remcos | a6bdc7d25ae942d15182d26e449c329340db53470a079647d3b6ddb06b7e28d5

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2023 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

3.3MB
MD5

2a0c96488c0bf6d685ffe058c1ebb06d
SHA1

9f1cfa7df0680a3b65a192ee8039465d129b62b7
SHA256

a6bdc7d25ae942d15182d26e449c329340db53470a079647d3b6ddb06b7e28d5
SHA512

072ce92f37756cc44d6bbc029446f40d451b5dff8fd188688185c7f405453d703b1c0654adb6ce4f1bb39a12e24450736925041f063df0d9b08e0fe72b280e5d
SSDEEP

24576:EAzFN9Z2XBQFio7Q0sE93KBLPdA6sU1rdUEHbR2XSQXuCRP7+jNJCRZgC/LUa9kJ:EA36kio7Q0sENKHi4wkhlKYQkjRj

Score

10^/10

remcos remotehost microsoft persistence phishing rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

rem.unionbindinqcompany.it:3361

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-F4O94O
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Downloads MZ/PE file

Executes dropped EXE 21 IoCs

Processes:

msedgerecovery.exeMicrosoftEdgeUpdateSetup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateSetup_X86_1.3.171.39.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe

pid	process
5372	msedgerecovery.exe
5032	MicrosoftEdgeUpdateSetup.exe
4424	MicrosoftEdgeUpdate.exe
5468	MicrosoftEdgeUpdate.exe
5576	MicrosoftEdgeUpdate.exe
5404	MicrosoftEdgeUpdateComRegisterShell64.exe
4164	MicrosoftEdgeUpdateComRegisterShell64.exe
2420	MicrosoftEdgeUpdateComRegisterShell64.exe
2208	MicrosoftEdgeUpdate.exe
4960	MicrosoftEdgeUpdate.exe
5020	MicrosoftEdgeUpdate.exe
4880	MicrosoftEdgeUpdate.exe
1460	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
1852	MicrosoftEdgeUpdate.exe
1112	MicrosoftEdgeUpdate.exe
3516	MicrosoftEdgeUpdate.exe
1544	MicrosoftEdgeUpdate.exe
3388	MicrosoftEdgeUpdateComRegisterShell64.exe
3780	MicrosoftEdgeUpdateComRegisterShell64.exe
1616	MicrosoftEdgeUpdateComRegisterShell64.exe
2004	MicrosoftEdgeUpdate.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe

Loads dropped DLL 26 IoCs

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe

pid	process
4424	MicrosoftEdgeUpdate.exe
5468	MicrosoftEdgeUpdate.exe
5576	MicrosoftEdgeUpdate.exe
5404	MicrosoftEdgeUpdateComRegisterShell64.exe
5576	MicrosoftEdgeUpdate.exe
4164	MicrosoftEdgeUpdateComRegisterShell64.exe
5576	MicrosoftEdgeUpdate.exe
2420	MicrosoftEdgeUpdateComRegisterShell64.exe
5576	MicrosoftEdgeUpdate.exe
2208	MicrosoftEdgeUpdate.exe
4960	MicrosoftEdgeUpdate.exe
5020	MicrosoftEdgeUpdate.exe
5020	MicrosoftEdgeUpdate.exe
4960	MicrosoftEdgeUpdate.exe
4880	MicrosoftEdgeUpdate.exe
1852	MicrosoftEdgeUpdate.exe
1112	MicrosoftEdgeUpdate.exe
3516	MicrosoftEdgeUpdate.exe
1544	MicrosoftEdgeUpdate.exe
3388	MicrosoftEdgeUpdateComRegisterShell64.exe
1544	MicrosoftEdgeUpdate.exe
3780	MicrosoftEdgeUpdateComRegisterShell64.exe
1544	MicrosoftEdgeUpdate.exe
1616	MicrosoftEdgeUpdateComRegisterShell64.exe
1544	MicrosoftEdgeUpdate.exe
2004	MicrosoftEdgeUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe
Detected potential entity reuse from brand microsoft.
phishing microsoft

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

file.exefile.exe

description	pid	process	target process
PID 384 set thread context of 2128	384	file.exe	file.exe
PID 2128 set thread context of 4288	2128	file.exe	svchost.exe
PID 2128 set thread context of 3484	2128	file.exe	svchost.exe
PID 2128 set thread context of 1776	2128	file.exe	svchost.exe
PID 2128 set thread context of 3696	2128	file.exe	svchost.exe
PID 2128 set thread context of 5504	2128	file.exe	svchost.exe
PID 2128 set thread context of 6128	2128	file.exe	svchost.exe
PID 2128 set thread context of 5872	2128	file.exe	svchost.exe
PID 2128 set thread context of 5572	2128	file.exe	svchost.exe
PID 2128 set thread context of 2448	2128	file.exe	svchost.exe

