Overview
overview
8Static
static
FortniteLauncher.exe
windows10-2004-x64
8SDL2.dll
windows10-2004-x64
1avcodec-58.dll
windows10-2004-x64
3avfilter-7.dll
windows10-2004-x64
1avformat-58.dll
windows10-2004-x64
3avutil-56.dll
windows10-2004-x64
3bass.dll
windows10-2004-x64
1bass_fx.dll
windows10-2004-x64
1bassmix.dll
windows10-2004-x64
1libveldrid-spirv.dll
windows10-2004-x64
3stbi.dll
windows10-2004-x64
1swscale-5.dll
windows10-2004-x64
3Analysis
-
max time kernel
499s -
max time network
508s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
20-01-2023 23:37
Static task
static1
Behavioral task
behavioral1
Sample
FortniteLauncher.exe
Resource
win10v2004-20220901-en
Behavioral task
behavioral2
Sample
SDL2.dll
Resource
win10v2004-20221111-en
Behavioral task
behavioral3
Sample
avcodec-58.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral4
Sample
avfilter-7.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral5
Sample
avformat-58.dll
Resource
win10v2004-20221111-en
Behavioral task
behavioral6
Sample
avutil-56.dll
Resource
win10v2004-20221111-en
Behavioral task
behavioral7
Sample
bass.dll
Resource
win10v2004-20220901-en
Behavioral task
behavioral8
Sample
bass_fx.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral9
Sample
bassmix.dll
Resource
win10v2004-20221111-en
Behavioral task
behavioral10
Sample
libveldrid-spirv.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral11
Sample
stbi.dll
Resource
win10v2004-20220812-en
Behavioral task
behavioral12
Sample
swscale-5.dll
Resource
win10v2004-20221111-en
General
-
Target
FortniteLauncher.exe
-
Size
58.9MB
-
MD5
fb6b781b897c65227a1a2908493073a2
-
SHA1
955cb79e8acc3944b1b3b49ce9429dc96e261f0e
-
SHA256
b7dd1dfe4c77b7dda61d53945e4069a128b07a64916261ca04e776a7d2646c1d
-
SHA512
156158a05dc80df327414ab9e0fff50f573d3bdb9bf5a28b1e29825dedfaba0d53c262db026e91e2c4fbd23da95f88c17656d59e41174e3c0ea7f9a551e9ca95
-
SSDEEP
786432:AIXau2b1lTH8gtisALRwejAw/LSqacUOF8YhytBSN80xzbv5o/C6vSUdZA:VXvUtHfssgmepLSqaaSYhyKze/CUpdZA
Malware Config
Signatures
-
Downloads MZ/PE file
-
Executes dropped EXE 29 IoCs
Processes:
msedgerecovery.exeMicrosoftEdgeUpdateSetup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateSetup_X86_1.3.171.39.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exewindowsdesktop-runtime-6.0.13-win-x64.exewindowsdesktop-runtime-6.0.13-win-x64.exewindowsdesktop-runtime-6.0.13-win-x64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_109.0.1518.52.exesetup.exeMicrosoftEdgeUpdate.exepid process 2580 msedgerecovery.exe 4388 MicrosoftEdgeUpdateSetup.exe 1296 MicrosoftEdgeUpdate.exe 3432 MicrosoftEdgeUpdate.exe 2140 MicrosoftEdgeUpdate.exe 3476 MicrosoftEdgeUpdateComRegisterShell64.exe 2468 MicrosoftEdgeUpdateComRegisterShell64.exe 2268 MicrosoftEdgeUpdateComRegisterShell64.exe 1556 MicrosoftEdgeUpdate.exe 2648 MicrosoftEdgeUpdate.exe 4408 MicrosoftEdgeUpdate.exe 756 MicrosoftEdgeUpdate.exe 3704 MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe 2236 MicrosoftEdgeUpdate.exe 4900 MicrosoftEdgeUpdate.exe 2348 MicrosoftEdgeUpdate.exe 2288 MicrosoftEdgeUpdate.exe 3848 MicrosoftEdgeUpdateComRegisterShell64.exe 668 MicrosoftEdgeUpdateComRegisterShell64.exe 1780 MicrosoftEdgeUpdateComRegisterShell64.exe 1124 MicrosoftEdgeUpdate.exe 1044 windowsdesktop-runtime-6.0.13-win-x64.exe 3516 windowsdesktop-runtime-6.0.13-win-x64.exe 3056 windowsdesktop-runtime-6.0.13-win-x64.exe 1652 MicrosoftEdgeUpdate.exe 3156 MicrosoftEdgeUpdate.exe 3168 MicrosoftEdge_X64_109.0.1518.52.exe 3924 setup.exe 1020 MicrosoftEdgeUpdate.exe -
Registers COM server for autorun 1 TTPs 64 IoCs
Processes:
MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe -
Sets file execution options in registry 2 TTPs 4 IoCs
Processes:
MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
windowsdesktop-runtime-6.0.13-win-x64.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation windowsdesktop-runtime-6.0.13-win-x64.exe -
Loads dropped DLL 64 IoCs
Processes:
MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exewindowsdesktop-runtime-6.0.13-win-x64.exeMsiExec.exeMsiExec.exeMsiExec.exeMsiExec.exeFortniteLauncher.exeWerFault.exepid process 1296 MicrosoftEdgeUpdate.exe 3432 MicrosoftEdgeUpdate.exe 2140 MicrosoftEdgeUpdate.exe 3476 MicrosoftEdgeUpdateComRegisterShell64.exe 2140 MicrosoftEdgeUpdate.exe 2468 MicrosoftEdgeUpdateComRegisterShell64.exe 2140 MicrosoftEdgeUpdate.exe 2268 MicrosoftEdgeUpdateComRegisterShell64.exe 2140 MicrosoftEdgeUpdate.exe 1556 MicrosoftEdgeUpdate.exe 2648 MicrosoftEdgeUpdate.exe 4408 MicrosoftEdgeUpdate.exe 4408 MicrosoftEdgeUpdate.exe 2648 MicrosoftEdgeUpdate.exe 756 MicrosoftEdgeUpdate.exe 2236 MicrosoftEdgeUpdate.exe 4900 MicrosoftEdgeUpdate.exe 2348 MicrosoftEdgeUpdate.exe 2288 MicrosoftEdgeUpdate.exe 3848 MicrosoftEdgeUpdateComRegisterShell64.exe 2288 MicrosoftEdgeUpdate.exe 668 MicrosoftEdgeUpdateComRegisterShell64.exe 2288 MicrosoftEdgeUpdate.exe 1780 MicrosoftEdgeUpdateComRegisterShell64.exe 2288 MicrosoftEdgeUpdate.exe 1124 MicrosoftEdgeUpdate.exe 3516 windowsdesktop-runtime-6.0.13-win-x64.exe 3156 MsiExec.exe 3156 MsiExec.exe 4000 MsiExec.exe 4000 MsiExec.exe 4904 MsiExec.exe 4904 MsiExec.exe 4736 MsiExec.exe 4736 MsiExec.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 3924 FortniteLauncher.exe 932 WerFault.exe -
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
msedge.exewindowsdesktop-runtime-6.0.13-win-x64.exesetup.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce windowsdesktop-runtime-6.0.13-win-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{96cf40b0-81d6-43ed-ad0e-611e67899196} = "\"C:\\ProgramData\\Package Cache\\{96cf40b0-81d6-43ed-ad0e-611e67899196}\\windowsdesktop-runtime-6.0.13-win-x64.exe\" /burn.runonce" windowsdesktop-runtime-6.0.13-win-x64.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce setup.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Drops file in Program Files directory 64 IoCs
Processes:
MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exemsiexec.exesetup.exeMicrosoftEdgeUpdateSetup.exedescription ioc process File created C:\Program Files (x86)\Microsoft\Temp\EUFC0E.tmp\msedgeupdateres_cy.dll MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Net.Requests.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\PresentationFramework-SystemData.dll msiexec.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\Locales\sl.pak setup.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ReachFramework.dll msiexec.exe File created C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_fa.dll MicrosoftEdgeUpdateSetup.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ru\System.Windows.Forms.Primitives.resources.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\zh-Hans\UIAutomationClientSideProviders.resources.dll msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.52\Trust Protection Lists\Sigma\Entities setup.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Reflection.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Net.Ping.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\es\System.Xaml.resources.dll msiexec.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\Locales\bg.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\Locales\fr.