d44772368ac7f09b61e8efabf5c31cc1bb1c5b5b87e8d4a8115c846b86098204

Analysis

max time kernel
129s
max time network
133s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
17/09/2023, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

589c9cca5b4d66802fc1e56e8755d57e_JC.exe
Size

1.6MB
MD5

589c9cca5b4d66802fc1e56e8755d57e
SHA1

62a93c1c8c9a86e2b282b45d2d25bb42a3cd6c08
SHA256

d44772368ac7f09b61e8efabf5c31cc1bb1c5b5b87e8d4a8115c846b86098204
SHA512

65a8cd05ffe27f118e17a392ae03fe725bf5d23326db5c04466ab61df0f7e233df84692b2aa1d9e9104a15e58c7e3794d3aba9db0899f673c3617fe2c87dd2f6
SSDEEP

49152:TS4eYJmnzBEsAh5rm6l6v7aAUAEyQBFni:TSQEzBEhVAEyeVi

Score

8^/10

discovery persistence spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Executes dropped EXE 15 IoCs

pid	Process
1368	B4uEGJ9h4dhYD6k.exe
2372	CTS.exe
2004	MicrosoftEdgeUpdate.exe
1432	MicrosoftEdgeUpdate.exe
2884	MicrosoftEdgeUpdate.exe
2888	MicrosoftEdgeUpdateComRegisterShell64.exe
2136	MicrosoftEdgeUpdateComRegisterShell64.exe
2316	MicrosoftEdgeUpdateComRegisterShell64.exe
1640	MicrosoftEdgeUpdate.exe
2200	MicrosoftEdgeUpdate.exe
2024	MicrosoftEdgeUpdate.exe
836	MicrosoftEdgeUpdate.exe
2712	MicrosoftEdge_X64_109.0.1518.140.exe
2720	setup.exe
2584	MicrosoftEdgeUpdate.exe