Drops file in Program Files directory 64 IoCs

Processes:

MicrosoftEdgeUpdateSetup.exeMicrosoftEdgeUpdateSetup_X86_1.3.171.39.exesetup.exeelevation_service.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_sr-Latn-RS.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_fr.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_nn.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_el.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_fi.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_vi.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_ja.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_ga.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_id.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_sv.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_am.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_ja.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_sr-Cyrl-RS.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\psmachine_arm64.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_lt.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_sr-Cyrl-BA.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_eu.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_fil.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_fr.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_pl.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_sk.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_zh-TW.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_et.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_lo.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_it.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_az.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\MicrosoftEdgeUpdateOnDemand.exe	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_pt-PT.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_km.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\psuser.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_de.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_gu.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_hu.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_ug.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_te.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_ne.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_sq.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_gd.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_ka.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_km.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_pt-PT.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_gd.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_hr.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_vi.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_nb.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\psmachine_64.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_ta.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_th.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\9897aca2-538e-4ec4-beb1-7c7c7064eba8.tmp	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\MicrosoftEdgeComRegisterShellARM64.exe	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_nl.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_pa.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\psuser_arm64.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_da.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_te.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5216_44203700\recovery-component-inner.crx	elevation_service.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\MicrosoftEdgeUpdateOnDemand.exe	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\psuser_64.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_fil.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\msedgeupdateres_pl.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 41 IoCs

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

Processes:

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\MicrosoftEdgeUpdateOnDemand.exe\""	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\ProgID\ = "MicrosoftEdgeUpdate.CoreClass.1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ = "IProgressWndEvents"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\PROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc\CurVer\ = "MicrosoftEdgeUpdate.Update3WebSvc.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LocalServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0\CLSID\ = "{E421557C-0628-43FB-BF2B-7C9F8A4D067C}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0\CLSID\ = "{5F6A18BB-6231-424B-8242-19E5BB94F8ED}"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ = "ICoCreateAsyncStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\PROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\AppID = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\CurVer\ = "MicrosoftEdgeUpdate.CoreClass.1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine.1.0\CLSID\ = "{B5977F34-9264-4AC3-9B31-1224827FF6E8}"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

file.exemsedge.exemsedge.exeidentity_helper.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exemsedge.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

pid	process
384	file.exe
384	file.exe
3956	msedge.exe
3956	msedge.exe
1672	msedge.exe
1672	msedge.exe
3164	identity_helper.exe
3164	identity_helper.exe
4424	MicrosoftEdgeUpdate.exe
4424	MicrosoftEdgeUpdate.exe
4424	MicrosoftEdgeUpdate.exe
4424	MicrosoftEdgeUpdate.exe
4424	MicrosoftEdgeUpdate.exe
4424	MicrosoftEdgeUpdate.exe
4960	MicrosoftEdgeUpdate.exe
4960	MicrosoftEdgeUpdate.exe
4960	MicrosoftEdgeUpdate.exe
4960	MicrosoftEdgeUpdate.exe
5376	msedge.exe
5376	msedge.exe
5376	msedge.exe
5376	msedge.exe
5020	MicrosoftEdgeUpdate.exe
5020	MicrosoftEdgeUpdate.exe
1112	MicrosoftEdgeUpdate.exe
1112	MicrosoftEdgeUpdate.exe

Suspicious behavior: MapViewOfSection 9 IoCs

Processes:

file.exe

pid process

2128 file.exe
2128 file.exe
2128 file.exe
2128 file.exe
2128 file.exe
2128 file.exe
2128 file.exe
2128 file.exe
2128 file.exe

pid	process
2128	file.exe
2128	file.exe
2128	file.exe
2128	file.exe
2128	file.exe
2128	file.exe
2128	file.exe
2128	file.exe
2128	file.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs

Processes:

msedge.exe

pid	process
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

file.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	pid	process
Token: SeDebugPrivilege	384	file.exe
Token: SeDebugPrivilege	4424	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	4424	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	4960	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	5020	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	1112	MicrosoftEdgeUpdate.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