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\Trust Protection Lists\Mu\Fingerprinting setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\Locales\ca-Es-VALENCIA.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.52\Locales\am.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.52\Locales\pt-PT.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_ne.dll MicrosoftEdgeUpdateSetup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUFC0E.tmp\msedgeupdateres_en-GB.dll MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe File created C:\Program Files (x86)\Microsoft\Temp\EUFC0E.tmp\msedgeupdateres_lt.dll MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe File created C:\Program Files (x86)\Microsoft\Temp\EUFC0E.tmp\msedgeupdateres_quz.dll MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe File created C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_km.dll MicrosoftEdgeUpdateSetup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUFC0E.tmp\MicrosoftEdgeUpdateCore.exe MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\pt-BR\System.Windows.Input.Manipulations.resources.dll msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\nacl_irt_x86_64.nexe setup.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-core-heap-l1-1-0.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ja\PresentationUI.resources.dll msiexec.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\Locales\or.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\VisualElements\LogoBeta.png setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\VisualElements\SmallLogo.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.52\Locales\ne.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_az.dll MicrosoftEdgeUpdateSetup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUFC0E.tmp\msedgeupdateres_sr-Latn-RS.dll MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.IO.UnmanagedMemoryStream.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-crt-math-l1-1-0.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Data.Common.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\WindowsFormsIntegration.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\ja\PresentationCore.resources.dll msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\Trust Protection Lists\Mu\Advertising setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\Locales\gd.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_pt-PT.dll MicrosoftEdgeUpdateSetup.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\es\UIAutomationTypes.resources.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\tr\UIAutomationTypes.resources.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\de\System.Windows.Input.Manipulations.resources.dll msiexec.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\Locales\sq.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\Locales\zh-CN.pak setup.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Net.WebClient.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Xml.Serialization.dll msiexec.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\Locales\fr-CA.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\vcruntime140.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.52\Locales\sl.pak setup.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Windows.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\Microsoft.DiaSymReader.Native.amd64.dll msiexec.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\d3dcompiler_47.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\Locales\az.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\Locales\cy.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\109.0.1518.52\identity_proxy\identity_helper.Sparse.Stable.msix setup.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\2a1703be-65dc-4059-b4bc-3335e96fa47b.tmp setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_sr.dll MicrosoftEdgeUpdateSetup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_ta.dll MicrosoftEdgeUpdateSetup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUFC0E.tmp\MicrosoftEdgeComRegisterShellARM64.exe MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-crt-conio-l1-1-0.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.13\pt-BR\PresentationUI.resources.dll msiexec.exe -
Drops file in Windows directory 31 IoCs
Processes:
msiexec.exedescription ioc process File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI8768.tmp msiexec.exe File created C:\Windows\Installer\e5a5f57.msi msiexec.exe File created C:\Windows\Installer\SourceHash{5F0DB006-2AE3-4D36-8077-65247FD687D4} msiexec.exe File created C:\Windows\Installer\e5a5f4b.msi msiexec.exe File created C:\Windows\Installer\e5a5f4f.msi msiexec.exe File created C:\Windows\Installer\SourceHash{8484730A-68A4-4C63-93B4-52628D3B488D} msiexec.exe File opened for modification C:\Windows\Installer\e5a5f48.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\e5a5f48.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI6A65.tmp msiexec.exe File opened for modification C:\Windows\Installer\e5a5f4c.msi msiexec.exe File created C:\Windows\Installer\e5a5f50.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI8BDE.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI8573.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI949A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7E4C.tmp msiexec.exe File opened for modification C:\Windows\Installer\e5a5f50.msi msiexec.exe File created C:\Windows\Installer\SourceHash{9511601E-12FF-4972-BF9C-2992F2CA5A32} msiexec.exe File created C:\Windows\Installer\e5a5f54.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI90A2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI64A7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7B2E.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{8CDACE3C-0064-4A17-A02C-49F831D5F73A} msiexec.exe File opened for modification C:\Windows\Installer\MSI7FF3.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8246.tmp msiexec.exe File created C:\Windows\Installer\e5a5f4c.msi msiexec.exe File created C:\Windows\Installer\e5a5f53.msi msiexec.exe File opened for modification C:\Windows\Installer\e5a5f54.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIA46A.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 7 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 932 3924 WerFault.exe FortniteLauncher.exe 4384 1800 WerFault.exe FortniteLauncher.exe 5068 4156 WerFault.exe FortniteLauncher.exe 3652 4980 WerFault.exe FortniteLauncher.exe 1800 4024 WerFault.exe FortniteLauncher.exe 4676 4772 WerFault.exe FortniteLauncher.exe 4964 1928 WerFault.exe FortniteLauncher.exe -
Checks SCSI registry key(s) 3 TTPs 31 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