Loads dropped DLL 28 IoCs

pid	Process
2060	589c9cca5b4d66802fc1e56e8755d57e_JC.exe
1368	B4uEGJ9h4dhYD6k.exe
2004	MicrosoftEdgeUpdate.exe
2004	MicrosoftEdgeUpdate.exe
2004	MicrosoftEdgeUpdate.exe
2004	MicrosoftEdgeUpdate.exe
2004	MicrosoftEdgeUpdate.exe
2884	MicrosoftEdgeUpdate.exe
2884	MicrosoftEdgeUpdate.exe
2888	MicrosoftEdgeUpdateComRegisterShell64.exe
2884	MicrosoftEdgeUpdate.exe
2884	MicrosoftEdgeUpdate.exe
2136	MicrosoftEdgeUpdateComRegisterShell64.exe
2884	MicrosoftEdgeUpdate.exe
2884	MicrosoftEdgeUpdate.exe
2316	MicrosoftEdgeUpdateComRegisterShell64.exe
2884	MicrosoftEdgeUpdate.exe
2004	MicrosoftEdgeUpdate.exe
2004	MicrosoftEdgeUpdate.exe
2004	MicrosoftEdgeUpdate.exe
2004	MicrosoftEdgeUpdate.exe
2024	MicrosoftEdgeUpdate.exe
2200	MicrosoftEdgeUpdate.exe
2024	MicrosoftEdgeUpdate.exe
2024	MicrosoftEdgeUpdate.exe
2712	MicrosoftEdge_X64_109.0.1518.140.exe
2720	setup.exe
2024	MicrosoftEdgeUpdate.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31D0E08E-1AC8-4B50-B591-25F091984A8C}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.55\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.55\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31D0E08E-1AC8-4B50-B591-25F091984A8C}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.55\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31D0E08E-1AC8-4B50-B591-25F091984A8C}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31D0E08E-1AC8-4B50-B591-25F091984A8C}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.55\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31D0E08E-1AC8-4B50-B591-25F091984A8C}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31D0E08E-1AC8-4B50-B591-25F091984A8C}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.55\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31D0E08E-1AC8-4B50-B591-25F091984A8C}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.55\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31D0E08E-1AC8-4B50-B591-25F091984A8C}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31D0E08E-1AC8-4B50-B591-25F091984A8C}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.55\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.55\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.55\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	589c9cca5b4d66802fc1e56e8755d57e_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 10 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\eu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\identity_proxy\identity_helper.Sparse.Dev.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\ne.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\MicrosoftEdgeUpdateSetup.exe	B4uEGJ9h4dhYD6k.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\identity_proxy\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\Locales\he.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\mojo_core.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\msedge.exe.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\Trust Protection Lists\Mu\Entities	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Trust Protection Lists\Sigma\Advertising	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Notifications\SoftLandingAssetDark.gif	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\psmachine.dll	B4uEGJ9h4dhYD6k.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\MEIPreload\preloaded_data.pb	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Trust Protection Lists\Mu\LICENSE	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\ne.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\en-GB.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\MicrosoftEdgeUpdateOnDemand.exe	B4uEGJ9h4dhYD6k.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_pt-PT.dll	B4uEGJ9h4dhYD6k.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_af.dll	B4uEGJ9h4dhYD6k.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\Locales\ja.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\zh-CN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\en-US.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\kok.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\pt-BR.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_iw.dll	B4uEGJ9h4dhYD6k.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\Extensions\external_extensions.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\prefs_enclave_x64.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\PdfPreview\PdfPreviewHandler.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\fi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\ta.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\msedge.exe.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_gd.dll	B4uEGJ9h4dhYD6k.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\delegatedWebFeatures.sccd	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\Locales\eu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\resources.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\es.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_es.dll	B4uEGJ9h4dhYD6k.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_it.dll	B4uEGJ9h4dhYD6k.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\msedgewebview2.exe.sig	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\Notifications\SoftLandingAssetLight.gif	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Trust Protection Lists\Sigma\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\sr-Latn-RS.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\Locales\bg.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\msedge_100_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\msedge_7z.data	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\lb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\msedge_100_percent.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_sr-Latn-RS.dll	B4uEGJ9h4dhYD6k.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\msedge.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\msedge.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\hi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_lv.dll	B4uEGJ9h4dhYD6k.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\el.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\Locales\hr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\Trust Protection Lists\Sigma\Staging	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\el.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\hr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_fil.dll	B4uEGJ9h4dhYD6k.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_tr.dll	B4uEGJ9h4dhYD6k.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\telclient.dll	setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	589c9cca5b4d66802fc1e56e8755d57e_JC.exe
File created	C:\Windows\CTS.exe	CTS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{032E80DE-01C0-450B-B4BF-1D0955361DF9}\WpadDecisionTime = 50c4f9d088e9d901	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{032E80DE-01C0-450B-B4BF-1D0955361DF9}\WpadDecision = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-56-4f-1b-c2-b8\WpadDecisionTime = 7095c69a88e9d901	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{032E80DE-01C0-450B-B4BF-1D0955361DF9}\WpadDecision = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-56-4f-1b-c2-b8\WpadDecisionTime = d069069f88e9d901	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-56-4f-1b-c2-b8\WpadDecisionReason = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{032E80DE-01C0-450B-B4BF-1D0955361DF9}\d6-56-4f-1b-c2-b8	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{032E80DE-01C0-450B-B4BF-1D0955361DF9}\WpadDecisionTime = d03ddbd788e9d901	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{032E80DE-01C0-450B-B4BF-1D0955361DF9}\WpadDecisionTime = d069069f88e9d901	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6B716CB-028B-404D-B72C-50E153DD68DA}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods\ = "8"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{31D0E08E-1AC8-4B50-B591-25F091984A8C}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\CLSID\ = "{08D832B9-D2FD-481F-98CF-904D00DF63CC}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LocalServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E60B56E2-490E-40FD-B21F-2791D0EA81F2}\InprocHandler32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation\Enabled = "1"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32\ = "{31D0E08E-1AC8-4B50-B591-25F091984A8C}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\ProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ = "ServiceModule"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0\CLSID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{31D0E08E-1AC8-4B50-B591-25F091984A8C}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc.1.0\CLSID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{31D0E08E-1AC8-4B50-B591-25F091984A8C}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.55\\MicrosoftEdgeUpdateOnDemand.exe\""	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32\ = "{31D0E08E-1AC8-4B50-B591-25F091984A8C}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E60B56E2-490E-40FD-B21F-2791D0EA81F2}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ = "IPolicyStatus4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{31D0E08E-1AC8-4B50-B591-25F091984A8C}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\ = "Microsoft Edge Update Process Launcher Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ProxyStubClsid32\ = "{31D0E08E-1AC8-4B50-B591-25F091984A8C}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.55\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{31D0E08E-1AC8-4B50-B591-25F091984A8C}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2004	MicrosoftEdgeUpdate.exe
2004	MicrosoftEdgeUpdate.exe
2004	MicrosoftEdgeUpdate.exe
2004	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2060	589c9cca5b4d66802fc1e56e8755d57e_JC.exe
Token: SeDebugPrivilege	2372	CTS.exe
Token: SeDebugPrivilege	2004	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	2004	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1368	2060	589c9cca5b4d66802fc1e56e8755d57e_JC.exe	28
PID 2060 wrote to memory of 1368	2060	589c9cca5b4d66802fc1e56e8755d57e_JC.exe	28
PID 2060 wrote to memory of 1368	2060	589c9cca5b4d66802fc1e56e8755d57e_JC.exe	28
PID 2060 wrote to memory of 1368	2060	589c9cca5b4d66802fc1e56e8755d57e_JC.exe	28
PID 2060 wrote to memory of 1368	2060	589c9cca5b4d66802fc1e56e8755d57e_JC.exe	28
PID 2060 wrote to memory of 1368	2060	589c9cca5b4d66802fc1e56e8755d57e_JC.exe	28
PID 2060 wrote to memory of 1368	2060	589c9cca5b4d66802fc1e56e8755d57e_JC.exe	28
PID 2060 wrote to memory of 2372	2060	589c9cca5b4d66802fc1e56e8755d57e_JC.exe	29
PID 2060 wrote to memory of 2372	2060	589c9cca5b4d66802fc1e56e8755d57e_JC.exe	29
PID 2060 wrote to memory of 2372	2060	589c9cca5b4d66802fc1e56e8755d57e_JC.exe	29
PID 2060 wrote to memory of 2372	2060	589c9cca5b4d66802fc1e56e8755d57e_JC.exe	29
PID 1368 wrote to memory of 2004	1368	B4uEGJ9h4dhYD6k.exe	30
PID 1368 wrote to memory of 2004	1368	B4uEGJ9h4dhYD6k.exe	30
PID 1368 wrote to memory of 2004	1368	B4uEGJ9h4dhYD6k.exe	30
PID 1368 wrote to memory of 2004	1368	B4uEGJ9h4dhYD6k.exe	30
PID 1368 wrote to memory of 2004	1368	B4uEGJ9h4dhYD6k.exe	30
PID 1368 wrote to memory of 2004	1368	B4uEGJ9h4dhYD6k.exe	30
PID 1368 wrote to memory of 2004	1368	B4uEGJ9h4dhYD6k.exe	30
PID 2004 wrote to memory of 1432	2004	MicrosoftEdgeUpdate.exe	32
PID 2004 wrote to memory of 1432	2004	MicrosoftEdgeUpdate.exe	32
PID 2004 wrote to memory of 1432	2004	MicrosoftEdgeUpdate.exe	32
PID 2004 wrote to memory of 1432	2004	MicrosoftEdgeUpdate.exe	32
PID 2004 wrote to memory of 1432	2004	MicrosoftEdgeUpdate.exe	32
PID 2004 wrote to memory of 1432	2004	MicrosoftEdgeUpdate.exe	32
PID 2004 wrote to memory of 1432	2004	MicrosoftEdgeUpdate.exe	32
PID 2004 wrote to memory of 2884	2004	MicrosoftEdgeUpdate.exe	33
PID 2004 wrote to memory of 2884	2004	MicrosoftEdgeUpdate.exe	33
PID 2004 wrote to memory of 2884	2004	MicrosoftEdgeUpdate.exe	33
PID 2004 wrote to memory of 2884	2004	MicrosoftEdgeUpdate.exe	33
PID 2004 wrote to memory of 2884	2004	MicrosoftEdgeUpdate.exe	33
PID 2004 wrote to memory of 2884	2004	MicrosoftEdgeUpdate.exe	33
PID 2004 wrote to memory of 2884	2004	MicrosoftEdgeUpdate.exe	33
PID 2884 wrote to memory of 2888	2884	MicrosoftEdgeUpdate.exe	34
PID 2884 wrote to memory of 2888	2884	MicrosoftEdgeUpdate.exe	34
PID 2884 wrote to memory of 2888	2884	MicrosoftEdgeUpdate.exe	34
PID 2884 wrote to memory of 2888	2884	MicrosoftEdgeUpdate.exe	34
PID 2884 wrote to memory of 2136	2884	MicrosoftEdgeUpdate.exe	35
PID 2884 wrote to memory of 2136	2884	MicrosoftEdgeUpdate.exe	35
PID 2884 wrote to memory of 2136	2884	MicrosoftEdgeUpdate.exe	35
PID 2884 wrote to memory of 2136	2884	MicrosoftEdgeUpdate.exe	35
PID 2884 wrote to memory of 2316	2884	MicrosoftEdgeUpdate.exe	36
PID 2884 wrote to memory of 2316	2884	MicrosoftEdgeUpdate.exe	36
PID 2884 wrote to memory of 2316	2884	MicrosoftEdgeUpdate.exe	36
PID 2884 wrote to memory of 2316	2884	MicrosoftEdgeUpdate.exe	36
PID 2004 wrote to memory of 1640	2004	MicrosoftEdgeUpdate.exe	37
PID 2004 wrote to memory of 1640	2004	MicrosoftEdgeUpdate.exe	37
PID 2004 wrote to memory of 1640	2004	MicrosoftEdgeUpdate.exe	37
PID 2004 wrote to memory of 1640	2004	MicrosoftEdgeUpdate.exe	37
PID 2004 wrote to memory of 1640	2004	MicrosoftEdgeUpdate.exe	37
PID 2004 wrote to memory of 1640	2004	MicrosoftEdgeUpdate.exe	37
PID 2004 wrote to memory of 1640	2004	MicrosoftEdgeUpdate.exe	37
PID 2004 wrote to memory of 2200	2004	MicrosoftEdgeUpdate.exe	38
PID 2004 wrote to memory of 2200	2004	MicrosoftEdgeUpdate.exe	38
PID 2004 wrote to memory of 2200	2004	MicrosoftEdgeUpdate.exe	38
PID 2004 wrote to memory of 2200	2004	MicrosoftEdgeUpdate.exe	38
PID 2004 wrote to memory of 2200	2004	MicrosoftEdgeUpdate.exe	38
PID 2004 wrote to memory of 2200	2004	MicrosoftEdgeUpdate.exe	38
PID 2004 wrote to memory of 2200	2004	MicrosoftEdgeUpdate.exe	38
PID 2024 wrote to memory of 836	2024	MicrosoftEdgeUpdate.exe	40
PID 2024 wrote to memory of 836	2024	MicrosoftEdgeUpdate.exe	40
PID 2024 wrote to memory of 836	2024	MicrosoftEdgeUpdate.exe	40
PID 2024 wrote to memory of 836	2024	MicrosoftEdgeUpdate.exe	40
PID 2024 wrote to memory of 836	2024	MicrosoftEdgeUpdate.exe	40
PID 2024 wrote to memory of 836	2024	MicrosoftEdgeUpdate.exe	40