1672 msedge.exe
1672 msedge.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

file.exe

pid process

2128 file.exe

pid	process
2128	file.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

file.exefile.exesvchost.exemsedge.exe

description	pid	process	target process
PID 384 wrote to memory of 5072	384	file.exe	file.exe
PID 384 wrote to memory of 5072	384	file.exe	file.exe
PID 384 wrote to memory of 5072	384	file.exe	file.exe
PID 384 wrote to memory of 2128	384	file.exe	file.exe
PID 384 wrote to memory of 2128	384	file.exe	file.exe
PID 384 wrote to memory of 2128	384	file.exe	file.exe
PID 384 wrote to memory of 2128	384	file.exe	file.exe
PID 384 wrote to memory of 2128	384	file.exe	file.exe
PID 384 wrote to memory of 2128	384	file.exe	file.exe
PID 384 wrote to memory of 2128	384	file.exe	file.exe
PID 384 wrote to memory of 2128	384	file.exe	file.exe
PID 384 wrote to memory of 2128	384	file.exe	file.exe
PID 384 wrote to memory of 2128	384	file.exe	file.exe
PID 384 wrote to memory of 2128	384	file.exe	file.exe
PID 384 wrote to memory of 2128	384	file.exe	file.exe
PID 2128 wrote to memory of 4288	2128	file.exe	svchost.exe
PID 2128 wrote to memory of 4288	2128	file.exe	svchost.exe
PID 2128 wrote to memory of 4288	2128	file.exe	svchost.exe
PID 2128 wrote to memory of 4288	2128	file.exe	svchost.exe
PID 4288 wrote to memory of 1672	4288	svchost.exe	msedge.exe
PID 4288 wrote to memory of 1672	4288	svchost.exe	msedge.exe
PID 1672 wrote to memory of 1840	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 1840	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 5100	1672	msedge.exe	msedge.exe
PID 1672 wrote to memory of 3956	1672	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2128

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
5⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2116 /prefetch:8
5⤵
PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
5⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
5⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5200 /prefetch:8
5⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
5⤵
PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4232 /prefetch:8
5⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1
5⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3792 /prefetch:1
5⤵
PID:816

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
5⤵
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1bc,0x22c,0x7ff7670a5460,0x7ff7670a5470,0x7ff7670a5480
6⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
5⤵
PID:1212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
5⤵
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
5⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
5⤵
PID:384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
5⤵
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
5⤵
PID:1912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2948 /prefetch:1
5⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
5⤵
PID:1008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
5⤵
PID:3800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
5⤵
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
5⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7156 /prefetch:1
5⤵
PID:5364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
5⤵
PID:5564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7440 /prefetch:1
5⤵
PID:5592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6012 /prefetch:8
5⤵
PID:5780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7668 /prefetch:1
5⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7572 /prefetch:1
5⤵
PID:5948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
5⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:1
5⤵
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7732 /prefetch:8
5⤵
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7636 /prefetch:1
5⤵
PID:5488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8052 /prefetch:1
5⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7968 /prefetch:1
5⤵
PID:3076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
5⤵
PID:5696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
5⤵
PID:6032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7200 /prefetch:1
5⤵
PID:2076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
5⤵
PID:5500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8120 /prefetch:1
5⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8252 /prefetch:8
5⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8236 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8308 /prefetch:1
5⤵
PID:5904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7208 /prefetch:1
5⤵
PID:4076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8480 /prefetch:1
5⤵
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,9898781939741495816,4723035286171988818,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8864 /prefetch:1
5⤵
PID:5640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:3816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:4504

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x38,0x108,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:3108

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:1776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:2952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:4168

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:3696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:5232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:5472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:5488

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:5504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:5852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:6116

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:6128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:5556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:5544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:5580

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:5872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:6140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x108,0x10c,0x110,0xd8,0x114,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:3108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:5196

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:5572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:5080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=svchost.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0
4⤵
PID:5552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe1a2546f8,0x7ffe1a254708,0x7ffe1a254718
5⤵
PID:5712

C:\Windows\SysWOW64\svchost.exe
svchost.exe
3⤵
PID:2448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:5216

C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5216_44203700\msedgerecovery.exe
"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5216_44203700\msedgerecovery.exe" --appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} --browser-version=92.0.902.67 --sessionid={29ac309a-be08-4238-9215-f53ba6704245} --system
2⤵
- Executes dropped EXE
PID:5372

C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5216_44203700\MicrosoftEdgeUpdateSetup.exe
"C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5216_44203700\MicrosoftEdgeUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5032