FortniteLauncher.exeFortniteLauncher.exetaskmgr.exeFortniteLauncher.exeFortniteLauncher.exeFortniteLauncher.exeFortniteLauncher.exeFortniteLauncher.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 FortniteLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags FortniteLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags FortniteLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags FortniteLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags FortniteLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags FortniteLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 FortniteLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags FortniteLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 FortniteLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 FortniteLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 FortniteLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags FortniteLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 FortniteLauncher.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 FortniteLauncher.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags FortniteLauncher.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
explorer.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 explorer.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString explorer.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
msedge.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Processes:
explorer.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
MicrosoftEdgeUpdate.exemsiexec.exeMicrosoftEdgeUpdate.exesetup.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" setup.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21 msiexec.exe -
Modifies registry class 64 IoCs
Processes:
MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32 MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84} MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9} MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ = "IGoogleUpdateCore" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ = "ICurrentState" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32 MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\MICROSOFTEDGEUPDATE.EXE MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\ = "Microsoft Edge Update Update3Web" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\ = "Microsoft Edge Update Legacy On Demand" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService.1.0\CLSID\ = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ = "ICoCreateAsyncStatus" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\PROGID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\VersionIndependentProgID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\ = "PSFactoryBuffer" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine.dll" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E} MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ = "IApp" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.PolicyStatusMachineFallback" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc.1.0\CLSID\ = "{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\ = "Microsoft Edge Update Broker Class Factory" MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VERSIONINDEPENDENTPROGID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\ = "Microsoft Edge Update Legacy On Demand" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ProgID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods\ = "41" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.ProcessLauncher" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E45E8446-680D-4668-A46C-D13892D6B640}\InprocHandler32\ThreadingModel = "Both" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\ = "Microsoft Edge Update Broker Class Factory" MicrosoftEdgeUpdate.exe -
NTFS ADS 2 IoCs
Processes:
msedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 741981.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 338572.crdownload:SmartScreen msedge.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
explorer.exepid process 3288 explorer.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exeidentity_helper.exemsedge.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exemsedge.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exemsedge.exemsiexec.exemsedge.exetaskmgr.exepid process 1068 msedge.exe 1068 msedge.exe 2776 msedge.exe 2776 msedge.exe 1060 identity_helper.exe 1060 identity_helper.exe 4912 msedge.exe 4912 msedge.exe 1296 MicrosoftEdgeUpdate.exe 1296 MicrosoftEdgeUpdate.exe 1296 MicrosoftEdgeUpdate.exe 1296 MicrosoftEdgeUpdate.exe 1296 MicrosoftEdgeUpdate.exe 1296 MicrosoftEdgeUpdate.exe 2648 MicrosoftEdgeUpdate.exe 2648 MicrosoftEdgeUpdate.exe 2648 MicrosoftEdgeUpdate.exe 2648 MicrosoftEdgeUpdate.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4928 msedge.exe 4408 MicrosoftEdgeUpdate.exe 4408 MicrosoftEdgeUpdate.exe 4900 MicrosoftEdgeUpdate.exe 4900 MicrosoftEdgeUpdate.exe 1044 msedge.exe 1044 msedge.exe 4560 msiexec.exe 4560 msiexec.exe 1972 msedge.exe 1972 msedge.exe 4560 msiexec.exe 4560 msiexec.exe 4560 msiexec.exe 4560 msiexec.exe 4560 msiexec.exe 4560 msiexec.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
taskmgr.exepid process 2852 taskmgr.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
Processes:
msedge.exepid process 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeAUDIODG.EXEwindowsdesktop-runtime-6.0.13-win-x64.exemsiexec.exedescription pid process Token: SeDebugPrivilege 1296 MicrosoftEdgeUpdate.exe Token: SeDebugPrivilege 1296 MicrosoftEdgeUpdate.exe Token: SeDebugPrivilege 2648 MicrosoftEdgeUpdate.exe Token: SeDebugPrivilege 4408 MicrosoftEdgeUpdate.exe Token: SeDebugPrivilege 4900 MicrosoftEdgeUpdate.exe Token: 33 1512 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 1512 AUDIODG.EXE Token: SeShutdownPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeIncreaseQuotaPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeSecurityPrivilege 4560 msiexec.exe Token: SeCreateTokenPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeAssignPrimaryTokenPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeLockMemoryPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeIncreaseQuotaPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeMachineAccountPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeTcbPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeSecurityPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeTakeOwnershipPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeLoadDriverPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeSystemProfilePrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeSystemtimePrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeProfSingleProcessPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeIncBasePriorityPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeCreatePagefilePrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeCreatePermanentPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeBackupPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeRestorePrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeShutdownPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeDebugPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeAuditPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeSystemEnvironmentPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeChangeNotifyPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeRemoteShutdownPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeUndockPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeSyncAgentPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeEnableDelegationPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeManageVolumePrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeImpersonatePrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeCreateGlobalPrivilege 3056 windowsdesktop-runtime-6.0.13-win-x64.exe Token: SeRestorePrivilege 4560 msiexec.exe Token: SeTakeOwnershipPrivilege 4560 msiexec.exe Token: SeRestorePrivilege 4560 msiexec.exe Token: SeTakeOwnershipPrivilege 4560 msiexec.exe Token: SeRestorePrivilege 4560 msiexec.exe Token: SeTakeOwnershipPrivilege 4560 msiexec.exe Token: SeRestorePrivilege 4560 msiexec.exe Token: SeTakeOwnershipPrivilege 4560 msiexec.exe Token: SeRestorePrivilege 4560 msiexec.exe Token: SeTakeOwnershipPrivilege 4560 msiexec.exe Token: SeRestorePrivilege 4560 msiexec.exe Token: SeTakeOwnershipPrivilege 4560 msiexec.exe Token: SeRestorePrivilege 4560 msiexec.exe Token: SeTakeOwnershipPrivilege 4560 msiexec.exe Token: SeRestorePrivilege 4560 msiexec.exe Token: SeTakeOwnershipPrivilege 4560 msiexec.exe Token: SeRestorePrivilege 4560 msiexec.exe Token: SeTakeOwnershipPrivilege 4560 msiexec.exe Token: SeRestorePrivilege 4560 msiexec.exe Token: SeTakeOwnershipPrivilege 4560 msiexec.exe Token: SeRestorePrivilege 4560 msiexec.exe Token: SeTakeOwnershipPrivilege 4560 msiexec.exe Token: SeRestorePrivilege 4560 msiexec.exe Token: SeTakeOwnershipPrivilege 4560 msiexec.exe Token: SeRestorePrivilege 4560 msiexec.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exepid process 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
msedge.exetaskmgr.exepid process 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2776 msedge.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe 2852 taskmgr.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
FortniteLauncher.exeFortniteLauncher.exeFortniteLauncher.exeFortniteLauncher.exeFortniteLauncher.exeFortniteLauncher.exeFortniteLauncher.exepid process 3924 FortniteLauncher.exe 1800 FortniteLauncher.exe 4156 FortniteLauncher.exe 4980 FortniteLauncher.exe 4024 FortniteLauncher.exe 4772 FortniteLauncher.exe 1928 FortniteLauncher.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
FortniteLauncher.exemsedge.exedescription pid process target process PID 5040 wrote to memory of 2776 5040 FortniteLauncher.exe msedge.exe PID 5040 wrote to memory of 2776 5040 FortniteLauncher.exe msedge.exe PID 2776 wrote to memory of 312 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 312 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 5112 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 1068 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 1068 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe PID 2776 wrote to memory of 808 2776 msedge.exe msedge.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FortniteLauncher.exe"C:\Users\Admin\AppData\Local\Temp\FortniteLauncher.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.10&gui=true2⤵
- Adds Run key to start application
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8356e46f8,0x7ff8356e4708,0x7ff8356e47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5408 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5348 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5952 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6000 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6720 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff643d75460,0x7ff643d75470,0x7ff643d754804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6720 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3948 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4124 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3212 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1272 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5296 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3812 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6300 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6864 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1072 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3572 /prefetch:83⤵
-
C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.13-win-x64.exe"C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.13-win-x64.exe"3⤵
- Executes dropped EXE
-
C:\Windows\Temp\{44A84C12-F219-4907-B580-E6A01D4EDDCE}\.cr\windowsdesktop-runtime-6.0.13-win-x64.exe"C:\Windows\Temp\{44A84C12-F219-4907-B580-E6A01D4EDDCE}\.cr\windowsdesktop-runtime-6.0.13-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.13-win-x64.exe" -burn.filehandle.attached=560 -burn.filehandle.self=5684⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Windows\Temp\{CDB06F7C-DFC2-4A82-BE69-7A3A9B52F9EB}\.be\windowsdesktop-runtime-6.0.13-win-x64.exe"C:\Windows\Temp\{CDB06F7C-DFC2-4A82-BE69-7A3A9B52F9EB}\.be\windowsdesktop-runtime-6.0.13-win-x64.exe" -q -burn.elevated BurnPipe.{51FEFE74-FD9D-469D-A578-255ECACD59A6} {67E8B175-A0D2-4702-A28E-16DF73CE4C94} 35165⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6960 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6456 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3776 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,12541268314167657530,13424225195116016718,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4664 /prefetch:83⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir572_255400487\msedgerecovery.exe"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir572_255400487\msedgerecovery.exe" --appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} --browser-version=92.0.902.67 --sessionid={32f2a93c-6284-4030-a79c-6a934caae2b9} --system2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir572_255400487\MicrosoftEdgeUpdateSetup.exe"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir572_255400487\MicrosoftEdgeUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\MicrosoftEdgeUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent4⤵
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjkuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkJDODI0M0EtRkEwOS00MjlFLTk2NjUtMTk3ODFGNTYyMTM2fSIgdXNlcmlkPSJ7NTI0N0FBMzktNTQxOS00Njk5LUJCMUUtNTYxNkE2QzBCMUU2fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezQ4M0E3MDQ0LTBENkYtNDQ5QS04NkJCLTc2OEM0OTNFRUEyNH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7bTQ2SzVLNXoxdnZrTkxIcjRjMXgvaENqZTdaUUxkcUt5WjVOd2d6VjNBOD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE2OS4zMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTM3MjIzOTcwNyIgaW5zdGFsbF90aW1lX21zPSI4MzEiLz48L2FwcD48L3JlcXVlc3Q-5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /machine /installsource chromerecovery3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjkuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjAwRkY3NTctODQyRS00QkI5LUFEN0EtQUU4OTgxOEJENzVEfSIgdXNlcmlkPSJ7NTI0N0FBMzktNTQxOS00Njk5LUJCMUUtNTYxNkE2QzBCMUU2fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0ie0NCM0QxQkIyLTJGOEMtNEE2RS05ODBCLTE0QkRGN0Q5QUU5MH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cVdKU3pXd1BmZGNMUitYR0l2NnhyWmZpWU94aFBVMnMxTldtaldjYUZQZz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iODkuMC40Mzg5LjExNCIgbmV4dHZlcnNpb249Ijg5LjAuNDM4OS4xMTQiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NjQ1NjQzNDk2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9EEE24D2-A1A4-4AA1-8E91-FC2E1DFA5BCF}\MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9EEE24D2-A1A4-4AA1-8E91-FC2E1DFA5BCF}\MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe" /update /sessionid "{B00FF757-842E-4BB9-AD7A-AE89818BD75D}"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Temp\EUFC0E.