C:\Users\Admin\AppData\Local\Temp\589c9cca5b4d66802fc1e56e8755d57e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\589c9cca5b4d66802fc1e56e8755d57e_JC.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\B4uEGJ9h4dhYD6k.exe
  C:\Users\Admin\AppData\Local\Temp\B4uEGJ9h4dhYD6k.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
    3⤵
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Modifies registry class
      PID:1432
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.55\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.55\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2888
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.55\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.55\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2136
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.55\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.55\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2316
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjNDMDAzRDAtRjBDMi00REZBLUFEQzYtMjdCMjI1RkYxM0FFfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezdDNzhGMDQ3LThGMDUtNEZFNC05NjExLUMwNzIzQUIzNUQ0OH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSIyIiBkaXNrX3R5cGU9IjAiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjEiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3My41NSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMjA5ODA5MjAwMCIgaW5zdGFsbF90aW1lX21zPSIyMTk5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
      4⤵
      Executes dropped EXE
      Checks system information in the registry
      PID:1640
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource taggedmi /sessionid "{23C003D0-F0C2-4DFA-ADC6-27B225FF13AE}"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2200
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2372

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjNDMDAzRDAtRjBDMi00REZBLUFEQzYtMjdCMjI1RkYxM0FFfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezY0RDlFRUEyLTIxMDgtNDgyOS1BMEQzLTM3NDIyNjA4MDJERn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSIyIiBkaXNrX3R5cGU9IjAiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjEiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIG5leHR2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjMiIHN5c3RlbV91cHRpbWVfdGlja3M9IjIxMDMyNDAwMDAiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:836
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{54D38A2F-D73F-4003-9D4E-42B2C5A9796E}\MicrosoftEdge_X64_109.0.1518.140.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{54D38A2F-D73F-4003-9D4E-42B2C5A9796E}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2712
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{54D38A2F-D73F-4003-9D4E-42B2C5A9796E}\EDGEMITMP_24394.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{54D38A2F-D73F-4003-9D4E-42B2C5A9796E}\EDGEMITMP_24394.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{54D38A2F-D73F-4003-9D4E-42B2C5A9796E}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:2720
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjNDMDAzRDAtRjBDMi00REZBLUFEQzYtMjdCMjI1RkYxM0FFfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezIzQkE2OEY1LUU5NzgtNDUyRC1CMEI3LTZFQ0ZENkMxQzk0N30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSIyIiBkaXNrX3R5cGU9IjAiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjYuMS43NjAxLjAiIHNwPSJTZXJ2aWNlIFBhY2sgMSIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjEiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTA5LjAuMTUxOC4xNDAiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjI1NDIyMjQwMDAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIyNTQyMzgwMDAwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMjc5NjgxNjAwMCIgc291cmNlX3VybF9pbmRleD0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMGM0MDg0ZjMtMWJlZC00MjQ2LWI4ZWQtMjA2Y2NiZTYwZTNjP1AxPTE2OTU1NzQ5MjAmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9Y2RxSzZCb280RUpJdUNvNWVBYmJ1cFRUOThud1FveVglMmI0TG5ZJTJmVnhhcEFSMjdjN1lLOXdEcElUZjJIUmpIT3dxbldpNVprcGVUaXg3ZTFSUUIxcElRJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTQwNjk2MDA4IiB0b3RhbD0iMTQwNjk2MDA4IiBkb3dubG9hZF90aW1lX21zPSIyMTQwNCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjI3OTY5NzIwMDAiIHNvdXJjZV91cmxfaW5kZXg9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIyODEyNTcyMDAwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NjA5IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIzMDM5NzA4MDAwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iNTcxMCIgZG93bmxvYWRfdGltZV9tcz0iMjU0NTkiIGRvd25sb2FkZWQ9IjE0MDY5NjAwOCIgdG90YWw9IjE0MDY5NjAwOCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iMjI3MTQiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Checks system information in the registry
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\109.0.1518.140\MicrosoftEdge_X64_109.0.1518.140.exe

Filesize
134.2MB

MD5
2351a10f63322e5c3ee8f44f4d0d6bba

SHA1
64012bc2d19c899c466b473f1984800870ec2fda

SHA256
70d496873a0a1ca14ae0a038d25856b2121b1b4b7bad9801ce639b144bac41f8

SHA512
692c0c9b9ed5bc8aaf0c751b9faf60729af79365781b51237e8dd57b57c49459d83dc2c44b093bca4092519d4c9ae712dab8073a7fe63245e405f17164b3c1d2

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
d7dec1752172a55a855da132e6b685cb

SHA1
ece34bdfee10b09c62fa52c205a47594e024eafe

SHA256
5dfc43333a2360ad916f67bf783d8260a32d811a738b3d2e58427b1b384ff9a3

SHA512
aff3de4e68f4266389d8ff58186bb2b7deef4cf09c05150fd7bef851685b25bff718c803cf19c32db1bd23e2f6ae5396f4d7611bd06f84c158e43b7600367e44