C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\MicrosoftEdgeUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
4⤵
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5468

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:5576

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:5404

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:4164

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"
6⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:2420

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjkuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qzk4REIxQTYtNjI5NC00QUQxLTk0QTItRTBCRDU2N0QwQTc5fSIgdXNlcmlkPSJ7N0VCMUE2MjYtNTIxQi00RTJDLTgwOTUtRjMzMjgxNTRGMTZCfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezQ3MTM1MDNGLUQ3NTItNDk3Qy1BODI0LTEyNkMxMDg0NEVDMX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7bTQ2SzVLNXoxdnZrTkxIcjRjMXgvaENqZTdaUUxkcUt5WjVOd2d6VjNBOD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE2OS4zMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTIzNTgyNTE2MCIgaW5zdGFsbF90aW1lX21zPSIxOTU3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /machine /installsource chromerecovery
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjkuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjdFRkRCRDctOEQ4Qi00MDBFLUJDNzQtNjEzNTg5OTU2ODBBfSIgdXNlcmlkPSJ7N0VCMUE2MjYtNTIxQi00RTJDLTgwOTUtRjMzMjgxNTRGMTZCfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezNCMDU1RTIxLTBBNEUtNDgwMC1BNTgyLTJBRTQ5MTdDQjg1Rn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cVdKU3pXd1BmZGNMUitYR0l2NnhyWmZpWU94aFBVMnMxTldtaldjYUZQZz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iODkuMC40Mzg5LjExNCIgbmV4dHZlcnNpb249Ijg5LjAuNDM4OS4xMTQiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTI5NjY2MDA2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4880

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{62D771D9-2B3C-4BA1-8A1A-C2B93B2759FF}\MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{62D771D9-2B3C-4BA1-8A1A-C2B93B2759FF}\MicrosoftEdgeUpdateSetup_X86_1.3.171.39.exe" /update /sessionid "{B7EFDBD7-8D8B-400E-BC74-61358995680A}"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1460

C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EUCEE4.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{B7EFDBD7-8D8B-400E-BC74-61358995680A}"
3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3516

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1544

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:3388

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:3780

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1616

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjdFRkRCRDctOEQ4Qi00MDBFLUJDNzQtNjEzNTg5OTU2ODBBfSIgdXNlcmlkPSJ7N0VCMUE2MjYtNTIxQi00RTJDLTgwOTUtRjMzMjgxNTRGMTZCfSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7NzIyNzFFMUQtQzVGQi00QUFCLUIzQkUtQUU0RUE0NDRBMjU4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtxV0pTeld3UGZkY0xSK1hHSXY2eHJaZmlZT3hoUFUyczFOV21qV2NhRlBnPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTY5LjMxIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjMwNVIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTY3NTI1NjIxMCI-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU4MjAxMTg2NSIvPjwvYXBwPjwvcmVxdWVzdD4
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjkuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjdFRkRCRDctOEQ4Qi00MDBFLUJDNzQtNjEzNTg5OTU2ODBBfSIgdXNlcmlkPSJ7N0VCMUE2MjYtNTIxQi00RTJDLTgwOTUtRjMzMjgxNTRGMTZCfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0ie0VERTU3QkM3LUFENzktNEM1QS1BNkUwLUExRTQyQzZDNzYwRH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE2OS4zMSIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iUHJvZHVjdHNUb1JlZ2lzdGVyPSU3QkYzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNSU3RDtjaHJvbWVyZWMzPTIwMjMwNVIiIGluc3RhbGxhZ2U9IjAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU1NDAzNTU3NTkiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU0MDU5NjMwOCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMCIgZXJyb3Jjb2RlPSItMjE0NzAyMzgzOCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU0OTU1MTgzNiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2RiOGM1YmY1LThmNmItNDMxMS1iMTU4LWI2YzRkYTNhZDBkMj9QMT0xNjc1ODYxMDQzJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUNXTDZ5Z0xnRGw3N3FyJTJmVWltSWhRdGdNWlNISDVlaDU3QSUyZnVIalFaZk9mSDJncGlSJTJmb1BKQVpxMm9pTzMybnNleDBKVHN4R2hHd3BhZFNSN0tma0J3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU0OTU1MTgzNiIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvZGI4YzViZjUtOGY2Yi00MzExLWIxNTgtYjZjNGRhM2FkMGQyP1AxPTE2NzU4NjEwNDMmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9Q1dMNnlnTGdEbDc3cXIlMmZVaW1JaFF0Z01aU0hINWVoNTdBJTJmdUhqUVpmT2ZIMmdwaVIlMmZvUEpBWnEyb2lPMzJuc2V4MEpUc3hHaEd3cGFkU1I3S2ZrQnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNTg3MTYwIiB0b3RhbD0iMTU4NzE2MCIgZG93bmxvYWRfdGltZV9tcz0iNTA5Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU1NDk3MDg5MDUiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTU1NTQ4NzU2OCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxwaW5nIHI9IjE1MyIgcmQ9IjU3MjIiIHBpbmdfZnJlc2huZXNzPSJ7MzE0NzhEOTQtQzZCMS00NEFELUE3RjEtNDg4Njc1MEY0M0M1fSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBsYXN0X2xhdW5jaF90aW1lPSIxMzMxOTcyOTgzOTU1MzAyMjAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSItMSIgcj0iMTUzIiBhZD0iLTEiIHJkPSI1NzIyIiBwaW5nX2ZyZXNobmVzcz0ie0YxMzI2NzMyLUU0MjctNENDNC04OTc0LUFBOTlDQjFBRTMyMH0iLz48L2FwcD48L3JlcXVlc3Q-
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1852

