18f33c2fece7a6c78ac26af9d1ed40c631baf86e4e724e5825856b68ae58cc307b21a2c723f8ca783348824a4d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF07B.tmp\msedgeupdateres_it.dll
MD5
abd3a4a91ac6a253a658495fb7f6ea60

SHA1
ea00d0f58a9324a9b33c1b0840a330d529df27a7

SHA256
b4d1a7bc6fd4606b7dbc95d817202bd01493205daa10a930e2cc2b18d7604c73

SHA512
da1d32215921f6127658923137ad735e803e47b7ec70cdc0bb98ef738a2ff568c6d652ec12cdd41de6b2d6ab311df948b88927da009172d246a9c353145ecb59

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
MD5
6ca717d5f66f800876eb0137557ec7a3

SHA1
a35515b829a471a116436475ab62a89f6d85953b

SHA256
bd3444c1251cc0ecd362e9efe1d36d22077321da9389ade5b84e6f8d3e0ca313

SHA512
66d128cd4c6a6286ac087fc845cd903450ada1f4cfe47553c8df9d6c613e3c8ca9cd8c22fa1b02cd74423146a9f4dcf2bb61913c3d34972764296da6f31a223c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved\1.3.151.27\recovery-component-inner.crx
MD5
b62629cb2f8f2566e417f8869373caab

SHA1
d4b3aeeda75d7ba557d646d3100dc30a9be13b1c

SHA256
e82878d45ab7120e9f58eabc9be08f7e25e34ed9a4728288d9275952416ad48e

SHA512
192d578f2ea77a63e784834c8af63818ae465312e60c7d7614204a3200b1f013454e66c512d73c331de74718d6f4bce13e727d3d167ee49fbb977cad964a66ad

Download Submit
\??\pipe\LOCAL\crashpad_1396_EVXWWLFUSVRWLRFP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/132-360-0x0000000000000000-mapping.dmp

Download
memory/468-339-0x0000000000000000-mapping.dmp

Download
memory/784-342-0x0000000000000000-mapping.dmp

Download
memory/912-373-0x0000000000000000-mapping.dmp

Download
memory/940-337-0x0000000000000000-mapping.dmp

Download
memory/1032-234-0x0000000000000000-mapping.dmp

Download
memory/1244-376-0x0000000000000000-mapping.dmp

Download
memory/1348-338-0x0000000000000000-mapping.dmp

Download
memory/1396-193-0x000001C79A180000-0x000001C79A182000-memory.dmp

Filesize
8KB

Download
memory/1396-194-0x000001C79A180000-0x000001C79A182000-memory.dmp

Filesize
8KB

Download
memory/1396-192-0x0000000000000000-mapping.dmp

Download
memory/1500-217-0x0000000000000000-mapping.dmp

Download
memory/1620-334-0x0000000000000000-mapping.dmp

Download
memory/1708-253-0x0000000000000000-mapping.dmp

Download
memory/1716-370-0x0000000000000000-mapping.dmp

Download
memory/1716-340-0x0000000000000000-mapping.dmp

Download
memory/1772-196-0x0000000000000000-mapping.dmp

Download
memory/1772-197-0x000001E1CFD70000-0x000001E1CFD72000-memory.dmp

Filesize
8KB

Download
memory/1772-198-0x000001E1CFD70000-0x000001E1CFD72000-memory.dmp

Filesize
8KB

Download
memory/1944-363-0x0000000000000000-mapping.dmp

Download
memory/2056-244-0x0000000000000000-mapping.dmp

Download
memory/2176-335-0x0000000000000000-mapping.dmp

Download
memory/2208-220-0x0000000000000000-mapping.dmp

Download
memory/2236-274-0x0000000000000000-mapping.dmp

Download
memory/2392-364-0x0000000000000000-mapping.dmp

Download
memory/2452-361-0x0000000000000000-mapping.dmp

Download
memory/2604-206-0x0000018243840000-0x0000018243842000-memory.dmp

Filesize
8KB

Download
memory/2604-201-0x0000000000000000-mapping.dmp

Download
memory/2604-204-0x0000018243840000-0x0000018243842000-memory.dmp

Filesize
8KB

Download
memory/2640-281-0x0000000000000000-mapping.dmp

Download
memory/2652-377-0x0000000000000000-mapping.dmp

Download
memory/2668-269-0x0000000000000000-mapping.dmp

Download
memory/2748-355-0x0000000000000000-mapping.dmp

Download
memory/2888-356-0x0000000000000000-mapping.dmp

Download
memory/3116-359-0x0000000000000000-mapping.dmp

Download
memory/3188-286-0x0000000000000000-mapping.dmp

Download
memory/3408-248-0x0000000000000000-mapping.dmp

Download
memory/3508-212-0x00000282CB7F0000-0x00000282CB7F2000-memory.dmp

Filesize
8KB

Download
memory/3508-213-0x00000282CB7F0000-0x00000282CB7F2000-memory.dmp

Filesize
8KB

Download
memory/3508-209-0x0000000000000000-mapping.dmp

Download
memory/3832-258-0x0000000000000000-mapping.dmp

Download
memory/3988-367-0x0000000000000000-mapping.dmp

Download
memory/4020-336-0x0000000000000000-mapping.dmp

Download
memory/4040-214-0x00000161AABA0000-0x00000161AABA2000-memory.dmp

Filesize
8KB

Download
memory/4040-200-0x0000000000000000-mapping.dmp

Download
memory/4040-203-0x00000161AABA0000-0x00000161AABA2000-memory.dmp

Filesize
8KB

Download
memory/4040-202-0x00007FFA098C0000-0x00007FFA098C1000-memory.dmp

Filesize
4KB

Download
memory/4040-205-0x00000161AABA0000-0x00000161AABA2000-memory.dmp

Filesize
8KB

Download
memory/4040-211-0x00000161AABA0000-0x00000161AABA2000-memory.dmp

Filesize
8KB

Download
memory/4040-215-0x00000161AABA0000-0x00000161AABA2000-memory.dmp

Filesize
8KB

Download
memory/4040-199-0x00000161AAAEF000-0x00000161AAAF0000-memory.dmp

Filesize
4KB

Download
memory/4084-353-0x0000000000000000-mapping.dmp

Download
memory/4288-358-0x0000000000000000-mapping.dmp

Download
memory/4388-262-0x0000000000000000-mapping.dmp

Download
memory/4556-344-0x0000000000000000-mapping.dmp

Download
memory/4644-283-0x0000000000000000-mapping.dmp

Download
memory/4712-341-0x0000000000000000-mapping.dmp

Download
memory/4748-349-0x0000000000000000-mapping.dmp

Download
memory/4752-231-0x0000000000000000-mapping.dmp

Download
memory/4884-357-0x0000000000000000-mapping.dmp

Download
memory/4964-354-0x0000000000000000-mapping.dmp

Download
memory/5088-179-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-173-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-162-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-160-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-159-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-158-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-157-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-156-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-155-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-154-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-164-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-165-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-166-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-153-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-152-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-151-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-167-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-172-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-150-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-163-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-175-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-176-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-180-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-181-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-183-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-184-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-185-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-186-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-149-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-187-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-195-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-189-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-190-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-191-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-146-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-148-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5088-147-0x00007FF9F1F00000-0x00007FF9F1F65000-memory.dmp

Filesize
404KB

Download
memory/5100-362-0x0000000000000000-mapping.dmp

Download