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\Installer\msedge_7z.data

Filesize
3KB

MD5
bd70ed26e6e6f3193043ac09c58c6a1c

SHA1
d733a65e17f2851d5116598dd80533efc1656468

SHA256
7a474217d20b9a6fe3c3a46c0d6d5b2d2040fa790663f6da9202ee7cb07bb448

SHA512
3e2ecade6d687b0736d5eafd7527b24095b9c51f0c8ba99398b23da2d8843c49fc8c1fa37190d385b504d8224c8c517d78d44ae32e10e45d54b19477a6970756

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source2720_1253472600\109.0.1518.140\Installer\setup.exe

Filesize
3.8MB

MD5
3a92a61a6e01c80ecc7d9499abb901b7

SHA1
d89d05802d937f9c71ced14282b8a19623fca7c8

SHA256
b70b2ed82c7afde8003983992b74f8182f55080b43da3d96dd29e8c0c7e8b47e

SHA512
3867efbd984ddd1eec084c70a42104cbc0057c3bed222af8963051779b612b46bf4cea3311452f6564513d7558d49a1e66a9473ad53f1b2fb4c43a9d7d0fb47d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
179KB

MD5
2ea2a38eeec085cccce81efcf0aaa935

SHA1
e34877d621190761a044dad1a0cb3156aeded718

SHA256
c4392d342e0957aec69ea4cf61ee529ca33184f64682e6dff13908197e47de1d

SHA512
8d79a1a4933401ab9ad1bc39bec808cb95d4295e3755f4696fe0aeec46c6c5fb936a35c3e666d0e0bbe1b2f22a0a521c0c309658bb5563353d0b51065ec18676

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
d7dec1752172a55a855da132e6b685cb

SHA1
ece34bdfee10b09c62fa52c205a47594e024eafe

SHA256
5dfc43333a2360ad916f67bf783d8260a32d811a738b3d2e58427b1b384ff9a3

SHA512
aff3de4e68f4266389d8ff58186bb2b7deef4cf09c05150fd7bef851685b25bff718c803cf19c32db1bd23e2f6ae5396f4d7611bd06f84c158e43b7600367e44

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
d7dec1752172a55a855da132e6b685cb

SHA1
ece34bdfee10b09c62fa52c205a47594e024eafe

SHA256
5dfc43333a2360ad916f67bf783d8260a32d811a738b3d2e58427b1b384ff9a3

SHA512
aff3de4e68f4266389d8ff58186bb2b7deef4cf09c05150fd7bef851685b25bff718c803cf19c32db1bd23e2f6ae5396f4d7611bd06f84c158e43b7600367e44

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
212KB

MD5
43935be0f50ff815501a998039e29e08

SHA1
01005e0fe4225bd30877f3ad5768b4450e0f6ff8

SHA256
a7081bd1b6f55f357cb75f5174555081dcd4c207ccc954f53fd97776a36bf099

SHA512
6a023a7a2e1405e2bb833adbe28270822258ab4d099f9e732c287c50c412f596241468fbc462a88f62be1927f71944ea7d67e328fb5ce146f6def334b69c10fd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
257KB

MD5
2c3e39662f0133a970c2766190e4f84a

SHA1
341294810d14e19310907ef8e763bc7b70b256b4

SHA256
1d87553f4872e1dd46856eb492c06b280e57019f06609257cbe18226309d9264

SHA512
c046d10b70175022486a9ee66ced9e41ba0a6a1ccc0983b6cef7a3ddadacf73d158ad351721304f5e164a8a37f27c0a0a6a9d772ebfeb3962be3837864547552

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
fa3ab8067d5ca8429d04c00d2640a654

SHA1
b4425dc963b9852e2633a212166af5c2bfc77083

SHA256
35e5dc8c698a118017ef4fbc81fb78215b940450e1c5090429483e78ed51d8ac

SHA512
70057b38f5e322de634c4e5103e65b38f74947da3aecb12202de155d843863840915a1464a0b269bf6abf02a9f750f2301b3b5c9a4d76581529784ee02d3e90e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_af.dll

Filesize
28KB

MD5
81d6a33130e4fa2c86b2ec316f226841

SHA1
e5cf892441e309eddfc175dc9395fcda53b79621

SHA256
d3b9b0e80a280171fcf098a5107ce3edb115254cb772c35a65a3106d56a50877

SHA512
806ba7d03d5b97c80c0f75a8807f08b7d705514e983a9db1b54b9fbca2b49b093e72c495718b72bb5801dde7ea0d834f4925bfff28d19910b29d608375dea818

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
a18f339faae3bad25394616307c7ce24

SHA1
43e4068c28f7e149d535448fc475685bda1a5edf

SHA256
2f0226e30a3b42a9d95a66a6ee657cf105b54e0c40508ed092b37a3f0a751900

SHA512
ac283d3fe01cb1c543ae0c552eb424f99fba4c38ad3ef05e27b47675e87741feba45b6a1b98d38b4cde07f07543a76edc0d660881bbe10136fb220613684ae33

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
8bcbb5d977876390837f3b5500bff0f9

SHA1
a00df822029124ec66ea4c9ee9a3c724468060b2

SHA256
d4c0efaa9d3596f0748e6b85e03377fe1e54f58494d61d61e579f6993f168e80

SHA512
ee0a08196643e9af16854895cfd22d4436845af8b50224e0140a5706b793e81b77c52bb78480f882fa2a7dd464b1658f04de4ef72de1ede972b389acb9bfd4bd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_as.dll

Filesize
28KB

MD5
60ea52dd241013ef388242999ba8f73f

SHA1
9b6d9d1119a656ecb24f12a17168626578956f99

SHA256
65cdf58c7aaa4911861b481b59c7b6596ebb6da6d3f23a7576263e73f64974cb

SHA512
206a213f6e2bfe7ff811a154e678928a740122c8ff4ba8a790f55bec6d0f69e360aed5dd814f01262bef34b1eb49d2de437963440a0a6fd63a82ba00490f9159

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
0754270c9c4b32b7bafdb2df30ff6770

SHA1
e7cf7ae4e7db85b266654bf8de356628922f9def

SHA256
3736071c6a94c9d1764db33916ff07a8f825f4ba23f5adaf583c1883dbb4d6e8

SHA512
adb3138f94e3aae97cbfea515c87182d4ce034d9fa63eb95f6e75a2ba5ecacb6886126654400def7eea80261ff5e7dca805149fe3e21d1333d311d9b05f4f2dc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
c494e91e4029ae95107c58699e3a3c51

SHA1
143ab229b4fcd1974f7847621e2dfb6b1e29eb3b

SHA256
0949f07de7c1bc5f5df5f45040457db5a65280439f6d71bd62f38f2c8f4272fe

SHA512
9f7842fe54225a48134ef9568a7edd31402cb6f3f75c50af44f17499a4a0673786c4178f7c6551bba8b014c8e6d98154bb0598fad76acc2fa9ff34566371a247

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
cd5059c506bf4492a036f36175e549dc