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5216_44203700\MicrosoftEdgeUpdateSetup.exe
Filesize
1.5MB

MD5
f70962a7883fefe8defa224c1ffdadfa

SHA1
efd06b7c1b5ead8cec2cd029a8d8ccb0c46ee2da

SHA256
3e726854ff0a0046de458afc2cd58cfc37430b4c7969395111398f47d8f63bb4

SHA512
678c10874e6089acde5c57cdc64e11a76cbc9b3e7c882f9c1eaa619f897675c8f145e4be4825d8197edb2e645035a0953c3ed5a34da3e84d013fea5599699761

Download Submit
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5216_44203700\MicrosoftEdgeUpdateSetup.exe
Filesize
1.5MB

MD5
f70962a7883fefe8defa224c1ffdadfa

SHA1
efd06b7c1b5ead8cec2cd029a8d8ccb0c46ee2da

SHA256
3e726854ff0a0046de458afc2cd58cfc37430b4c7969395111398f47d8f63bb4

SHA512
678c10874e6089acde5c57cdc64e11a76cbc9b3e7c882f9c1eaa619f897675c8f145e4be4825d8197edb2e645035a0953c3ed5a34da3e84d013fea5599699761

Download Submit
C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir5216_44203700\msedgerecovery.exe
Filesize
1.1MB

MD5
3b2bd3e2b22afa49576723c819a1185b

SHA1
41a1590e22600c717acd9e376b9020b3021dada6

SHA256
b2900c435244e948491cfab330b570b4326d1879c5c2be2aa35ce8bd49446d05

SHA512
a411b00da74a6c90d0a60a0d9a024a430c2c7483416dc95634bd62c5c29b9c9d1fd3310911f2da85df66aac08e9026df4aad00c083781ca22802b0236652d1d5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\MicrosoftEdgeComRegisterShellARM64.exe
Filesize
172KB

MD5
b462ad181104b32ec56a6a1e1aa25622

SHA1
c26dbc70359be470fb63d50e12528e473749d9f7

SHA256
5b95e7e42a2df4c8cb8a1dfc9e71f81831ffc128408ad1a37f83ab76dcdf1afb

SHA512
5f6b37f4e88b617ca68762706423e38da4eccb820e82635eda3ed269efeb92ae3285e0b1285978f35dd8df004c801ebbca2f7c061ae055070bdbcba88c474e70

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\MicrosoftEdgeUpdate.exe
Filesize
200KB

MD5
7bcf03ae20f6b4aab6efda45f6a0fa01

SHA1
6f1a63a994568c7cac224c6f44d41d19fe24a2e4

SHA256
23387b13f6386a095ae8f178c261f6565e5828fd7e67ef0cbb10e07224149ba6

SHA512
615d130b2f87d3f2ec125cc97391c6b318359a78f0135f10d0ffd5085062cde39935823865f139d767f9d7992dfa926358442369ab424fbe1d54b2c915992c4b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\MicrosoftEdgeUpdate.exe
Filesize
200KB

MD5
7bcf03ae20f6b4aab6efda45f6a0fa01

SHA1
6f1a63a994568c7cac224c6f44d41d19fe24a2e4

SHA256
23387b13f6386a095ae8f178c261f6565e5828fd7e67ef0cbb10e07224149ba6

SHA512
615d130b2f87d3f2ec125cc97391c6b318359a78f0135f10d0ffd5085062cde39935823865f139d767f9d7992dfa926358442369ab424fbe1d54b2c915992c4b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe
Filesize
205KB

