Malware Analysis Report

2025-05-28 17:25

Sample ID: 230117-mm4qwaae4z
Target: 1060.zip
SHA256: d69eed54c20aded9d472b36b71b604f724b90038776e8a9bb34d994c319fafc9
Tags: persistence purecrypter downloader loader asyncrat default rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral4 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral5 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral9 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral10 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral11 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral14 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral3 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral8 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral16 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral17 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral18 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral12 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral6 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral15 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral7 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral13 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: d69eed54c20aded9d472b36b71b604f724b90038776e8a9bb34d994c319fafc9

Threat Level: Known bad

The file 1060.zip was found to be: Known bad.

Malicious Activity Summary

persistence purecrypter downloader loader asyncrat default rat

AsyncRat

PureCrypter

Purecrypter family

Async RAT payload

Registers COM server for autorun

Executes dropped EXE

Sets file execution options in registry

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in Program Files directory

Program crash

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Enumerates system info in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-17 10:35

Signatures

Purecrypter family

purecrypter

Analysis: behavioral4

Detonation Overview

Submitted: 2023-01-17 10:35
Reported: 2023-01-17 10:38
Platform: win10v2004-20220812-en
Max time kernel: 144s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\2b2bd717ef276aa3be519cb31fb4e498bb10242e110892bde18e28174bee5538.exe"

Signatures

Registers COM server for autorun

persistence
Every row below is attributed to MicrosoftEdgeUpdateComRegisterShell64.exe, Microsoft's own COM registration helper, pointing three CLSIDs at psmachine_64.dll inside the Edge Update install directory. Check the process column before reading this signature as the sample's persistence; the signature name alone does not say which component performed the registration.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A

Sets file execution options in registry

persistence
The only IFEO value written is DisableExceptionChainValidation = 0 under the MicrosoftEdgeUpdate.exe subkey, set by the Edge updater itself; no Debugger value appears, so this is not an IFEO redirect of another binary.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\MicrosoftEdgeUpdate.exe N/A

Adds Run key to start application

persistence
Only the creation of the per-user Run key by msedge.exe is recorded here; no value naming an executable appears in this table.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_lo.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_en-GB.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_ko.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_sr.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_az.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_fr-CA.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_quz.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\MicrosoftEdgeComRegisterShellARM64.exe C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_es.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_et.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_ms.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_sk.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_sv.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_ta.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_bn-IN.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_bs.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_sl.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_uk.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_bg.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_fi.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_is.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_pt-PT.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_as.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_mk.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\psmachine_arm64.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\psuser_64.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_gu.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\MicrosoftEdgeUpdateOnDemand.exe C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\EdgeUpdate.dat C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_iw.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_pt-BR.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_te.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_tr.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\psmachine_64.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_nl.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_ca-Es-VALENCIA.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_ur.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_sq.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_tt.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_id.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_it.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\MicrosoftEdgeUpdateBroker.exe C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_lt.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_cy.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a5485d24-1f0c-4f6b-9c89-6f6c58e00a11.tmp C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_am.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_es-419.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_hr.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_km.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdate.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_hu.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_gd.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_ka.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_lv.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_vi.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_zh-TW.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_sr-Cyrl-RS.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230117113703.pma C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\msedgerecovery.exe C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_gl.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_mi.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_sr-Cyrl-BA.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A
File created C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\msedgeupdateres_nn.dll C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
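The four registry signatures above (COM server registration, IFEO, Run key, BIOS queries) all arrive as flattened "Description Indicator Process Target" rows, and the question a reviewer has to answer by hand is the same each time: which image performed the write, and does the written value point somewhere it should not. The Python below is an added example, not part of the sandbox's report or tooling; it parses rows in exactly that format and applies those checks. The rows it runs on are copied from the tables above except the last, which is a constructed hostile row (a null CLSID, sample.exe, evil.dll) included only to exercise the high-severity branch; the severity labels and the list of trusted install roots are the example's own assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Values seen in the report's Description column.
OPS = (
    "Key created", "Key deleted", "Key opened", "Key value queried",
    "Set value (str)", "Set value (int)",
    "File created", "File opened for modification",
)

# A row is "<op> <indicator> <process> <target>".  The indicator can contain
# spaces ("Windows NT", "Image File Execution Options") and a quoted value, so
# the process is taken as the first whitespace-preceded drive path that leaves
# exactly one token (the Target column) at the end of the line.
ROW_RE = re.compile(
    r"^(?P<op>" + "|".join(re.escape(o) for o in OPS) + r")\s+"
    r"(?P<indicator>.+?)\s+(?P<process>[A-Z]:\\.+?)\s+(?P<target>\S+)$"
)
# Splits an indicator into the registry path and an optional assigned value.
VALUE_RE = re.compile(r'^(?P<path>.+?)(?:\s+=\s+"(?P<value>.*)")?$')

# Assumed trusted install roots for a COM server (the example's own choice).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?(\\|$)")


@dataclass
class Event:
    op: str
    path: str              # registry key plus value name, or a file path
    value: Optional[str]   # assigned data exactly as printed (still escaped)
    process: str           # full path of the acting process
    target: str

    @property
    def image(self) -> str:
        return self.process.rsplit("\\", 1)[-1]


def _unescape(s: str) -> str:
    """Undo the report's backslash escaping of the value column."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_row(line: str) -> Optional[Event]:
    """Parse one flattened table row; returns None for headers and blank lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    v = VALUE_RE.match(m["indicator"])
    return Event(m["op"], v["path"], v["value"], m["process"], m["target"])


def triage(ev: Event) -> Optional[Tuple[str, str]]:
    """Map one event to (severity, finding), or None when no rule applies."""
    p = ev.path.lower()
    if ev.value is not None and (p.endswith("\\inprocserver32\\") or p.endswith("\\localserver32\\")):
        # The default value names the server loaded whenever the CLSID is
        # instantiated; a path outside trusted roots is classic COM persistence.
        server = _unescape(ev.value).strip('"')
        sev = "info" if server.lower().startswith(TRUSTED_ROOTS) else "high"
        kind = "InProcServer32" if "inproc" in p else "LocalServer32"
        return sev, f"COM {kind} -> {server} (registered by {ev.image})"
    if ev.value is not None and "\\image file execution options\\" in p:
        name = ev.path.rsplit("\\", 1)[-1]
        exe = ev.path.split("\\")[-2]
        # A Debugger value redirects every launch of <exe>; other IFEO flags
        # (DisableExceptionChainValidation in this report) are low value.
        sev = "high" if name.lower() == "debugger" else "low"
        return sev, f"IFEO {name}={ev.value} for {exe} (by {ev.image})"
    if RUN_KEY_RE.search(p) and ev.op in ("Key created", "Set value (str)"):
        return "medium", f"Run key: {ev.op} by {ev.image}"
    if ev.op == "Key value queried" and "\\hardware\\description\\system\\bios\\" in p:
        name = ev.path.rsplit("\\", 1)[-1]
        return "info", f"BIOS fingerprint read: {name} (by {ev.image})"
    return None


def triage_report(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Parse every row, apply the rules, and group findings by acting image."""
    findings: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        ev = parse_row(line)
        hit = triage(ev) if ev else None
        if hit:
            findings[ev.image].append(hit)
    return dict(findings)


# Rows 1-5 are copied from the report tables above; the last row is CONSTRUCTED
# (null CLSID, sample.exe, evil.dll) purely to exercise the high-severity branch.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\MicrosoftEdgeUpdate.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\evil.dll" C:\Users\Admin\AppData\Local\Temp\sample.exe N/A',
]

if __name__ == "__main__":
    for image, hits in triage_report(SAMPLE_ROWS).items():
        print(image)
        for sev, text in hits:
            print(f"  [{sev}] {text}")
```

Run against the rows above, every finding from the report itself groups under an Edge Update or msedge.exe image and scores no higher than "medium"; only the constructed row produces a "high", because its InProcServer32 default value points into a user-writable directory. The ThreadingModel row is parsed but produces no finding, which is the point of keying the COM rule on the default value rather than on the CLSID subkey as a whole.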

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B} C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB} C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\MicrosoftEdgeUpdateOnDemand.exe\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA} C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ = "ICurrentState" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\ProgID C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\MicrosoftEdgeUpdateOnDemand.exe\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE} C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VERSIONINDEPENDENTPROGID C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods\ = "12" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\Elevation C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\CurVer\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ = "Microsoft Edge Update Legacy On Demand" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3} C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\ProgID\ = "MicrosoftEdgeUpdate.CoreMachineClass.1" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation\Enabled = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\Elevation C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC} C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ = "ServiceModule" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\MicrosoftEdgeUpdateBroker.exe\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ProgID C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24" C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1508 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\1060\2b2bd717ef276aa3be519cb31fb4e498bb10242e110892bde18e28174bee5538.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1508 wrote to memory of 4600 N/A C:\Users\Admin\AppData\Local\Temp\1060\2b2bd717ef276aa3be519cb31fb4e498bb10242e110892bde18e28174bee5538.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 3468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4600 wrote to memory of 4936 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1060\2b2bd717ef276aa3be519cb31fb4e498bb10242e110892bde18e28174bee5538.exe

"C:\Users\Admin\AppData\Local\Temp\1060\2b2bd717ef276aa3be519cb31fb4e498bb10242e110892bde18e28174bee5538.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://paste2.org/DWeAUtKE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed9d646f8,0x7ffed9d64708,0x7ffed9d64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,11252664429717060176,9174849971175310085,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,11252664429717060176,9174849971175310085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,11252664429717060176,9174849971175310085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11252664429717060176,9174849971175310085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11252664429717060176,9174849971175310085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,11252664429717060176,9174849971175310085,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5212 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11252664429717060176,9174849971175310085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,11252664429717060176,9174849971175310085,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5792 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11252664429717060176,9174849971175310085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,11252664429717060176,9174849971175310085,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11252664429717060176,9174849971175310085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x270,0x274,0x278,0x24c,0x27c,0x7ff7ae865460,0x7ff7ae865470,0x7ff7ae865480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,11252664429717060176,9174849971175310085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2100,11252664429717060176,9174849971175310085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5492 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\msedgerecovery.exe

"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\msedgerecovery.exe" --appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} --browser-version=92.0.902.67 --sessionid={7f7e2269-4850-4e1a-9368-45cf2b946f06} --system

C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe

"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir4612_1571876740\MicrosoftEdgeUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent

C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\Temp\EUCA9E.tmp\MicrosoftEdgeUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjkuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNDcuMzciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjIyRTRDQkUtNTFEOC00QkQ1LUEyQUMtQTM4QjBFODFBOEFFfSIgdXNlcmlkPSJ7QTk3M0EyNjgtQkZGMy00QzU2LUFEMzAtMzZGRThGNzNERUE3fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezgwNDg2Qjk3LTI0QTEtNDRBRi05M0E5LTM3MjgxMDA0MjQ4Nn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7bTQ2SzVLNXoxdnZrTkxIcjRjMXgvaENqZTdaUUxkcUt5WjVOd2d6VjNBOD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE2OS4zMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU4OTcwOTI4MCIgaW5zdGFsbF90aW1lX21zPSIxMjE4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /machine /installsource chromerecovery

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 keyauth.win udp
N/A 104.21.57.106:443 keyauth.win tcp
N/A 20.42.65.85:443 tcp
N/A 104.80.225.205:443 tcp
N/A 95.101.78.106:80 tcp
N/A 87.248.202.1:80 tcp
N/A 87.248.202.1:80 tcp
N/A 8.8.8.8:53 nav.smartscreen.microsoft.com udp
N/A 20.73.130.64:443 nav.smartscreen.microsoft.com tcp
N/A 8.8.8.8:53 smartscreen-prod.microsoft.com udp
N/A 20.73.130.64:443 smartscreen-prod.microsoft.com tcp
N/A 20.73.130.64:443 smartscreen-prod.microsoft.com tcp
N/A 20.73.130.64:443 smartscreen-prod.microsoft.com tcp
N/A 8.8.8.8:53 paste2.org udp
N/A 188.114.96.0:443 paste2.org tcp
N/A 188.114.96.0:443 paste2.org tcp
N/A 20.73.130.64:443 smartscreen-prod.microsoft.com tcp
N/A 131.253.33.200:443 www.bing.com tcp
N/A 188.114.96.0:443 paste2.org udp
N/A 8.8.8.8:53 static.paste2.org udp
N/A 8.8.8.8:53 stats.paste2.org udp
N/A 8.8.8.8:53 www.effectivecreativeformats.com udp
N/A 192.243.59.20:443 www.effectivecreativeformats.com tcp
N/A 8.8.8.8:53 dns.google udp
N/A 8.8.8.8:443 dns.google tcp
N/A 8.8.8.8:443 dns.google tcp
N/A 8.8.8.8:53 apps.identrust.com udp
N/A 88.221.25.169:80 apps.identrust.com tcp
N/A 8.8.8.8:443 dns.google udp
N/A 52.22.199.149:443 tcp
N/A 192.243.59.20:443 www.effectivecreativeformats.com tcp
N/A 172.67.192.227:443 brousless.com tcp
N/A 172.67.192.227:443 tcp
N/A 20.73.130.64:443 smartscreen-prod.microsoft.com tcp
N/A 172.67.192.227:443 udp
N/A 142.234.204.80:443 tartator.com tcp
N/A 104.17.25.14:443 tcp
N/A 104.17.25.14:443 tcp
N/A 13.107.21.200:443 tcp
N/A 142.234.204.80:443 getsthis.com tcp
N/A 224.0.0.251:5353 udp
N/A 95.101.74.139:443 assets.msn.com tcp
N/A 95.101.74.139:443 assets.msn.com tcp
N/A 23.72.252.155:443 tcp
N/A 18.65.39.70:443 tcp
N/A 20.234.93.27:443 tcp
N/A 204.79.197.200:443 tcp
N/A 8.8.8.8:443 dns.google udp
N/A 204.79.197.239:443 tcp
N/A 131.253.33.239:443 tcp
N/A 23.39.244.146:443 ecn.dev.virtualearth.net tcp
N/A 23.200.87.20:443 deff.nelreports.net tcp
N/A 204.79.197.239:443 tcp
N/A 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
N/A 152.199.19.161:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp

Files

Analysis: behavioral5

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win7-20220901-en

Max time kernel

47s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\2c062e6674533b55f8fbcb316674ecd2a1ce8f71dacb55a2cebe248fc7445334.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\2c062e6674533b55f8fbcb316674ecd2a1ce8f71dacb55a2cebe248fc7445334.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\2c062e6674533b55f8fbcb316674ecd2a1ce8f71dacb55a2cebe248fc7445334.exe

"C:\Users\Admin\AppData\Local\Temp\1060\2c062e6674533b55f8fbcb316674ecd2a1ce8f71dacb55a2cebe248fc7445334.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 pastebin.com udp
N/A 104.20.67.143:443 pastebin.com tcp

Files

memory/2016-54-0x0000000001290000-0x00000000014C8000-memory.dmp

memory/2016-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

memory/2016-56-0x0000000004ED5000-0x0000000004EE6000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win7-20221111-en

Max time kernel

130s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\a4c4feb3d6679413553f96ab310e0a6d62f56a84b252a22d9d406f39cea5ea4b.exe"

Signatures

PureCrypter

loader downloader purecrypter

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1060\a4c4feb3d6679413553f96ab310e0a6d62f56a84b252a22d9d406f39cea5ea4b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\a4c4feb3d6679413553f96ab310e0a6d62f56a84b252a22d9d406f39cea5ea4b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\a4c4feb3d6679413553f96ab310e0a6d62f56a84b252a22d9d406f39cea5ea4b.exe

"C:\Users\Admin\AppData\Local\Temp\1060\a4c4feb3d6679413553f96ab310e0a6d62f56a84b252a22d9d406f39cea5ea4b.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp

Files

memory/1144-54-0x0000000000B80000-0x0000000000B88000-memory.dmp

memory/1144-55-0x0000000076041000-0x0000000076043000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win10v2004-20220901-en

Max time kernel

122s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\a4c4feb3d6679413553f96ab310e0a6d62f56a84b252a22d9d406f39cea5ea4b.exe"

Signatures

PureCrypter

loader downloader purecrypter

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1060\a4c4feb3d6679413553f96ab310e0a6d62f56a84b252a22d9d406f39cea5ea4b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\a4c4feb3d6679413553f96ab310e0a6d62f56a84b252a22d9d406f39cea5ea4b.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\a4c4feb3d6679413553f96ab310e0a6d62f56a84b252a22d9d406f39cea5ea4b.exe

"C:\Users\Admin\AppData\Local\Temp\1060\a4c4feb3d6679413553f96ab310e0a6d62f56a84b252a22d9d406f39cea5ea4b.exe"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 cdn.discordapp.com udp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 20.42.72.131:443 tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 67.24.25.254:80 tcp
N/A 67.24.25.254:80 tcp
N/A 67.24.25.254:80 tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp
N/A 162.159.133.233:443 cdn.discordapp.com tcp

Files

memory/1628-132-0x0000000000200000-0x0000000000208000-memory.dmp

memory/1628-133-0x0000000004B70000-0x0000000004BD6000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win7-20220812-en

Max time kernel

133s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\a50efe1f4ff14d891c56d3d15d60954945d3cfdac28d893ea14806ab17a147ab.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\a50efe1f4ff14d891c56d3d15d60954945d3cfdac28d893ea14806ab17a147ab.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\a50efe1f4ff14d891c56d3d15d60954945d3cfdac28d893ea14806ab17a147ab.exe

"C:\Users\Admin\AppData\Local\Temp\1060\a50efe1f4ff14d891c56d3d15d60954945d3cfdac28d893ea14806ab17a147ab.exe"

Network

Country Destination Domain Proto
N/A 79.110.63.18:80 tcp
N/A 79.110.63.18:80 tcp
N/A 79.110.63.18:80 tcp

Files

memory/1644-54-0x00000000011D0000-0x00000000011D8000-memory.dmp

memory/1644-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Analysis: behavioral14

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win10v2004-20221111-en

Max time kernel

136s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\a5d4bab6184ba63aedcdbcb97666630f2b134de4a39ac0bcbcfe37b7a21b6416.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\a5d4bab6184ba63aedcdbcb97666630f2b134de4a39ac0bcbcfe37b7a21b6416.exe

"C:\Users\Admin\AppData\Local\Temp\1060\a5d4bab6184ba63aedcdbcb97666630f2b134de4a39ac0bcbcfe37b7a21b6416.exe"

Network

Country Destination Domain Proto
N/A 104.80.225.205:443 tcp
N/A 84.53.175.11:80 tcp
N/A 84.53.175.11:80 tcp
N/A 104.208.16.89:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp

Files

memory/2212-132-0x0000000000A00000-0x0000000000C92000-memory.dmp

memory/2212-133-0x0000000005E30000-0x00000000063D4000-memory.dmp

memory/2212-134-0x0000000005690000-0x0000000005722000-memory.dmp

memory/2212-135-0x0000000005640000-0x000000000564A000-memory.dmp

memory/2212-136-0x0000000009440000-0x00000000094DC000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win7-20221111-en

Max time kernel

149s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\2b2bd717ef276aa3be519cb31fb4e498bb10242e110892bde18e28174bee5538.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003bad9e5810411a41b405bdc87c3b0eb80000000002000000000010660000000100002000000070924646b9ba013ba33d910ef5d63eb41c4a393dbfebc2051042e7a3bfb7d5d4000000000e80000000020000200000009eb126d8e7d5b29d77ed7c0206ec982b0eed006edcaec48ffc82774ac8b5f88c200000008897ae8fc2840258ab00d2e3e10352af44244c340d577824ec4d3a3decd44cb740000000ac8d1e6f6fca1bacd471483c38092b0882335a07b37c75e098e367541d642abbee03554bc73f8b62a6e9d433351ae509d10ab80a58cd8c01530e91ce62693a51 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20aecf0d682ad901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "380720381" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{39216E61-965B-11ED-A1D9-72598884447E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\2b2bd717ef276aa3be519cb31fb4e498bb10242e110892bde18e28174bee5538.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1060\2b2bd717ef276aa3be519cb31fb4e498bb10242e110892bde18e28174bee5538.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1060\2b2bd717ef276aa3be519cb31fb4e498bb10242e110892bde18e28174bee5538.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1060\2b2bd717ef276aa3be519cb31fb4e498bb10242e110892bde18e28174bee5538.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1724 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\1060\2b2bd717ef276aa3be519cb31fb4e498bb10242e110892bde18e28174bee5538.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 996 wrote to memory of 916 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 996 wrote to memory of 916 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 996 wrote to memory of 916 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 996 wrote to memory of 916 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 996 wrote to memory of 1964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 996 wrote to memory of 1964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 996 wrote to memory of 1964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 996 wrote to memory of 1964 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 996 wrote to memory of 668 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 996 wrote to memory of 668 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 996 wrote to memory of 668 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 996 wrote to memory of 668 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\1060\2b2bd717ef276aa3be519cb31fb4e498bb10242e110892bde18e28174bee5538.exe

"C:\Users\Admin\AppData\Local\Temp\1060\2b2bd717ef276aa3be519cb31fb4e498bb10242e110892bde18e28174bee5538.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://paste2.org/DWeAUtKE

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:340994 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:996 CREDAT:668694 /prefetch:2

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 keyauth.win udp
N/A 188.114.96.0:443 keyauth.win tcp
N/A 8.8.8.8:53 paste2.org udp
N/A 188.114.97.0:443 paste2.org tcp
N/A 188.114.97.0:443 paste2.org tcp
N/A 8.8.8.8:53 static.paste2.org udp
N/A 8.8.8.8:53 stats.paste2.org udp
N/A 188.114.96.0:443 stats.paste2.org tcp
N/A 188.114.96.0:443 stats.paste2.org tcp
N/A 188.114.96.0:443 stats.paste2.org tcp
N/A 188.114.97.0:443 stats.paste2.org tcp
N/A 188.114.97.0:443 stats.paste2.org tcp
N/A 8.8.8.8:53 www.effectivecreativeformats.com udp
N/A 173.233.137.44:443 www.effectivecreativeformats.com tcp
N/A 173.233.137.44:443 www.effectivecreativeformats.com tcp
N/A 8.8.8.8:53 apps.identrust.com udp
N/A 8.8.8.8:53 apps.identrust.com udp
N/A 88.221.25.169:80 apps.identrust.com tcp
N/A 88.221.25.169:80 apps.identrust.com tcp
N/A 8.8.8.8:53 preventionconsciousflea.com udp
N/A 173.233.137.60:443 preventionconsciousflea.com tcp
N/A 173.233.137.60:443 preventionconsciousflea.com tcp
N/A 8.8.8.8:53 jennyvisits.com udp
N/A 192.243.61.227:443 jennyvisits.com tcp
N/A 192.243.61.227:443 jennyvisits.com tcp
N/A 8.8.8.8:53 adsblocks.shop udp
N/A 109.68.214.248:80 adsblocks.shop tcp
N/A 109.68.214.248:80 adsblocks.shop tcp
N/A 8.8.8.8:53 adsgoandway.xyz udp
N/A 89.223.67.221:443 adsgoandway.xyz tcp
N/A 89.223.67.221:443 adsgoandway.xyz tcp
N/A 45.138.26.146:80 tcp
N/A 45.138.26.146:80 45.138.26.146 tcp
N/A 45.138.26.146:80 tcp
N/A 45.138.26.146:80 45.138.26.146 tcp
N/A 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 8.8.8.8:53 www.microsoft.com udp

Files

memory/1724-54-0x0000000000C10000-0x0000000000C7E000-memory.dmp

memory/1724-55-0x0000000075E01000-0x0000000075E03000-memory.dmp

memory/1724-56-0x0000000004F55000-0x0000000004F66000-memory.dmp

memory/1724-57-0x0000000004F55000-0x0000000004F66000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e46b4c4b873c7833a31c81e380099197
SHA1 3b6af59c435fad022dd8856b741d880f9e5b54e1
SHA256 b05699ba87e43a46b03027cd0a3f74029e5055a2d7e146f8aaaf589721c68b4c
SHA512 d280c20bb49f6beda727a7b9c6520ffb0ea3281f5b6f3ed10d90b64dd5071b5a6b783a682eddbe9795367c6e17ae7fec795d205e25345a415bb8700780780757

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e4155480a3c1ba1fb59057fe99424b02
SHA1 0bcc9c513e557f6e82fe0dc078696eeb408e5b1f
SHA256 e46b3f0ab5c00f37aa6f5699d51ce93616dc49469b7947c68be341611c993235
SHA512 7721e1060b892070885b5686b0acb2bb01431aeaebd3cc0e7de22a761d125839405ab84b9817349b7322a3bfa167c8a29cedaea160ec907e411f27f3cb31626d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\32L0DHYP.txt

MD5 80decda3273101d973768f6952d3c738
SHA1 97d8ee05dd569df2c0f840562d13c3dfd21b3018
SHA256 1c2970b4c2f8c61a7812e08370d2968e06f1bc9c86839c03c0a6b967b13a7e47
SHA512 3a63c85d664d4c6fd908dccbcd71f98cbcee74d096c21d74d3d76ffa6715b6a0d9d04653a6b54f428339ccb801caf89c383a15b58b6dd1cf9dcb251d8a888fe5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\46XILC9P\4Z9E626S.htm

MD5 2db16f6f35ed28e938c5c153a3a6297d
SHA1 44aad1c754462a3c9cb4dfb21e8eff04f6201b65
SHA256 f24abc7a4de62c178793b1d060ffbff65912e860b5b05886641ff8ac1e3107a3
SHA512 561d8fc3d54caf1f2e010ce01aad0b85c3384db65a6da9a1bff1211001aba7c50a74c5c2d45f682333177de1057390b3f7a7c56794c463edad2748ce638c6434

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C9YCYMMP.txt

MD5 4d3655f3e035c90bf68ca70b8a37f8b5
SHA1 18658b0d4c4b9e60e5a90ca2ec5a3a2dbb2b4851
SHA256 50c9e329fc004ddbd12268f37f541ad464bedafbf7d8cea10546d681fef7c247
SHA512 11c92d5807763de2bd4ebe011910da58292ed8b16a5aff7c2efc2324b028ed743af4b05741fb88639d2bf3385291b161645dda1269b58878c5c500309325d400

Analysis: behavioral8

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win10v2004-20220812-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\364fb9545112672897e074456abf73a6031b313b2939d8eecec0813a5f096dba.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1060\364fb9545112672897e074456abf73a6031b313b2939d8eecec0813a5f096dba.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\364fb9545112672897e074456abf73a6031b313b2939d8eecec0813a5f096dba.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\364fb9545112672897e074456abf73a6031b313b2939d8eecec0813a5f096dba.exe

"C:\Users\Admin\AppData\Local\Temp\1060\364fb9545112672897e074456abf73a6031b313b2939d8eecec0813a5f096dba.exe"

Network

Country Destination Domain Proto
N/A 52.182.141.63:443 tcp
N/A 93.184.221.240:80 tcp
N/A 93.184.221.240:80 tcp

Files

memory/2008-132-0x0000000000840000-0x000000000088A000-memory.dmp

memory/2008-133-0x0000000005800000-0x0000000005DA4000-memory.dmp

memory/2008-134-0x0000000005DB0000-0x0000000005E4C000-memory.dmp

memory/2008-135-0x0000000005E50000-0x0000000005EE2000-memory.dmp

memory/2008-136-0x0000000005770000-0x000000000577A000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win10v2004-20221111-en

Max time kernel

138s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\d71d4f7a18e93069f0ad7c6631f49e122710fd4c66e4e91aa8c7c03dd4bc0d2a.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1060\d71d4f7a18e93069f0ad7c6631f49e122710fd4c66e4e91aa8c7c03dd4bc0d2a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\d71d4f7a18e93069f0ad7c6631f49e122710fd4c66e4e91aa8c7c03dd4bc0d2a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\d71d4f7a18e93069f0ad7c6631f49e122710fd4c66e4e91aa8c7c03dd4bc0d2a.exe

"C:\Users\Admin\AppData\Local\Temp\1060\d71d4f7a18e93069f0ad7c6631f49e122710fd4c66e4e91aa8c7c03dd4bc0d2a.exe"

Network

Country Destination Domain Proto
N/A 40.125.122.151:443 tcp
N/A 20.189.173.4:443 tcp
N/A 8.8.8.8:53 97.97.242.52.in-addr.arpa udp
N/A 67.27.154.126:80 tcp
N/A 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
N/A 96.16.53.137:80 tcp
N/A 104.80.225.205:443 tcp
N/A 8.8.8.8:53 a.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa udp

Files

memory/5008-132-0x0000000000D60000-0x0000000000D6A000-memory.dmp

memory/5008-133-0x0000000005C80000-0x00000000062A8000-memory.dmp

memory/5008-134-0x00000000056D0000-0x0000000005706000-memory.dmp

memory/5008-135-0x0000000005690000-0x000000000569A000-memory.dmp

memory/5008-136-0x0000000005B40000-0x0000000005B5A000-memory.dmp

memory/5008-137-0x0000000006930000-0x0000000006FAA000-memory.dmp

memory/5008-138-0x00000000062B0000-0x0000000006346000-memory.dmp

memory/5008-139-0x0000000005BD0000-0x0000000005BF2000-memory.dmp

memory/5008-140-0x0000000006350000-0x00000000063B6000-memory.dmp

memory/5008-141-0x0000000007560000-0x0000000007B04000-memory.dmp

memory/5008-142-0x00000000063C0000-0x00000000063DE000-memory.dmp

memory/5008-143-0x0000000006430000-0x000000000647A000-memory.dmp

memory/5008-144-0x00000000080E0000-0x0000000008146000-memory.dmp

memory/5008-145-0x00000000080B0000-0x00000000080D2000-memory.dmp

Analysis: behavioral17

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win7-20220901-en

Max time kernel

113s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\eb417ff8f23a6f69a05e39264cccd83c38e44cbdf4e90c5a6455800eb3d9c09c.exe"

Signatures

PureCrypter

loader downloader purecrypter

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1060\eb417ff8f23a6f69a05e39264cccd83c38e44cbdf4e90c5a6455800eb3d9c09c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\eb417ff8f23a6f69a05e39264cccd83c38e44cbdf4e90c5a6455800eb3d9c09c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\eb417ff8f23a6f69a05e39264cccd83c38e44cbdf4e90c5a6455800eb3d9c09c.exe

"C:\Users\Admin\AppData\Local\Temp\1060\eb417ff8f23a6f69a05e39264cccd83c38e44cbdf4e90c5a6455800eb3d9c09c.exe"

Network

Country Destination Domain Proto
N/A 185.246.220.210:80 tcp
N/A 185.246.220.210:80 tcp
N/A 185.246.220.210:80 tcp

Files

memory/856-54-0x00000000013D0000-0x00000000013D8000-memory.dmp

memory/856-55-0x0000000075711000-0x0000000075713000-memory.dmp

Analysis: behavioral18

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win10v2004-20221111-en

Max time kernel

124s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\eb417ff8f23a6f69a05e39264cccd83c38e44cbdf4e90c5a6455800eb3d9c09c.exe"

Signatures

PureCrypter

loader downloader purecrypter

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1060\eb417ff8f23a6f69a05e39264cccd83c38e44cbdf4e90c5a6455800eb3d9c09c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\eb417ff8f23a6f69a05e39264cccd83c38e44cbdf4e90c5a6455800eb3d9c09c.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\eb417ff8f23a6f69a05e39264cccd83c38e44cbdf4e90c5a6455800eb3d9c09c.exe

"C:\Users\Admin\AppData\Local\Temp\1060\eb417ff8f23a6f69a05e39264cccd83c38e44cbdf4e90c5a6455800eb3d9c09c.exe"

Network

Country Destination Domain Proto
N/A 185.246.220.210:80 tcp
N/A 93.184.220.29:80 tcp
N/A 93.184.220.29:80 tcp
N/A 67.26.105.254:80 tcp
N/A 8.253.208.121:80 tcp
N/A 13.78.111.198:443 tcp
N/A 67.26.105.254:80 tcp
N/A 67.26.105.254:80 tcp
N/A 209.197.3.8:80 tcp
N/A 104.80.225.205:443 tcp
N/A 185.246.220.210:80 tcp
N/A 185.246.220.210:80 tcp

Files

memory/4200-132-0x00000000004D0000-0x00000000004D8000-memory.dmp

memory/4200-133-0x0000000004E30000-0x0000000004E96000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win10v2004-20220812-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\a50efe1f4ff14d891c56d3d15d60954945d3cfdac28d893ea14806ab17a147ab.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\a50efe1f4ff14d891c56d3d15d60954945d3cfdac28d893ea14806ab17a147ab.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\a50efe1f4ff14d891c56d3d15d60954945d3cfdac28d893ea14806ab17a147ab.exe

"C:\Users\Admin\AppData\Local\Temp\1060\a50efe1f4ff14d891c56d3d15d60954945d3cfdac28d893ea14806ab17a147ab.exe"

Network

Country Destination Domain Proto
N/A 79.110.63.18:80 tcp
N/A 104.46.162.226:443 tcp
N/A 79.110.63.18:80 tcp
N/A 67.24.171.254:80 tcp
N/A 67.24.171.254:80 tcp
N/A 67.24.171.254:80 tcp
N/A 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
N/A 79.110.63.18:80 tcp
N/A 79.110.63.18:80 tcp

Files

memory/2564-132-0x00000000007E0000-0x00000000007E8000-memory.dmp

memory/2564-133-0x0000000005710000-0x0000000005CB4000-memory.dmp

memory/2564-134-0x0000000005200000-0x0000000005292000-memory.dmp

memory/2564-135-0x00000000051A0000-0x00000000051AA000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win7-20220812-en

Max time kernel

142s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\0763daa2ef0dfb890d90bfd3f21e7a4252fb5c30a51e49904344a36012a79bac.exe"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\0763daa2ef0dfb890d90bfd3f21e7a4252fb5c30a51e49904344a36012a79bac.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\0763daa2ef0dfb890d90bfd3f21e7a4252fb5c30a51e49904344a36012a79bac.exe

"C:\Users\Admin\AppData\Local\Temp\1060\0763daa2ef0dfb890d90bfd3f21e7a4252fb5c30a51e49904344a36012a79bac.exe"

Network

Country Destination Domain Proto
N/A 87.4.136.146:2306 tcp
N/A 87.4.136.146:2306 tcp
N/A 127.0.0.1:2306 tcp
N/A 87.4.136.146:2306 tcp
N/A 87.4.136.146:2306 tcp
N/A 127.0.0.1:2306 tcp
N/A 87.4.136.146:2306 tcp

Files

memory/1708-54-0x00000000001A0000-0x00000000001E2000-memory.dmp

memory/1708-55-0x0000000076121000-0x0000000076123000-memory.dmp

memory/1708-56-0x00000000002B0000-0x00000000002C2000-memory.dmp

memory/1708-57-0x0000000004E35000-0x0000000004E46000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win10v2004-20220812-en

Max time kernel

139s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\2c062e6674533b55f8fbcb316674ecd2a1ce8f71dacb55a2cebe248fc7445334.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\2c062e6674533b55f8fbcb316674ecd2a1ce8f71dacb55a2cebe248fc7445334.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\2c062e6674533b55f8fbcb316674ecd2a1ce8f71dacb55a2cebe248fc7445334.exe

"C:\Users\Admin\AppData\Local\Temp\1060\2c062e6674533b55f8fbcb316674ecd2a1ce8f71dacb55a2cebe248fc7445334.exe"

Network

Country Destination Domain Proto
N/A 52.109.77.0:443 tcp
N/A 8.8.8.8:53 pastebin.com udp
N/A 104.20.67.143:443 pastebin.com tcp
N/A 172.67.34.170:443 pastebin.com tcp
N/A 20.42.72.131:443 tcp
N/A 8.253.135.241:80 tcp
N/A 20.190.159.0:443 tcp
N/A 104.20.68.143:443 pastebin.com tcp
N/A 209.197.3.8:80 tcp
N/A 209.197.3.8:80 tcp
N/A 8.253.135.241:80 tcp

Files

memory/5108-132-0x0000000000170000-0x00000000003A8000-memory.dmp

memory/5108-133-0x0000000004D30000-0x0000000004DCC000-memory.dmp

memory/5108-134-0x0000000005380000-0x0000000005924000-memory.dmp

memory/5108-135-0x0000000004E70000-0x0000000004F02000-memory.dmp

memory/5108-136-0x0000000004DF0000-0x0000000004DFA000-memory.dmp

memory/5108-137-0x0000000005030000-0x0000000005086000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win7-20220812-en

Max time kernel

43s

Max time network

46s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\d71d4f7a18e93069f0ad7c6631f49e122710fd4c66e4e91aa8c7c03dd4bc0d2a.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\1060\d71d4f7a18e93069f0ad7c6631f49e122710fd4c66e4e91aa8c7c03dd4bc0d2a.exe

"C:\Users\Admin\AppData\Local\Temp\1060\d71d4f7a18e93069f0ad7c6631f49e122710fd4c66e4e91aa8c7c03dd4bc0d2a.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1976 -s 548

Network

N/A

Files

memory/1976-54-0x00000000000A0000-0x00000000000AA000-memory.dmp

memory/1732-55-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win10v2004-20220812-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\0763daa2ef0dfb890d90bfd3f21e7a4252fb5c30a51e49904344a36012a79bac.exe"

Signatures

AsyncRat

rat asyncrat

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\0763daa2ef0dfb890d90bfd3f21e7a4252fb5c30a51e49904344a36012a79bac.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\0763daa2ef0dfb890d90bfd3f21e7a4252fb5c30a51e49904344a36012a79bac.exe

"C:\Users\Admin\AppData\Local\Temp\1060\0763daa2ef0dfb890d90bfd3f21e7a4252fb5c30a51e49904344a36012a79bac.exe"

Network

Country Destination Domain Proto
N/A 93.184.220.29:80 tcp
N/A 127.0.0.1:2306 tcp
N/A 87.4.136.146:2306 tcp
N/A 52.168.112.66:443 tcp
N/A 87.4.136.146:2306 tcp
N/A 8.252.51.254:80 tcp
N/A 127.0.0.1:2306 tcp
N/A 104.80.225.205:443 tcp
N/A 87.4.136.146:2306 tcp
N/A 87.4.136.146:2306 tcp
N/A 127.0.0.1:2306 tcp
N/A 87.4.136.146:2306 tcp

Files

memory/5012-132-0x0000000000830000-0x0000000000872000-memory.dmp

memory/5012-133-0x0000000005260000-0x00000000052FC000-memory.dmp

memory/5012-134-0x00000000058B0000-0x0000000005E54000-memory.dmp

memory/5012-135-0x0000000005300000-0x0000000005392000-memory.dmp

memory/5012-136-0x0000000005220000-0x000000000522A000-memory.dmp

memory/5012-137-0x0000000005510000-0x0000000005566000-memory.dmp

memory/5012-138-0x0000000008F80000-0x0000000008FE6000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win7-20221111-en

Max time kernel

23s

Max time network

31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\364fb9545112672897e074456abf73a6031b313b2939d8eecec0813a5f096dba.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1060\364fb9545112672897e074456abf73a6031b313b2939d8eecec0813a5f096dba.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1060\364fb9545112672897e074456abf73a6031b313b2939d8eecec0813a5f096dba.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\364fb9545112672897e074456abf73a6031b313b2939d8eecec0813a5f096dba.exe

"C:\Users\Admin\AppData\Local\Temp\1060\364fb9545112672897e074456abf73a6031b313b2939d8eecec0813a5f096dba.exe"

Network

N/A

Files

memory/2032-54-0x0000000001290000-0x00000000012DA000-memory.dmp

memory/2032-55-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

memory/2032-56-0x0000000000C10000-0x0000000000C5A000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2023-01-17 10:35

Reported

2023-01-17 10:38

Platform

win7-20221111-en

Max time kernel

26s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1060\a5d4bab6184ba63aedcdbcb97666630f2b134de4a39ac0bcbcfe37b7a21b6416.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1060\a5d4bab6184ba63aedcdbcb97666630f2b134de4a39ac0bcbcfe37b7a21b6416.exe

"C:\Users\Admin\AppData\Local\Temp\1060\a5d4bab6184ba63aedcdbcb97666630f2b134de4a39ac0bcbcfe37b7a21b6416.exe"

Network

N/A

Files

memory/2036-54-0x0000000000090000-0x0000000000322000-memory.dmp

memory/2036-55-0x0000000076391000-0x0000000076393000-memory.dmp

memory/2036-56-0x0000000005180000-0x0000000005556000-memory.dmp

memory/2036-57-0x0000000004C55000-0x0000000004C66000-memory.dmp