SHA1
6228dc08ec0247d675988d18923a026348f43620

SHA256
f9a5d9590f4a578cabb8e5e64294c1d6eb0df562ae9949dea7920e70c170b60e

SHA512
16b41e15fba70dba375005fbb1bc7bad52cd88dc171519dc45431601207dd8a6087406a58cb875a50d6e530f31446b4f8cf73430dfce5fba1a1f4c89e6e8d6c2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
5e6febda95cfb0044ce6c7e5e2fc5758

SHA1
128fa8e990b105bb6015e4b8d6af319c1f0c42af

SHA256
f5f5302d1e5be4c91789fc3b546dd43b474ea9ccfd9ab6c40530fc11ecc22fea

SHA512
777734c3acd9369ee89f5eb2c3fa3ee2ade636b5742ddf64545dd801331b5ea08ac6e9b3a59ab1344ccfc0c8cf65a150530680e8668170c60538e88940315dac

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_bs.dll

Filesize
28KB

MD5
8f745e814b45a68742cbe73625040c5b

SHA1
adc05f35f0f0828a8b234ce00db344b889c45582

SHA256
2319ed5cb50ab53e1ae160c79e7374f9d42c6dd39c16d64e5905ed7e2d202f24

SHA512
e3d78a03373d3d66c86e3e190bccb95139d3b71e3b5e647d18a4d0c606b901c16bf9d13135fa97ca2c9f04dc4724c97c2623425fbc121f7b5929681afcb54eec

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
29KB

MD5
2b382cab295db6395a544baa607fe9c4

SHA1
a52192873d1ff318603acbcee3f6d33155517885

SHA256
88c3e2b075934f4f0cc1f2c7204a27ac12989756f6cc91146179f33bb5d81f9e

SHA512
14439905ffac71692a150072631d5506e11796c21fad049e851a41d822f3f4a7980cffdb7a28940a365e92321866ab6d00a62c955cf689c29320aff08a11db8c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
f0f002f841d7d73b660a75bf5103a051

SHA1
226cbe3a412329b65aae13cd7ee7073d4e1e2ba2

SHA256
05b62e8cbca0349981768c06d27a4e0c2af1d6c58b06240afecf294f22df7855

SHA512
346a1b09be2d7840728619125eb78796bd153612db6d5250a1f22929257d04b1c34b9be7a447be056e5e41ecafa98211d0a8a73753c1567dcdda067566942cbd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
4bbc1b54e60189cd5c48f2cb34e89831

SHA1
b062321f19a04a44a86d68b0e4500fc3dc750509

SHA256
06cafa5a81188e84c05af1f3f20c9d078f3f8211b5cbd7bfd06f6d6f9b352343

SHA512
91a80bca894c542aaa9b8c91225430e74e1c69a50e91ead2d7ceb9d4d54c1fb141a1a4f7d9d2f0f7537cd7162bd476bedcc4ec9669f2ab5213f86286e59dfbcc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
2669c3688d39fe32aaa1541f0fb41753

SHA1
b0462a961a3ff187f6830b2b00cf8884965f0cd4

SHA256
44a1db59ea7b0bb2b41983b972d8ccfa55eabda00c2f27596dc35e9b1bcc3c9d

SHA512
e4547b4637aec827f59cb024d43746706f4014fd9c7cce6b0c59e4164c5e10bdc5263a5b2d1422fc5c2a40b565da27d317abf77d042b1de2b887dd9885d79d53

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_da.dll

Filesize
28KB

MD5
55e7ed56fdad7015fadacc95f502d696

SHA1
7c92656547f16770de04b4c9f5f32e95f0b0925f

SHA256
a430dffa688ca050b542d35ed190074c0ff9050a89cfbf5b28b6ff8b41edfc6c

SHA512
cf1b0dcc4e201268ebb5443c54811a3837435877ff3764eb46f3f9456f59e93fe5a2d3b92ba94b9d9619eabef6e108fdbee715277a1ff665c95866d6b6a7fe5b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_de.dll

Filesize
30KB

MD5
a5747bb9fd358e3925184bc24ecfe639

SHA1
eed4d1d7581e096d6fe2a5e619b3ca83ba3b644a

SHA256
505596d1070d3f12ccc52fa02ff861d934f021e373d816fe39ae5e81029dd90c

SHA512
aa3da1a3552b92e803025ad422ddf077ff95706b9a04cc6e1bb7f21800e6a94a446d1a19dc477aa56e06bb6cf31fa6f480b5d54e6749dc311fde85f6a25222da

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_el.dll

Filesize
30KB

MD5
d63527a48a9a0a065380183a2b5ccf11

SHA1
fd54c529d09ab469dc92019b2989e89a9eda6450

SHA256
acefebba31f473bf7f1b81616f11072047c85ad732231bb29daa44052a89e58c

SHA512
9a8aa9387c57806a7fb32a1a1e1d22d62b7f735341ddfe8dda5bdc915a18be2d932c55e9dc78cefe53e173e0d0d2a8641e3f223fcbd188646291013f37dcb012

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
2e95efe88a47b3d059b8fdb76afa07eb

SHA1
189972422c8332704f3306a4bc6d957b4566e971

SHA256
7639bf73bbbbd333ba569a02ccf91c6e14fcb70e61d0dc5e0c2dba06d6ac9e44

SHA512
c2f23726752a292bc5a6f7fd54470bda1117bd31f21bfaefae94c8720f2f89ed32df50a5bd1fab93972927fc04f3f1abd3964506942e0413dc5ee9db5def10e5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
6fb527f8b56ae008dc5d26df9861a0c8

SHA1
8e4b97b29a2adb0ca5c43f4f152cb8ea5de8e0c2

SHA256
ffeb20f1ab5fecdfc965d543466a8ef6e5798477d429f01be5bf119aaf88e6ed

SHA512
a9747c5981e7440eb5d232fd1112b7e2f00fab83d02ee27f36125825cf5cf9aeeca7376e79c2a8ad646ff6c8c74d32b15dcc2d3138bfc61a2bbda2e150c2261e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
a98aa1c883edca985f7ba5e74e875ceb

SHA1
451a1db9c0910c2d5b582d695282556ac9f6ea41

SHA256
e802d53b03ccf3f98cb138e0015fcd6092ac85837872176edf80cfdad97f61c3

SHA512
bdc2a4512f3e60fd57b4eded935a4b6a64073c7818e25f4f6324420cee9f112d27d53ed9b6a79a8c9c9f2548e091b303a5a4e1a412b2d724d976bfa000ade5c2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_es.dll

Filesize
28KB

MD5
e092380f29d079cd661f4aaf366cc9b6

SHA1
ffc5895ec6474af17cd649ed65a03870e71832fc

SHA256
a88166522bd981a3be76617f444284c74d8631cb767413288947a1fac1c78871

SHA512
2db85ef403005fa9f0a25a369895d7386c6076fcc9fa6994f408824cbed1ad4330d14163aaad26f5a066e21caaf25f6dfde74afd509b51ca44c6ed15bee2baae