MD5
fccf8ebd72efacc9566b7849d59512aa

SHA1
2d0cc03e7912578d1c0a01e1d338290a0d1c157e

SHA256
a6a3b7b77ec3fcbdd07b516457fcc7368282ed84e04792316d2ceeeb3b6c84fb

SHA512
6e0b2e27ae19c3100b789b8b22eb307072a902878d92cea426ac02c07c8338934b49c57012a858e01816617ec6c41ef39b7a390e63c8975e56c4504faa8b6b3a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\MicrosoftEdgeUpdateCore.exe
Filesize
250KB

MD5
524a95f05f4c0def70fa61a5f0717e9c

SHA1
6ee3b87e60e865d21bc1b5e434fea12fe262c315

SHA256
e17a7d9e0dcb1a3d6a21009f8d9b41fe1986312d79ffc6728c6c3f500dd6434f

SHA512
cc5e21ce182489416c906fb3f16e808554b739908916682cef6afe11a748b02382bfb93d1359cdc0794c2fb4b6f3cb9d9c677215a904be79d4b1df573de99089

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\NOTICE.TXT
Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdate.dll
Filesize
2.0MB

MD5
5f4cdf4268be23a984ee0b2feaad3dd3

SHA1
cc5aabfc567971d7d2b7a0a206925a59de79dad5

SHA256
bb92222715061ddc89332668248c696348b953a0251893ec7d36597099308d92

SHA512
41803d549742f3b22521d6b645adfafdc477c3fc315a88056b111d54cb0ba677db4a8162b793a19619f672b3580736d939367649d3729c129ef871b55900f0cd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdate.dll
Filesize
2.0MB

MD5
5f4cdf4268be23a984ee0b2feaad3dd3

SHA1
cc5aabfc567971d7d2b7a0a206925a59de79dad5

SHA256
bb92222715061ddc89332668248c696348b953a0251893ec7d36597099308d92

SHA512
41803d549742f3b22521d6b645adfafdc477c3fc315a88056b111d54cb0ba677db4a8162b793a19619f672b3580736d939367649d3729c129ef871b55900f0cd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU45BE.tmp\msedgeupdateres_en.dll
Filesize
27KB

MD5
ca88ea1e6a8ee2379ea2c8459c2b99e5

SHA1
dcf468473aa7ece0f106ab34bd7ae633097153d4

SHA256
1e61386dff70de6dabc71ec5d13f8d77ae7e1ac7350f6cc7977603415f29c46a

SHA512
d51e59ceb1e99f771ae7f45c986f77f9471e120b27f777056fb12e3b6add87e2540b838cf86ff5fcb76794f4eb5d922c72410204baa5ca3635f4f6157efc20b0

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
Filesize
117KB

MD5
298910a9444e74b3a4cfce68b1e373a4

SHA1
ed47ca9d0799ad9319f960098e58a76e5b5adf2a

SHA256
03b5a72c8f248d4c91ab94f1876dd7db9f4ecc7fd0e2702486ff5d8305470fa3

SHA512
02a0a54cbae1ccc59a1d0edcb76ed8ccd89a073c7845218372dd5a49be11e02e01cbb22127f88337cb2a99e06139a39c1183ca7803058592a4e01082cb94d8ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
248831967cd174eeb5bb5eba173da6a5

SHA1
81c9c24d106aeb26f4ae1dcd0866ec7ed6d81d99

SHA256
3752c2ea4a6ba3d1a5b7545246c430a37cc79c8fdd60c82b4d0200ce083cf9c3

SHA512
07cd5594939f896098976a4fec9dd1005fa031637697187f9a038b65ecb46d9d9d5fab3e51f7eade64c369e8a885c0c8e9b76efc71e3ed3c4e613c623b09425d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
248831967cd174eeb5bb5eba173da6a5

SHA1
81c9c24d106aeb26f4ae1dcd0866ec7ed6d81d99

SHA256
3752c2ea4a6ba3d1a5b7545246c430a37cc79c8fdd60c82b4d0200ce083cf9c3

SHA512
07cd5594939f896098976a4fec9dd1005fa031637697187f9a038b65ecb46d9d9d5fab3e51f7eade64c369e8a885c0c8e9b76efc71e3ed3c4e613c623b09425d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
248831967cd174eeb5bb5eba173da6a5