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EUFC0E.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{B00FF757-842E-4BB9-AD7A-AE89818BD75D}"3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjAwRkY3NTctODQyRS00QkI5LUFEN0EtQUU4OTgxOEJENzVEfSIgdXNlcmlkPSJ7NTI0N0FBMzktNTQxOS00Njk5LUJCMUUtNTYxNkE2QzBCMUU2fSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7MjJCQTVDMDMtNzU0Ny00ODI5LUJBMTctQUUyNDA4QjNEMjE3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtxV0pTeld3UGZkY0xSK1hHSXY2eHJaZmlZT3hoUFUyczFOV21qV2NhRlBnPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTY5LjMxIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjMwM1IiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTY3NDI1ODA0MCI-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTcwNzg0MDYzOSIvPjwvYXBwPjwvcmVxdWVzdD44⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjkuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjAwRkY3NTctODQyRS00QkI5LUFEN0EtQUU4OTgxOEJENzVEfSIgdXNlcmlkPSJ7NTI0N0FBMzktNTQxOS00Njk5LUJCMUUtNTYxNkE2QzBCMUU2fSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezgzOEREQ0RBLUI5NjEtNDJCMC05Njg4LTM0QkJENEU0QTM4Mn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE2OS4zMSIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iUHJvZHVjdHNUb1JlZ2lzdGVyPSU3QkYzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNSU3RDtjaHJvbWVyZWMzPTIwMjMwM1IiIGluc3RhbGxhZ2U9IjAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU2NTk4NTA0MTEiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTY2MDAwNTg5OCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTY2NzM2MjA3NyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2RiOGM1YmY1LThmNmItNDMxMS1iMTU4LWI2YzRkYTNhZDBkMj9QMT0xNjc0ODYyODcyJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUpiWWVHcnlLMiUyYkp5OW15dXN2dE9KN1BJVE1McEZwTUNnTW5jTTZXYzhpUmhTVmFTZ2d2TmRHRG5OaUJtVlN4c2FkQTJPekVvcmxHQXZHd0lDNzdQUnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iNSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NjY3MzYyMDc3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9kYjhjNWJmNS04ZjZiLTQzMTEtYjE1OC1iNmM0ZGEzYWQwZDI_UDE9MTY3NDg2Mjg3MiZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1KYlllR3J5SzIlMmJKeTlteXVzdnRPSjdQSVRNTHBGcE1DZ01uY002V2M4aVJoU1ZhU2dndk5kR0RuTmlCbVZTeHNhZEEyT3pFb3JsR0F2R3dJQzc3UFJ3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTU4NzE2MCIgdG90YWw9IjE1ODcxNjAiIGRvd25sb2FkX3RpbWVfbXM9IjI4MSIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NjY3NTE4NjU4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU2NzI4MjM0NjYiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48cGluZyByPSIxNDEiIHJkPSI1NzIyIiBwaW5nX2ZyZXNobmVzcz0iezMxNDc4RDk0LUM2QjEtNDRBRC1BN0YxLTQ4ODY3NTBGNDNDNX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iOTIuMC45MDIuNjciIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzMTg3MzE1MzU1MzgzNTcwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iLTEiIHI9IjE0MSIgYWQ9Ii0xIiByZD0iNTcyMiIgcGluZ19mcmVzaG5lc3M9IntGMTMyNjczMi1FNDI3LTRDQzQtODk3NC1BQTk5Q0IxQUUzMjB9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x424 0x4101⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0.10&gui=true2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8356e46f8,0x7ff8356e4708,0x7ff8356e47183⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EC8D53AF2B4180763B57C4269B4996272⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C887AA1F3E26C8E954AC3CC1F4E05CC82⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 81ECF7F852ED5F09EE4EC8BAE70EABF72⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C7664E7996807AE306B44A3AC71FA6FE2⤵
- Loads dropped DLL
-
C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"1⤵
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3924 -s 20522⤵
- Loads dropped DLL
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 444 -p 3924 -ip 39241⤵
-
C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1800 -s 20562⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 440 -p 1800 -ip 18001⤵
-
C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4156 -s 20122⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 556 -p 4156 -ip 41561⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4980 -s 20642⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 568 -p 4980 -ip 49801⤵
-
C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4024 -s 20042⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 552 -p 4024 -ip 40241⤵
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" SYSTEM1⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\system32\pcwrun.exeC:\Windows\system32\pcwrun.exe "C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe" ContextMenu1⤵
-
C:\Windows\System32\msdt.exeC:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW29C2.xml /skip TRUE2⤵
-
C:\Windows\System32\sdiagnhost.exeC:\Windows\System32\sdiagnhost.exe -Embedding1⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vsw5arfp\vsw5arfp.cmdline"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES327C.tmp" "c:\Users\Admin\AppData\Local\Temp\vsw5arfp\CSC62F6D4CCD6604B3697EFA622EA74ADAB.TMP"3⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hh3jtqif\hh3jtqif.cmdline"2⤵
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3338.tmp" "c:\Users\Admin\AppData\Local\Temp\hh3jtqif\CSC6A42BE24C1214EAA8AE12C2D527A651.TMP"3⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SDRSVC1⤵
-
C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"1⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F092F3C3-1199-4C28-8166-F0D024212D96}\MicrosoftEdge_X64_109.0.1518.52.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F092F3C3-1199-4C28-8166-F0D024212D96}\MicrosoftEdge_X64_109.0.1518.52.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F092F3C3-1199-4C28-8166-F0D024212D96}\EDGEMITMP_31910.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F092F3C3-1199-4C28-8166-F0D024212D96}\EDGEMITMP_31910.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F092F3C3-1199-4C28-8166-F0D024212D96}\MicrosoftEdge_X64_109.0.1518.52.