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
933f494bb5413d9ad7b45d7f504e34de

SHA1
ea54c003a07119c9a44fcd86c2670a0af7703155

SHA256
6bff7b9527c6e666cacb1a1fc2241c5ad81f813b8733a70b1ceeede21cd4d9d4

SHA512
a31aab226ed0c12ba55c9bf5f00b15970680b8b296820cd76eb54d46d86758a15441518f5b5926c2af05c25dc9171bf8b974808d79483dfb1031836bc34fa002

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_eu.dll

Filesize
28KB

MD5
e2999c0869b92ce59e001c2ac1f6c76e

SHA1
2ebe6a4ffdf72bbb52e59c202d5edeb41fbba149

SHA256
ac2dada274606cb0b8407f8d168451b31ec27176d21cc65f4b359bc1fe410ec8

SHA512
b28fde14c38f8a3accc50e5ee3821aa514988e743a428172aeaa649e9e8ffce85788bd0382199cdcce6002985c2533c1fa5e698725d6412f7b1c0d50e8be170d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_fa.dll

Filesize
27KB

MD5
a23ccfff79196364e7850335d45f8f31

SHA1
f4d144e540050e16118917693438c66061db37ad

SHA256
8967f05d23e744aa5e14780b7d64b483fe6d7559f1a19ee1f38131dac965506b

SHA512
aa68a9132b1e728e471def518632fc9745219a36ccd0cadfa0da9df1327046e45dbd4f5680e49cb36e547ec6a0cfba6643422a2520c1d8bf703a0469c2e638fd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
7044aec0a70ca261aeeaf523a79b9aef

SHA1
bc25b30b87f04f9b675437776826b61a17465f06

SHA256
db1cad4f42af0bf1b7c204ff8b938352d39c64f796539dedb175f2503701697d

SHA512
3e53d4353f76bd8e16a661e6c111fba03544c1868900831978cafef7c51b8627ecb5862637d8e3332758c1a17d38f33632ce01e4243e638902a322263dfe4d4a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
e4d75b4ce7e4249b1b90ec1ed3af4bd1

SHA1
1eb88320d7567650baa7f8119d9b18d4fda851ba

SHA256
b42a515f900f9cf9f18043500e4b2f1cfe7e4a2ff1eb3ddc6609d061c0726a41

SHA512
8fb362f3ac9edf063da885462cbd6f62eff541606d4099d68fe4c0d3be8990781433ce7dce767639669006a1ae3e39b9f7331212036f693477fdbafa92e33777

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_fr-CA.dll

Filesize
30KB

MD5
b7d40faa429447578b62996855775252

SHA1
c446eda92827687fa095f3fa7af2fb30d7d80122

SHA256
e50541c6311d7342e4d780b2bd226ad66e76fb7a422eacda0e09aad811896162

SHA512
c2e7df6cbaf98960486d60e7a74037d1224b78b5430fc7ddc31d4e77be8efbbedb34b96b81992c49f5c4834c7a745fe42001c4ac46976be4bb40120fe566f942

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
b1724ec1b84d12e733b960e6299b5c33

SHA1
51592505168ba39f379f529021c0cf1c4adb6e06

SHA256
79f74730a0d66c31f5fee85db9e306f6644c830040ba6b81f269178f3310c014

SHA512
4d9cc1f2778d1137677752504cf65bb38256c613b0619a09f511911e92b904fcf706a9849149653c2a749ca254b06af8e22eeeb6b779c916d9b7719836e4250c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_ga.dll

Filesize
28KB

MD5
935147c5e318c7ce3459a979853e1f8e

SHA1
e1876f74259337e1f90a45aa030d766f7cd2de40

SHA256
8bd651f282c9079c2c141ea0c3896c86d75d16bcc1e98d071abac522e13e4dbd

SHA512
259fae894b2ab9ab32d5a313cc321f8e9da645763d4a638f1252846889326e1b78ad02df9b8ad1e9ab49b72ea6db806e8dc995f9e9f64b7cbfceefb315b578b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_gd.dll

Filesize
30KB

MD5
9b3532879ae184a6081956b51492d83f

SHA1
a89c76dce262989a41389ac6e6485ecbaaa53d93

SHA256
ac114b5ed44178f63949ff0458487b40a7b61be8e29127fdcc52aceb2da2df32

SHA512
43bf2d543495c164e4b124e653906e7ba8f4d432431fb970c5d302531d1f229ee238fd80b929bf0d07661b22a4f968619bcc573f943e5e30a754b01fdfa38f03

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_gl.dll

Filesize
28KB

MD5
404c1df88f57990945b19dcbd8cd3c26

SHA1
de187f3209d703a95a66ba17ee9fe6b2254feb31

SHA256
80fc8941044fc46907c481235470077cfc49ad5b331cde193da7c68a1e83c4d2

SHA512
d0f40c7db9888543a4a24635d8ada603ab73c6f818719ad22ae7357cfc4af4f73731febf329efb69148d4c06547054b8028afe2e1771f318d5c7ba5b0bd72460

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_gu.dll

Filesize
28KB

MD5
3610daa3d09ea7d57c80c425555b1a37

SHA1
400ed7c58fc33b3b29431840fe9a25cee3e09bc9

SHA256
cc27a1d1d7d95044bd66716a473ddd0aec3e7894d582dd87eaab650f17e096ad

SHA512
1c2713ac698e00907c633ba71f890af73e3320cf8ce675a29d385fd5c59d2084b5d5b0acaf5566cd57a3b917d62d739d5b65ddc3375f32087334e414719b1118

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_hi.dll

Filesize
28KB

MD5
d45546a5b6f4c34004c134c155a10630

SHA1
1d81c2e7d7a9517ad0aa87ad1f3c91fa4916c4b3

SHA256
be190f32658d003797912437e9e0a5ca33a866dad76ba355b184786e8a895810

SHA512
aa9830f5cd7eb28c0c35bfc112129237fa0ee38a2d244833fb30be638ba9f555005b6e757ddb8187751a3d9531218411393b9061ff801506fa1ce532e8823b4f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_hr.dll

Filesize
29KB

MD5
d66ae10cdb163d742b68951715a3c1d0

SHA1
10d11768d44ea3ab1a487624700acf4ea9a004e6

SHA256
a3ffd4440f988c77e3946f5fabd2bb042c8d9453843bb8cfe9cceb49993a86dc

SHA512
a2383bdf9c95320f91c3a5d2fd18977160ec0412ad2849aa996981c190e6d215c2bfb5c04b1283d0ff043f4c8b1a5a8bc3c3894bc3f6042145f69b4aebf4a186

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_hu.dll

Filesize
29KB

MD5
1d5faceb0528b1db843d434f09a84c7d

SHA1
face290bbed2b1c87fe550e0b92e5199c6a2c3db

SHA256
b9b38d08d8f8deac80160861c7a791b15fc3c896a3faacd9cc6dad90e6f54f3d

SHA512
eeb117098ddf1004e5d3946ebd46a6d4ba56ae64750bacb1ca8c3d4a46119d51a8c19282089c500763f3bd3960a04ce520ea2386da8b21fbb1ba6e9ab4b8ec32