SHA1
81c9c24d106aeb26f4ae1dcd0866ec7ed6d81d99

SHA256
3752c2ea4a6ba3d1a5b7545246c430a37cc79c8fdd60c82b4d0200ce083cf9c3

SHA512
07cd5594939f896098976a4fec9dd1005fa031637697187f9a038b65ecb46d9d9d5fab3e51f7eade64c369e8a885c0c8e9b76efc71e3ed3c4e613c623b09425d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
248831967cd174eeb5bb5eba173da6a5

SHA1
81c9c24d106aeb26f4ae1dcd0866ec7ed6d81d99

SHA256
3752c2ea4a6ba3d1a5b7545246c430a37cc79c8fdd60c82b4d0200ce083cf9c3

SHA512
07cd5594939f896098976a4fec9dd1005fa031637697187f9a038b65ecb46d9d9d5fab3e51f7eade64c369e8a885c0c8e9b76efc71e3ed3c4e613c623b09425d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
248831967cd174eeb5bb5eba173da6a5

SHA1
81c9c24d106aeb26f4ae1dcd0866ec7ed6d81d99

SHA256
3752c2ea4a6ba3d1a5b7545246c430a37cc79c8fdd60c82b4d0200ce083cf9c3

SHA512
07cd5594939f896098976a4fec9dd1005fa031637697187f9a038b65ecb46d9d9d5fab3e51f7eade64c369e8a885c0c8e9b76efc71e3ed3c4e613c623b09425d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
248831967cd174eeb5bb5eba173da6a5

SHA1
81c9c24d106aeb26f4ae1dcd0866ec7ed6d81d99

SHA256
3752c2ea4a6ba3d1a5b7545246c430a37cc79c8fdd60c82b4d0200ce083cf9c3

SHA512
07cd5594939f896098976a4fec9dd1005fa031637697187f9a038b65ecb46d9d9d5fab3e51f7eade64c369e8a885c0c8e9b76efc71e3ed3c4e613c623b09425d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
248831967cd174eeb5bb5eba173da6a5

SHA1
81c9c24d106aeb26f4ae1dcd0866ec7ed6d81d99

SHA256
3752c2ea4a6ba3d1a5b7545246c430a37cc79c8fdd60c82b4d0200ce083cf9c3

SHA512
07cd5594939f896098976a4fec9dd1005fa031637697187f9a038b65ecb46d9d9d5fab3e51f7eade64c369e8a885c0c8e9b76efc71e3ed3c4e613c623b09425d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
248831967cd174eeb5bb5eba173da6a5

SHA1
81c9c24d106aeb26f4ae1dcd0866ec7ed6d81d99

SHA256
3752c2ea4a6ba3d1a5b7545246c430a37cc79c8fdd60c82b4d0200ce083cf9c3

SHA512
07cd5594939f896098976a4fec9dd1005fa031637697187f9a038b65ecb46d9d9d5fab3e51f7eade64c369e8a885c0c8e9b76efc71e3ed3c4e613c623b09425d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
248831967cd174eeb5bb5eba173da6a5

SHA1
81c9c24d106aeb26f4ae1dcd0866ec7ed6d81d99

SHA256
3752c2ea4a6ba3d1a5b7545246c430a37cc79c8fdd60c82b4d0200ce083cf9c3

SHA512
07cd5594939f896098976a4fec9dd1005fa031637697187f9a038b65ecb46d9d9d5fab3e51f7eade64c369e8a885c0c8e9b76efc71e3ed3c4e613c623b09425d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RecoveryImproved\1.3.169.31\recovery-component-inner.crx
Filesize
1.9MB

MD5
dcb0ab396e869708ca1ca663c6697b50

SHA1
83d2d79250a470d8c140259688ee35e6019c60f0

SHA256
083c44f154565469a742fe081b09ab19eb5f2a986936dbcef55ddd21f79e6beb

SHA512
e598653b4e6fa16f7ca3a96b44cc279fb010555102c3b661a88e44f6750242e43293a54af25c187445a6f65f7979d556285c16a0294530978f97327f8c1bdd68

Download Submit
\??\pipe\LOCAL\crashpad_1672_ICKCIXOEOIOFDYJC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/384-132-0x00000000003A0000-0x00000000006F6000-memory.dmp