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MkE1NkI5NzUtOUZGQy00QUUwLTkzOUEtNENBRUJEQjU1RjYzfSIgdXNlcmlkPSJ7NTI0N0FBMzktNTQxOS00Njk5LUJCMUUtNTYxNkE2QzBCMUU2fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins5RUYyNjNCQi1GQjc1LTRCODYtQjU0MC02RUQ2RTMyNTUyMDZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEwOS4wLjE1MTguNTIiIGxhbmc9IiIgYnJhbmQ9IkVVRkkiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4NzA4MTExODM0IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iODcwODIwMDA1NCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4OTEwOTkyMjMwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvYzNhNDg5YTgtNmQxNy00MTBlLTg0MmEtMzkzNDI2NjdmYjIyP1AxPTE2NzQ4NjMxNzcmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9WWppS1lxNUNuNEQzT0gzMVFTU1FPcElkQ0RZbUZHMyUyYkRmTUlpN1pjbVVoR2NGUEdPQVZwZzUlMmJCZkRKcUhzNzU3JTJmUyUyZnNvUldFeUlmVEMlMmJVMzF5cDBRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4OTExMDM1MzcwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuYi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy9jM2E0ODlhOC02ZDE3LTQxMGUtODQyYS0zOTM0MjY2N2ZiMjI_UDE9MTY3NDg2MzE3NyZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1ZamlLWXE1Q240RDNPSDMxUVNTUU9wSWRDRFltRkczJTJiRGZNSWk3WmNtVWhHY0ZQR09BVnBnNSUyYkJmREpxSHM3NTclMmZTJTJmc29SV0V5SWZUQyUyYlUzMXlwMFElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNDA2NTkxMjgiIHRvdGFsPSIxNDA2NTkxMjgiIGRvd25sb2FkX3RpbWVfbXM9IjE1OTQwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iODkxMTQ0Mjc0NiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijg5MzQ0MjM0MTQiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDgiIHN5c3RlbV91cHRpbWVfdGlja3M9IjkyMDI3NTMyMzQiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI5NTgiIGRvd25sb2FkX3RpbWVfbXM9IjIwMjkzIiBkb3dubG9hZGVkPSIxNDA2NTkxMjgiIHRvdGFsPSIxNDA2NTkxMjgiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjI2ODI4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
-
C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"1⤵
-
C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4772 -s 20802⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 496 -p 4772 -ip 47721⤵
-
C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"C:\Users\Admin\Desktop\bacano\FortniteLauncher.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1928 -s 20762⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 488 -p 1928 -ip 19281⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir572_255400487\MicrosoftEdgeUpdateSetup.exeFilesize
1.5MB
MD5f70962a7883fefe8defa224c1ffdadfa
SHA1efd06b7c1b5ead8cec2cd029a8d8ccb0c46ee2da
SHA2563e726854ff0a0046de458afc2cd58cfc37430b4c7969395111398f47d8f63bb4
SHA512678c10874e6089acde5c57cdc64e11a76cbc9b3e7c882f9c1eaa619f897675c8f145e4be4825d8197edb2e645035a0953c3ed5a34da3e84d013fea5599699761
-
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir572_255400487\MicrosoftEdgeUpdateSetup.exeFilesize
1.5MB
MD5f70962a7883fefe8defa224c1ffdadfa
SHA1efd06b7c1b5ead8cec2cd029a8d8ccb0c46ee2da
SHA2563e726854ff0a0046de458afc2cd58cfc37430b4c7969395111398f47d8f63bb4
SHA512678c10874e6089acde5c57cdc64e11a76cbc9b3e7c882f9c1eaa619f897675c8f145e4be4825d8197edb2e645035a0953c3ed5a34da3e84d013fea5599699761
-
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir572_255400487\msedgerecovery.exeFilesize
1.1MB
MD53b2bd3e2b22afa49576723c819a1185b
SHA141a1590e22600c717acd9e376b9020b3021dada6
SHA256b2900c435244e948491cfab330b570b4326d1879c5c2be2aa35ce8bd49446d05
SHA512a411b00da74a6c90d0a60a0d9a024a430c2c7483416dc95634bd62c5c29b9c9d1fd3310911f2da85df66aac08e9026df4aad00c083781ca22802b0236652d1d5
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\EdgeUpdate.datFilesize
12KB
MD5369bbc37cff290adb8963dc5e518b9b8
SHA1de0ef569f7ef55032e4b18d3a03542cc2bbac191
SHA2563d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3
SHA5124f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\MicrosoftEdgeComRegisterShellARM64.exeFilesize
172KB
MD5b462ad181104b32ec56a6a1e1aa25622
SHA1c26dbc70359be470fb63d50e12528e473749d9f7
SHA2565b95e7e42a2df4c8cb8a1dfc9e71f81831ffc128408ad1a37f83ab76dcdf1afb
SHA5125f6b37f4e88b617ca68762706423e38da4eccb820e82635eda3ed269efeb92ae3285e0b1285978f35dd8df004c801ebbca2f7c061ae055070bdbcba88c474e70
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\MicrosoftEdgeUpdate.exeFilesize
200KB
MD57bcf03ae20f6b4aab6efda45f6a0fa01
SHA16f1a63a994568c7cac224c6f44d41d19fe24a2e4
SHA25623387b13f6386a095ae8f178c261f6565e5828fd7e67ef0cbb10e07224149ba6
SHA512615d130b2f87d3f2ec125cc97391c6b318359a78f0135f10d0ffd5085062cde39935823865f139d767f9d7992dfa926358442369ab424fbe1d54b2c915992c4b
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\MicrosoftEdgeUpdate.exeFilesize
200KB
MD57bcf03ae20f6b4aab6efda45f6a0fa01
SHA16f1a63a994568c7cac224c6f44d41d19fe24a2e4
SHA25623387b13f6386a095ae8f178c261f6565e5828fd7e67ef0cbb10e07224149ba6
SHA512615d130b2f87d3f2ec125cc97391c6b318359a78f0135f10d0ffd5085062cde39935823865f139d767f9d7992dfa926358442369ab424fbe1d54b2c915992c4b
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\MicrosoftEdgeUpdateComRegisterShell64.exeFilesize
205KB
MD5fccf8ebd72efacc9566b7849d59512aa
SHA12d0cc03e7912578d1c0a01e1d338290a0d1c157e
SHA256a6a3b7b77ec3fcbdd07b516457fcc7368282ed84e04792316d2ceeeb3b6c84fb
SHA5126e0b2e27ae19c3100b789b8b22eb307072a902878d92cea426ac02c07c8338934b49c57012a858e01816617ec6c41ef39b7a390e63c8975e56c4504faa8b6b3a
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\MicrosoftEdgeUpdateCore.exeFilesize
250KB
MD5524a95f05f4c0def70fa61a5f0717e9c
SHA16ee3b87e60e865d21bc1b5e434fea12fe262c315
SHA256e17a7d9e0dcb1a3d6a21009f8d9b41fe1986312d79ffc6728c6c3f500dd6434f
SHA512cc5e21ce182489416c906fb3f16e808554b739908916682cef6afe11a748b02382bfb93d1359cdc0794c2fb4b6f3cb9d9c677215a904be79d4b1df573de99089
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\NOTICE.TXTFilesize
4KB
MD56dd5bf0743f2366a0bdd37e302783bcd
SHA1e5ff6e044c40c02b1fc78304804fe1f993fed2e6
SHA25691d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5
SHA512f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdate.dllFilesize
2.0MB
MD55f4cdf4268be23a984ee0b2feaad3dd3
SHA1cc5aabfc567971d7d2b7a0a206925a59de79dad5
SHA256bb92222715061ddc89332668248c696348b953a0251893ec7d36597099308d92
SHA51241803d549742f3b22521d6b645adfafdc477c3fc315a88056b111d54cb0ba677db4a8162b793a19619f672b3580736d939367649d3729c129ef871b55900f0cd
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdate.dllFilesize
2.0MB
MD55f4cdf4268be23a984ee0b2feaad3dd3
SHA1cc5aabfc567971d7d2b7a0a206925a59de79dad5
SHA256bb92222715061ddc89332668248c696348b953a0251893ec7d36597099308d92
SHA51241803d549742f3b22521d6b645adfafdc477c3fc315a88056b111d54cb0ba677db4a8162b793a19619f672b3580736d939367649d3729c129ef871b55900f0cd
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_af.dllFilesize
28KB
MD5c7872f08802f693ed9fc16ea960789f6
SHA1b0b8e4dfbe1dc76e4903216948374e1356d33e53
SHA256de5d1223ffd38be89cd576b0de036760f8a84c231eb97f1d7f74dfcf4b41fb19
SHA512339520bea363a1ea34e75755c70f4b1f6a189e7084ca9d5c6189d769965ae1fd0b093b948dffe3d256dd82591bdb2b3627ed20e747a2505377babc34eb94a0e6
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_am.dllFilesize
24KB
MD56dee4281b2d0dc43c8eac5afde5dc5b2
SHA135584539f94fa4a91229b8d810f1d5c0207d9ef8
SHA256b0fc60e07fa8fcfa0a174f1f5fc3a303d5498669eba846d51731494e9f86e46e
SHA512de6a54e08c1a7c2a77a26f9de11a8e25b30f3d275fd4b72fb068ec3a5c0fd2072cc02a33b4581ba0dd565963bb834c5da831013d9ffb4386d0fc59935c184079
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_ar.dllFilesize
26KB
MD5c5e0d596829abbf221a7e2fcc3f37059
SHA12a55fc6e9110d0bc5d735bd98e56241e416dd5eb
SHA2569e3a04823e12f15954f1082ec019e29e1821d03db69fbaf9c906be28c8cf4fcf
SHA512518a004482c590d87e104be80dcb12455379ac855a53bdfb94023041fac16e4806e4c78f28716f179031d62b21912cdf4be8b43b2a13747acc8e9a745dd6333b