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_id.dll

Filesize
27KB

MD5
929dacb042451c666412573020cdef32

SHA1
40d439470e3406c75ef66d79bf67fa2d79363343

SHA256
d4a2729198562158253bc987abc189fac03dc1a53c60c903318f21eac4892ba6

SHA512
53f14b8f9237a618ddaad920e019e923b64795fb359dad3a8d63bdf61fca84d23aa07e0f02bc559c277838daddaccd5e10483decb0a6800cbafcf69ed8659529

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_is.dll

Filesize
28KB

MD5
ffe4d317e7af1a63d82f4ef956f09430

SHA1
f3460f60ac91b2a17a330283e244bb258ebb9472

SHA256
14ad84c1b224bddb0f27a836ad3a6bf08bb6418ed8c886c3270e7d5f15e0ebb9

SHA512
f2713169ae552f395526c6a7b164ca94916b6b5a55b9a78ce31cee224d16ee6a332abe8fcfcf181057158f0e868c73f0ae34af050068052ec32b650bba5a5f53

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_it.dll

Filesize
30KB

MD5
19712c70834e8ae1714980f9a8d023bb

SHA1
4b5501e91e18176bfddc58d112f854a5d592a02c

SHA256
9ab32fbc6230afae8a403817634198f5311f42c55734e0e3e37d728e179090dd

SHA512
1d7f9c961f047c00e73d1d29e12e60135c393876c52f4e08d052b71977ea54ee8fbe82939d9bc4bdeec68318d1d5b4a7611c87a41aae591721862609de301503

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_iw.dll

Filesize
25KB

MD5
8ef584e67c9c6fa8323f2f3ba7671ef8

SHA1
962814cf434780a66be65afd1e7e598ffef5dc30

SHA256
37b6ab76a005b73c7e45866aab38b615e496e28cb685066d0c424012580c475f

SHA512
189a1125606ab5b40dfbbd98e1796a18b541caa6e2f48582c196adae518fdd21f918a3c82d7f4503d3e340eef56ca8461497e2c923bc6b583753b00896b39f91

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_ja.dll

Filesize
24KB

MD5
03a2240625a4e08bcd76dc1dcd279aee

SHA1
f3cd257fdeb920504a405363731bd57006d15853

SHA256
801abe8ac7a89939df5c61d06b489e715d61303f01330daafcc5f461cbe81858

SHA512
355d6968c862a633fb6c820b5ddbfb42d8974b28b3afc48be3e2198c96d05c1f3f35d4a6fc57a3db3b3035d031250bfcb960c357dc8e52e8b2ad280c52c1f2b0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_ka.dll

Filesize
29KB

MD5
ebf1d2c3cdbb4af1ba54c6fcf1cad0d2

SHA1
04bc0339b5626231dbd88c7d48ff183b0e824bac

SHA256
ba0949d350d20b597e005463b37e7fd35c16775bdd14e098bc118b3f939d2566

SHA512
a3e9543421ba238a8f59bfada248aa8cd222eee03f15ddde5c1bce9231ded44710bf7d77c6ebcae23d404f4ae265d1584db34486feb7e0c11518998a5d2ea44a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_kk.dll

Filesize
28KB

MD5
a624c4cc5d63666a0140ed799317c6da

SHA1
f2a244374a12183be3c39816698bfea921cbb549

SHA256
3b531c74c3aab880f75e05f5c41c97e6cb680b4ee7d8eb25e4f732307265efe1

SHA512
df09bd953d8a05025657f407b160b4336c068c49dabb86f1ace3b3c4410943f0505af5973d2cc63b2b61dea91a69b082eed871a2b7f3b7d0f92806b227b3a033

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_km.dll

Filesize
27KB

MD5
1b10f804af3b3a929a4c425d30a0e237

SHA1
c9b9bdb361f5f1ec1c9f22503ccd442a5807c678

SHA256
b3f80704a723c952e8a7f729617e8c037dabac7f012762e43843f92aefa73fa3

SHA512
5c81bed1f44f9ff9d56d336ec4762c47fbeb9215d71c3d992c0fb28690894541cbc7eacdcfd685ae40c6cc12e7070a309283f57e5007a62fb0885c5f58dafd23

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_kn.dll

Filesize
29KB

MD5
c020f0ed0051d87c1a2834e08faf726b

SHA1
8c95342539a8ab521f42e916db56387f4ec09c13

SHA256
c7b7e5a005d7f136453b6deb7835e0a10bca432eeabb6041d8f83c08dfac7115

SHA512
dde0952b327d4e9d5d8f46fd1864be21706b24201b3eeff74a08cc8d504335c93fc5756ddb228e2c48b3a72b9d503a18a3d0125e9247d7de90fe219c2d073cc9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_ko.dll

Filesize
23KB

MD5
437c8f54209c532ee9a27b61da989a57

SHA1
b2ec1c2ffdc31f55dc1385904cc3895dbc784b6a

SHA256
37803be34ca3dc367062e26f1d8be83f9638795f98566b9bc951ce3727993292

SHA512
d94413e861c6e7eef8e6074a88eec0b63690e2a362ef3966fd30b6e8d736d3c4e0d06bff4593908381572a530e3108fa61ef02650945919f3c22600dc9092d65

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_kok.dll

Filesize
28KB

MD5
37cc3fef64c4810b7987c93b1995754c

SHA1
2fd33ee7932b5d25c329b540beda16777fe231dd

SHA256
a7f763c4e5bb45cf28775df2a613085d8d6056e2fa08232b49d38470c2ef7af2

SHA512
7040b94ab901f1afce1ec094309101aa4ab4367974330faa325c0ad2c9c873148683c091460eaea1dfbf1cc8d42139017611b19a04be52502b56519c7803f877

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_lb.dll

Filesize
30KB

MD5
38064b818562fcc9c38f596b9fa3d97f

SHA1
48dc9db3ba59c362fb057440d955c67a7f7f6109

SHA256
55cb68efde9f4f79f28c7c224e60032b2143ced785cc7f5b162e0f12bf20a1f2

SHA512
da92718162cdb9b41a5b1a5dd63fa4e95ae9b311373dd756f4d062717be8aca3ca1cd6ec85065fc9797d72132f9dd70120060d662ff5e4e1fa30f678461fe362

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_lo.dll

Filesize
27KB

MD5
85b1e636a379401c8342de61009d8948

SHA1
87cd18a539add1d9906b172d078f073f7902f70b

SHA256
5c78d6fd0b17d8ed5bcc3c584c38b84099ab6fb175b04f33dc6ff60434f52494

SHA512
1551ac0441e433bb8471c434c1ccf23238fd187fb6d0db71453d4ec598b5b75f293a03f2306cb1ca50786d7922e7069da9560e7ddd3409ab50d4a55284181210