Filesize
3.3MB

Download
memory/384-181-0x0000000000000000-mapping.dmp

Download
memory/384-133-0x00000000055F0000-0x0000000005B94000-memory.dmp

Filesize
5.6MB

Download
memory/816-163-0x0000000000000000-mapping.dmp

Download
memory/1008-196-0x0000000000000000-mapping.dmp

Download
memory/1212-172-0x0000000000000000-mapping.dmp

Download
memory/1420-174-0x0000000000000000-mapping.dmp

Download
memory/1516-159-0x0000000000000000-mapping.dmp

Download
memory/1604-148-0x0000000000000000-mapping.dmp

Download
memory/1636-194-0x0000000000000000-mapping.dmp

Download
memory/1644-176-0x0000000000000000-mapping.dmp

Download
memory/1672-141-0x0000000000000000-mapping.dmp

Download
memory/1776-184-0x0000000000000000-mapping.dmp

Download
memory/1840-142-0x0000000000000000-mapping.dmp

Download
memory/1912-189-0x0000000000000000-mapping.dmp

Download
memory/2128-157-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2128-140-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2128-138-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2128-137-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2128-136-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2128-135-0x0000000000000000-mapping.dmp

Download
memory/2232-150-0x0000000000000000-mapping.dmp

Download
memory/2808-154-0x0000000000000000-mapping.dmp

Download
memory/2952-190-0x0000000000000000-mapping.dmp

Download
memory/3108-183-0x0000000000000000-mapping.dmp

Download
memory/3164-170-0x0000000000000000-mapping.dmp

Download
memory/3260-236-0x0000000000000000-mapping.dmp

Download
memory/3484-166-0x0000000000000000-mapping.dmp

Download
memory/3552-182-0x0000000000000000-mapping.dmp

Download
memory/3696-200-0x0000000000000000-mapping.dmp

Download
memory/3728-156-0x0000000000000000-mapping.dmp

Download
memory/3800-202-0x0000000000000000-mapping.dmp

Download
memory/3816-164-0x0000000000000000-mapping.dmp

Download
memory/3956-145-0x0000000000000000-mapping.dmp

Download
memory/3964-234-0x0000000000000000-mapping.dmp

Download
memory/3964-175-0x0000000000000000-mapping.dmp

Download
memory/4068-191-0x0000000000000000-mapping.dmp

Download
memory/4168-198-0x0000000000000000-mapping.dmp

Download
memory/4288-139-0x0000000000000000-mapping.dmp

Download
memory/4392-152-0x0000000000000000-mapping.dmp

Download
memory/4424-245-0x0000000000000000-mapping.dmp

Download
memory/4504-165-0x0000000000000000-mapping.dmp

Download
memory/4540-204-0x0000000000000000-mapping.dmp

Download
memory/4848-187-0x0000000000000000-mapping.dmp

Download
memory/4944-169-0x0000000000000000-mapping.dmp

Download
memory/4968-161-0x0000000000000000-mapping.dmp

Download
memory/4996-179-0x0000000000000000-mapping.dmp

Download
memory/5008-197-0x0000000000000000-mapping.dmp

Download
memory/5032-242-0x0000000000000000-mapping.dmp

Download
memory/5072-134-0x0000000000000000-mapping.dmp

Download
memory/5100-144-0x0000000000000000-mapping.dmp

Download
memory/5116-168-0x0000000000000000-mapping.dmp

Download
memory/5192-238-0x0000000000000000-mapping.dmp

Download
memory/5216-205-0x0000000000000000-mapping.dmp

Download
memory/5232-206-0x0000000000000000-mapping.dmp

Download
memory/5284-209-0x0000000000000000-mapping.dmp

Download
memory/5364-211-0x0000000000000000-mapping.dmp

Download
memory/5372-240-0x0000000000000000-mapping.dmp

Download
memory/5472-212-0x0000000000000000-mapping.dmp

Download
memory/5488-213-0x0000000000000000-mapping.dmp

Download
memory/5504-214-0x0000000000000000-mapping.dmp

Download
memory/5564-217-0x0000000000000000-mapping.dmp

Download
memory/5592-219-0x0000000000000000-mapping.dmp

Download
memory/5780-221-0x0000000000000000-mapping.dmp

Download
memory/5852-222-0x0000000000000000-mapping.dmp

Download
memory/5868-223-0x0000000000000000-mapping.dmp

Download
memory/5924-226-0x0000000000000000-mapping.dmp

Download
memory/5948-228-0x0000000000000000-mapping.dmp

Download
memory/6096-229-0x0000000000000000-mapping.dmp

Download
memory/6116-230-0x0000000000000000-mapping.dmp

Download
memory/6128-231-0x0000000000000000-mapping.dmp

Download