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_as.dllFilesize
28KB
MD5f344ea79294c175a3233be3c7bd4f7ab
SHA142f4d616f0b48828b629ffb384249edc76fea3a9
SHA25636551c9271d084f31facbd342a0a0b5e530a2070e7de34c42ef2987633134b99
SHA512dac1c65916fbca857dc8b5a0a3ef9c6abd5090e2c99ada98809d6cf04d09d4b9d63256e4a57754960476896ea46027cfb06bbb3ae68df573b207ca267d4efe94
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_az.dllFilesize
29KB
MD534c97ccc6da86fa0fc6aca8102115683
SHA123c30d6f41bbfccb40d5209d70999384f3d59893
SHA256205be42f8590a17ce1a0da594c818f84ef8cc19f8f54cd74acd16ddf7df11684
SHA5127100e92fd948b75f7d134e813a836ce9691e6994f989b6d53255b17e3fca5be55cf69c50ef01e625a8f85a764bfafcf49bc5f82d229bf44168bf89b953c1642c
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_bg.dllFilesize
29KB
MD583976f605267f63c512741c90085ef37
SHA1e1907443ecf114b1b2d4b5fb622ca6fcba0d6b2c
SHA2568e7bc240557c0f4058fb3380d01584eb5b9ad69ac5fd2f7a56bf2293dafd6069
SHA512d5713af38add972fc04c1b1b7aca033532c50c31e8d1e3c0e889d69c94ff2d2ecdec95edabf4717a4bc649f2d68a5b1a77dac0355bf493eefe2cf86b7b53ba84
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_bn-IN.dllFilesize
29KB
MD5055acbbed4580bb0c2b15ad8407f34c5
SHA1cf7c3539d97090b33ea5cb7d4880dd1b28c259f3
SHA256edb350193ce5ee7984cd11d446ee5848879e6447b08a6e9353a8310a1574bce7
SHA51211e9e78b28e868781b355de473c157f4fbf1b8f30e3cae6f19aa895a456e7876827ff859ee4bc65215b73ed27eac67c139a1cfc887adee0f7fa1c2c446962311
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_bn.dllFilesize
29KB
MD589d1459c67621ae933ea973c36c86830
SHA17793109fad9c7d6e267046be6f188262d6655736
SHA256faa59f14007729085711f504f3580b5d1f289d9d6b8a57ecaa6b7980d9b3b9e8
SHA51295e333c1d28ba10df6e95e7bcf80fd1cd3fb7e32aa72b1749a4983c762fa227915d49547c5be114a471072d21a5f9c87c24bd6f45e8a711cbecc1074a3cefd7b
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_bs.dllFilesize
28KB
MD5a2ae01f60764eb9717c2e843bdd40c43
SHA1f611b0f880d1dc52a5ff996b5106c8c0bdd7cf68
SHA2569542302df51fad8c1095f6068378608b8edc89a633b30d26cae0e0fcb4515da3
SHA512e12d3634bd8738865ea210775d78e53c5a30e74dca39655882c2464d1f9a1ac4a96a7608e57a92ff3b7b6a77750ab24ff12df59e5006b18c1f83cc270760bad5
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_ca-Es-VALENCIA.dllFilesize
29KB
MD597fe80b8bc29698d3dd3912878d8a785
SHA1580f290f32bf083f9485e06165fcc751ae181be0
SHA256c382b8fe1abc83ebe97e66a3d4737ab66a7210a59fc0d18f9fc8b6735771b247
SHA51208f56d8759721b0241d60a532e9634bc98aebcb7e7c251630adc1c93d28d40158a6f3bafc32f19cf9aa27ad5ba6e42f58bc2c8361e1ff97aa2ddf05c0147d248
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_ca.dllFilesize
30KB
MD52293c9a1af6be53ef61f8fc168e181d7
SHA1f37155a592bcb1cbaeb67509b36797087d228b8b
SHA2560b00898937e1f40415a42a8aa4dcf4ea396c40083abfe04fd141edcdd1d35600
SHA512ac4c27db8296283292d06e0d152434f18a227c4d68294ef52ca473736458724df374f20ce88d214486d7027696d081203e92fb98c682e531071b9ae6d9703d22
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_cs.dllFilesize
28KB
MD5b09754ee0b3048dc68584bfe0f631ea1
SHA187a2426414fdd52fc39679f6958379482ca3dde4
SHA2569dcf2f8fba4c3bf4b194e3b27e5ef572e573a638d5c71e3ae4a154ddb62a91a7
SHA5125d0d9b653184a41cff580683c16b4f67514bfa04987ee650c1d9ade4b12f5eb125fe44aa6e1a5e689423f62e755c460fc4886eac08c0e72fbd64fd9573212d4c
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_cy.dllFilesize
28KB
MD57df1f9bf10766cba6f2b6d48e4dae8e3
SHA10008dbaa46d83ffe8d4a9d536a61a5109d74ca8d
SHA25618827570bad9f879f6853438bcd0e379518531bafbfac2bb626dc1cc13711596
SHA512bd8ee85d664c1480240e89c05d3639b5650aecb056263b75d7d37168bf6b6dada04145f42075e5ef0841efa9417880e8f9697e4ca71f20eaecfebd98e6b61f1c
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_da.dllFilesize
28KB
MD50973e0fe9cdbb5133b27568795b7bf6b
SHA1eaf2af3b576cffe390ef11c38a594a0a5880aa1c
SHA2565772740a636254ee2967ca17a83d4b1b13934a4c2db7725115f8754a762cc734
SHA5121a2346c569266085abef030a235ca83bc1e3249bd090823757495c71332546c6fc3692233415df9168b609820a0bca2ee22d8064e49c9c2aaf7b707e4f52c285
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_de.dllFilesize
30KB
MD5eadeb006461520d14aa2578af902773a
SHA1f0a23049c073b8bb189dc38dc3d38c4603862754
SHA256fe1573ff17ffd86d793aa1dd9fd36109961850bea883d2d3e6d8d3baa3a2e468
SHA512608cd2b73f0b95a7b57f1e23e9da70c663fef20412c6612b58af953061b8c42c25b24d234b380cc86a5dfc166f3018a48aac2f5659434bd038d8a74a252bdf15
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_el.dllFilesize
30KB
MD51a4700d41421d915d26ea36073467527
SHA13c657523c891dbff19676f1d3b471bc7beaa59f5
SHA2560a6f96613229ffc6beb1b36c73cb52be4d68346fd08adbb89e95814ffdc78c6d
SHA512d62cdcfcdb721bb72892a09763f6c97edd0a0b37123a8605d846b8ef8d09938d8c99c49f574e29f590d6528738ac92b8ba8c31cf337408434caf14716e790d57
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_en-GB.dllFilesize
27KB
MD5162af0ee7f6257765264df1ae5cedf19
SHA1b25132643b3153c764ee9a9443cf2ae2fb476029
SHA256982e2f99ab53b7325a3be510c50dfb01ffeed1bf2e291253c8ad9de6497b6c89
SHA5128c615ab0942da4265238f16f0e71a5e095f07af654377d170370e885516b049a4505ec9e44f73f1ee70eca278da0d9affd4c4c3c660676134b634a995b4490c6
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_en.dllFilesize
27KB
MD5ca88ea1e6a8ee2379ea2c8459c2b99e5
SHA1dcf468473aa7ece0f106ab34bd7ae633097153d4
SHA2561e61386dff70de6dabc71ec5d13f8d77ae7e1ac7350f6cc7977603415f29c46a
SHA512d51e59ceb1e99f771ae7f45c986f77f9471e120b27f777056fb12e3b6add87e2540b838cf86ff5fcb76794f4eb5d922c72410204baa5ca3635f4f6157efc20b0
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_es-419.dllFilesize
29KB
MD5d5f0c3f6a7f33abb613146888add7e1d
SHA101864e305dd70fbbd5aabaf5b9fb71dd235591f6
SHA256d25b66f475c67394eed4c51c498f9e20dee225c3aaa9427281a2148cc760f46d
SHA512ee4ad7416408b6fa5d07ed6b964101002de68d2a6e5206bbf5044c5d1323f8f3950e0d229f41b7b4c5389ff68deb890e5db1c2fbdd04c56dd247efe0648bb514
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_es.dllFilesize
28KB
MD5a86027b5da426647253679150fe41c6d
SHA1c5e06bdfc88a39b95e65ba9552c7204da5268564
SHA256ab508539ad80b32dfeb2cbeb57ef31467f0a79ff095d2ff892c17e80356a60f9
SHA51245217ac7e913175416a5a6e446c4081af401e361663e1e99409779a6f08040a4fe08b116056ab7d112f6d1a71f97a6d5e53f22f9d986754f98d177f79d72b773
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_et.dllFilesize
28KB
MD5ab288e21516f5001b120a6129e8c6b6e
SHA100e93428692465d5874ca879bae9fe4a61debbe6
SHA256a3a74bc891e686c5350bb763b75717f00d34f9281f98081e49611419c999acf7
SHA5129e89a37d34ae04678be70ef4b0e83886698e067fa578b4acfa13643557b31c718172defac1053ced3c2acff3def2bcaa9ed40fba65ccdd96f37e46098d975fdc
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_eu.dllFilesize
28KB
MD516c9a02f38925a4ebed9c1d1ba95f61b
SHA141d4e6d32bdcda0fe7f3c58253f2c5032cac346c
SHA256da28ac726626540f08c4c881af38844108e2f878890316f588f62239f88bdc68
SHA51284b544954553e198a1328968ac2bc86a9757d14dd4c304a1b4a55825d1d5dc42952fbd44df6c1c5951d95d430bfde78e60f750902c985877c6a6640c1aa3ab34
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_fa.dllFilesize
27KB
MD5532b88ef925118e43b4ed556c5fdfc3c
SHA15c4990ace3c1abd89802a4f5a06e4dd3aa1afa92
SHA256a8fc095c422a0c0dbde18fcd8292402eff23371f79b4092fed0b7d3f2d4a382f
SHA512f547a65a154b9ab942b185f3c9e4b55dd5771b6cc4442bdbb66487e47f1c631a987bfbb327b71a822b362ae5df5720549c1164e2e49825f4823ca7f3d5d6771b