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
14KB

MD5
af9d238a13bc579d2dbee591b6abe2d7

SHA1
5478082a99c6b6edef2afa736992b6a956c6d66e

SHA256
f0de6b679ce4065132e33e01eac5b7d8bccb393663960bcae8a78a86d7b64e7d

SHA512
2a1c7b7a71f0cdf867ffdfeafbfe758538ecf7c426c24bf49d72aaf86c1f1d356c2932a9cfdb34c17b881fd12bacd54db0130d3feb876dc859f5f0d7a17e8f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4uEGJ9h4dhYD6k.exe

Filesize
1.5MB

MD5
85a1ffbba981e63dd419ec1020b23c47

SHA1
d63c3d196cef714f9335c6162283650f4ed959c4

SHA256
ed544bb542723f729e9873f37f9ae440a57136d0c429d47f83ff494164ef42d9

SHA512
9ff1384bca61a0997d0807cec22a94ba41df4b5103c9d9c2718c564e1ca95f67d6e89b81114b915591c8fa9bedbfe2439533120c8d5a9fbf059fa7a7cb324312

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4uEGJ9h4dhYD6k.exe

Filesize
1.5MB

MD5
85a1ffbba981e63dd419ec1020b23c47

SHA1
d63c3d196cef714f9335c6162283650f4ed959c4

SHA256
ed544bb542723f729e9873f37f9ae440a57136d0c429d47f83ff494164ef42d9

SHA512
9ff1384bca61a0997d0807cec22a94ba41df4b5103c9d9c2718c564e1ca95f67d6e89b81114b915591c8fa9bedbfe2439533120c8d5a9fbf059fa7a7cb324312

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab50FF.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5141.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f53a5c9ca2e3837485afaba90a4cd7e2

SHA1
5b02231c979d9af0990294094113aca1de3fb8b4

SHA256
479450abbbb7bded1c00cceb20497fc90f6156325b86401505b50739075a63ba

SHA512
4c0c8ec807e458f5fe9407796307d43ae109047a133d08ef3ce86b726646749dcce6802a85a9a3186c9837afd1e8b0d040f74d6034865a1e2a62f28c4e8e3c78

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f53a5c9ca2e3837485afaba90a4cd7e2

SHA1
5b02231c979d9af0990294094113aca1de3fb8b4

SHA256
479450abbbb7bded1c00cceb20497fc90f6156325b86401505b50739075a63ba

SHA512
4c0c8ec807e458f5fe9407796307d43ae109047a133d08ef3ce86b726646749dcce6802a85a9a3186c9837afd1e8b0d040f74d6034865a1e2a62f28c4e8e3c78

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
f53a5c9ca2e3837485afaba90a4cd7e2

SHA1
5b02231c979d9af0990294094113aca1de3fb8b4

SHA256
479450abbbb7bded1c00cceb20497fc90f6156325b86401505b50739075a63ba

SHA512
4c0c8ec807e458f5fe9407796307d43ae109047a133d08ef3ce86b726646749dcce6802a85a9a3186c9837afd1e8b0d040f74d6034865a1e2a62f28c4e8e3c78

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
d7f1a28652610d9a0dcfc46e8ace6278

SHA1
848fb45674a663678dbe78368c4dc1cf7865f695

SHA256
b5e7a970b921867e15d0de4be81a31ba60df48506dad50beef11d2c9df947096

SHA512
d34488ed986cd6ea6cb505ee06d8f7d6bd99758e7fd9081f7c40075cb309e5f334a06442fce4c8ec4fc5467aa8123155d95503cfecd00afc2600100a98fc400e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
993a8eb0be7f9a46e4c9cd348357f1c1

SHA1
c909639923ca7ae3624c3ff382d5d691358d437b

SHA256
dc56f819860922590a578623dd2e49d4c104a187e80a96a6ddfd5c35d353dd83

SHA512
d8f69cad788ee65b3ea0ebca601eca627936aaad1efcf0386a765b8a618814013589a0097e83e275a9548eee0b6b2a913d841e534a5f146d9102100433439ddc

Download Submit
\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
d7dec1752172a55a855da132e6b685cb

SHA1
ece34bdfee10b09c62fa52c205a47594e024eafe

SHA256
5dfc43333a2360ad916f67bf783d8260a32d811a738b3d2e58427b1b384ff9a3

SHA512
aff3de4e68f4266389d8ff58186bb2b7deef4cf09c05150fd7bef851685b25bff718c803cf19c32db1bd23e2f6ae5396f4d7611bd06f84c158e43b7600367e44

Download Submit
\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
fa3ab8067d5ca8429d04c00d2640a654

SHA1
b4425dc963b9852e2633a212166af5c2bfc77083

SHA256
35e5dc8c698a118017ef4fbc81fb78215b940450e1c5090429483e78ed51d8ac

SHA512
70057b38f5e322de634c4e5103e65b38f74947da3aecb12202de155d843863840915a1464a0b269bf6abf02a9f750f2301b3b5c9a4d76581529784ee02d3e90e

Download Submit
\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
6fb527f8b56ae008dc5d26df9861a0c8

SHA1
8e4b97b29a2adb0ca5c43f4f152cb8ea5de8e0c2

SHA256
ffeb20f1ab5fecdfc965d543466a8ef6e5798477d429f01be5bf119aaf88e6ed

SHA512
a9747c5981e7440eb5d232fd1112b7e2f00fab83d02ee27f36125825cf5cf9aeeca7376e79c2a8ad646ff6c8c74d32b15dcc2d3138bfc61a2bbda2e150c2261e

Download Submit
\Program Files (x86)\Microsoft\Temp\EU3A42.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
6fb527f8b56ae008dc5d26df9861a0c8

SHA1
8e4b97b29a2adb0ca5c43f4f152cb8ea5de8e0c2

SHA256
ffeb20f1ab5fecdfc965d543466a8ef6e5798477d429f01be5bf119aaf88e6ed

SHA512
a9747c5981e7440eb5d232fd1112b7e2f00fab83d02ee27f36125825cf5cf9aeeca7376e79c2a8ad646ff6c8c74d32b15dcc2d3138bfc61a2bbda2e150c2261e

Download Submit
\Users\Admin\AppData\Local\Temp\B4uEGJ9h4dhYD6k.exe

Filesize
1.5MB

MD5
85a1ffbba981e63dd419ec1020b23c47

SHA1
d63c3d196cef714f9335c6162283650f4ed959c4

SHA256
ed544bb542723f729e9873f37f9ae440a57136d0c429d47f83ff494164ef42d9

SHA512
9ff1384bca61a0997d0807cec22a94ba41df4b5103c9d9c2718c564e1ca95f67d6e89b81114b915591c8fa9bedbfe2439533120c8d5a9fbf059fa7a7cb324312

Download Submit
memory/2004-463-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2004-127-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2200-518-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2200-198-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download