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_fi.dllFilesize
28KB
MD570d809ac0e74e6ae8ba2bfef150d6e30
SHA16d799af22f709cf7e1c0028fe994d27a17269130
SHA256f2e9ce01e00117fabb74dafae001059b3c032263cbad7f9076f009da4a8abc1b
SHA512927d7abdb298088953029fba117b095f26fccfd6c543201687e3a69b9c97ea90a657ee43d4f412fc633ff36ed80f4ac7b374763c7e61a222c76fd92e5cc66b72
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_fil.dllFilesize
29KB
MD53cc0c1a7cece41adc97fff2f3366877d
SHA1897a222da884641f32e374494b7348dd55627167
SHA256565c9e8b60039a24e5bec0810917e64f32da727954b723dfc0be1983a0340957
SHA5122d6f495cd9cf6d0ecafa41c37480e60f1e2ae1507e152b235a0e274f9db940810482224768490b3fa1193a926268fcab08c2602ae3167476b03ac4600fca96ff
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_fr-CA.dllFilesize
30KB
MD585c1fd04d1b0bc0fa1e00559aeedd14f
SHA121b8a901a08a748f5c6483ab364c13a9a9ee6d79
SHA256e7f16fc0c9060aa39521d2bb7c5f74e634c71a0f95ce62c89e018d8d1578b977
SHA512824bb0be9c46e5074467f091b5cdb6968d3aa989b598d294932b10f254b5f0b4230da2ed86c9723068fb997b39d06f0ac3c67f98c0969227cb602e57603e9bff
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_fr.dllFilesize
30KB
MD51f446af97cc5b43c506505e07b0abe61
SHA13ed4be38abb4953d288d082578465b5ce92854c1
SHA25610f6fe80963da0b757bde9781073df370be9b97301524838eac167787621118d
SHA512d3215d7b15f2994a01b339053d976c8ad561b5324a9dbb269a5ac4668af917ae45dfe1c110855555c7855cf1c74ca38ec989beed91bb1d465c4304d888d6acf9
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_ga.dllFilesize
28KB
MD5daa37ea0971c528fa497be4deb9e9e5c
SHA1ea3678e1939b1d78271061937da64e7f91d690ce
SHA2564e8dc4059e333ace71741fdd601e7420744e2f81bdf0dfccb7f8590d23622e3d
SHA5127b9df2d7d0f607312e1a035cfb7848839ecd025f8fcb6b1e0b57c89c6e4f47c692db4b5669d384db15ef39e7726015cd5d7c608f16ca1f0d70461744c9492c3a
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_gd.dllFilesize
30KB
MD5f976b60c6877ac880bf2bad3f3d20774
SHA1d02ce01289cd2bac6becd1835e55bc6e60327e0b
SHA2564859b9cad6e9b4e95adb96158bd4837192aba0fb8535696a23f942ddd1d93e35
SHA512fb9054e0328211deb69d4c4fb3d03f075d03c2e198c51bb4d09006c87747c1dfc81a39072d2a5e8ba7e47e7e19be866d95b2444e0ff693c01f8afcbf0fdd1bca
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_gl.dllFilesize
28KB
MD5199c4123ef874bd42b54d0c49d0b08aa
SHA1e16a3d629ce1fca181c35f5c2e16497bf54941ae
SHA256a2c22b7f9b1901407068df3ddb049a58b70218559d4cdd944328b9c23d8e5500
SHA512662c91ea89c9f8fe05458301040136ff6e22c345bd25833cf7bb3b61ffa97c37c19bf5dac7fe68c4b0527ff718e05cc0476438e55a44ce0ed3a78358aea967bd
-
C:\Program Files (x86)\Microsoft\Temp\EU7E72.tmp\msedgeupdateres_gu.dllFilesize
28KB
MD5c0184213a10033245208238df3485522
SHA195690861b76477aefcdaf6026d9dd12332ccbfed
SHA256cbdc3c2243fc61e0dd2f786330b9f3763d77bccb94ff69fe6a0b59c76efb0444
SHA512b87c0894d6295147938b1f9d652427c8af77a345947038bc279ada7fe0ef7387e0d5af4c0eb1f0691a9e626d9562aec13aa1fab1568fd4bc6c9df3ce65857a61
-
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.logFilesize
117KB
MD51a83120fa460f06bd6a08de6f2b807ea
SHA106315b9775bda10380db605a5b5a1f575f12cb0c
SHA256adae379b5a1e741a14f41ba0cf4074cb0fe5eff299375a7f7e39dc8b8886bbdd
SHA512bc42d4009ee1e0138bef5e0083579829c3482420641e2ac60a584e0972f28b28cf0a2561bc9d954298f954d181e87ee3aec81a57b33ed42d9c4bec29c037b12f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved\1.3.169.31\recovery-component-inner.crxFilesize
1.9MB
MD5dcb0ab396e869708ca1ca663c6697b50
SHA183d2d79250a470d8c140259688ee35e6019c60f0
SHA256083c44f154565469a742fe081b09ab19eb5f2a986936dbcef55ddd21f79e6beb
SHA512e598653b4e6fa16f7ca3a96b44cc279fb010555102c3b661a88e44f6750242e43293a54af25c187445a6f65f7979d556285c16a0294530978f97327f8c1bdd68
-
\??\pipe\LOCAL\crashpad_2776_DZWOOTWVOIFPHTEIMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/312-133-0x0000000000000000-mapping.dmp
-
memory/668-235-0x0000000000000000-mapping.dmp
-
memory/728-153-0x0000000000000000-mapping.dmp
-
memory/756-226-0x0000000000000000-mapping.dmp
-
memory/808-139-0x0000000000000000-mapping.dmp
-
memory/960-254-0x0000000000000000-mapping.dmp
-
memory/1044-248-0x0000000000000000-mapping.dmp
-
memory/1044-261-0x0000000000000000-mapping.dmp
-
memory/1060-162-0x0000000000000000-mapping.dmp
-
memory/1060-155-0x0000000000000000-mapping.dmp
-
memory/1068-136-0x0000000000000000-mapping.dmp
-
memory/1124-237-0x0000000000000000-mapping.dmp
-
memory/1184-165-0x0000000000000000-mapping.dmp
-
memory/1296-176-0x0000000000000000-mapping.dmp
-
memory/1556-223-0x0000000000000000-mapping.dmp
-
memory/1640-245-0x0000000000000000-mapping.dmp
-
memory/1748-260-0x0000000000000000-mapping.dmp
-
memory/1780-236-0x0000000000000000-mapping.dmp
-
memory/1868-258-0x0000000000000000-mapping.dmp
-
memory/1928-145-0x0000000000000000-mapping.dmp
-
memory/1972-161-0x0000000000000000-mapping.dmp
-
memory/1972-265-0x0000000000000000-mapping.dmp
-
memory/2140-219-0x0000000000000000-mapping.dmp
-
memory/2236-230-0x0000000000000000-mapping.dmp
-
memory/2268-222-0x0000000000000000-mapping.dmp
-
memory/2288-233-0x0000000000000000-mapping.dmp
-
memory/2348-232-0x0000000000000000-mapping.dmp
-
memory/2384-273-0x00007FF820B60000-0x00007FF821621000-memory.dmpFilesize
10.8MB
-
memory/2384-271-0x000002366B1C0000-0x000002366B1E2000-memory.dmpFilesize
136KB
-
memory/2384-272-0x00007FF820B60000-0x00007FF821621000-memory.dmpFilesize
10.8MB
-
memory/2468-221-0x0000000000000000-mapping.dmp
-
memory/2580-171-0x0000000000000000-mapping.dmp
-
memory/2648-224-0x0000000000000000-mapping.dmp
-
memory/2724-239-0x0000000000000000-mapping.dmp
-
memory/2776-132-0x0000000000000000-mapping.dmp
-
memory/2796-251-0x0000000000000000-mapping.dmp
-
memory/2852-167-0x0000000000000000-mapping.dmp
-
memory/3056-263-0x0000000000000000-mapping.dmp
-
memory/3092-247-0x0000000000000000-mapping.dmp
-
memory/3140-169-0x0000000000000000-mapping.dmp
-
memory/3144-160-0x0000000000000000-mapping.dmp
-
memory/3156-264-0x0000000000000000-mapping.dmp
-
memory/3268-147-0x0000000000000000-mapping.dmp
-
memory/3360-256-0x0000000000000000-mapping.dmp
-
memory/3404-228-0x0000000000000000-mapping.dmp
-
memory/3432-218-0x0000000000000000-mapping.dmp
-
memory/3476-220-0x0000000000000000-mapping.dmp
-
memory/3516-262-0x0000000000000000-mapping.dmp
-
memory/3704-229-0x0000000000000000-mapping.dmp
-
memory/3848-234-0x0000000000000000-mapping.dmp
-
memory/3956-149-0x0000000000000000-mapping.dmp
-
memory/4000-266-0x0000000000000000-mapping.dmp
-
memory/4084-157-0x0000000000000000-mapping.dmp
-
memory/4216-243-0x0000000000000000-mapping.dmp
-
memory/4388-173-0x0000000000000000-mapping.dmp
-
memory/4504-143-0x0000000000000000-mapping.dmp
-
memory/4580-141-0x0000000000000000-mapping.dmp
-
memory/4592-252-0x0000000000000000-mapping.dmp
-
memory/4736-241-0x0000000000000000-mapping.dmp
-
memory/4804-151-0x0000000000000000-mapping.dmp
-
memory/4872-159-0x0000000000000000-mapping.dmp
-
memory/4900-231-0x0000000000000000-mapping.dmp
-
memory/4904-267-0x0000000000000000-mapping.dmp
-
memory/4912-163-0x0000000000000000-mapping.dmp
-
memory/4928-225-0x0000000000000000-mapping.dmp
-
memory/4944-250-0x0000000000000000-mapping.dmp
-
memory/5112-135-0x0000000000000000-mapping.dmp