52af9190a47efe33841c5619beb09f9731ed764145ccc3ddc5f17eda1abb511b

Analysis

max time kernel
165s
max time network
166s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
22-05-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hatt-windows-amd64-installer.exe
Size

9.7MB
MD5

88eb2a71ea0e2234dd7a2985edecadce
SHA1

2d9fa6604e2c9166c7e8bf18bf316b059c4a7096
SHA256

52af9190a47efe33841c5619beb09f9731ed764145ccc3ddc5f17eda1abb511b
SHA512

01cd4207636c11b5b493ebb56cd2da853f571e6349673df6b1ee3439ba1f8712bce2666b8e0d06b592b0a209f343e5edc85f9fc21f04048256b349c9d2ae86ea
SSDEEP

196608:IB70yAyMGYJ3CDJUyAk7yr+pf89fVImke/J8W1owOy/o2rMNfq:ICOfJV5pfINl/J8W1oTF2mfq

Score

8^/10

discovery evasion persistence trojan

Malware Config

Signatures

Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Executes dropped EXE 23 IoCs

Processes:

hatt.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_125.0.2535.51.exesetup.exesetup.exeMicrosoftEdgeUpdate.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exe

pid	process
4924	hatt.exe
248	MicrosoftEdgeWebview2Setup.exe
2152	MicrosoftEdgeUpdate.exe
1300	MicrosoftEdgeUpdate.exe
792	MicrosoftEdgeUpdate.exe
2340	MicrosoftEdgeUpdateComRegisterShell64.exe
3896	MicrosoftEdgeUpdateComRegisterShell64.exe
808	MicrosoftEdgeUpdateComRegisterShell64.exe
4736	MicrosoftEdgeUpdate.exe
5048	MicrosoftEdgeUpdate.exe
1472	MicrosoftEdgeUpdate.exe
3392	MicrosoftEdgeUpdate.exe
228	MicrosoftEdge_X64_125.0.2535.51.exe
3564	setup.exe
892	setup.exe
2456	MicrosoftEdgeUpdate.exe
4388	msedgewebview2.exe
1872	msedgewebview2.exe
2484	msedgewebview2.exe
1824	msedgewebview2.exe
4880	msedgewebview2.exe
1184	msedgewebview2.exe
2384	msedgewebview2.exe

Loads dropped DLL 41 IoCs

Processes:

hatt-windows-amd64-installer.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exehatt.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exemsedgewebview2.exe

pid	process
4728	hatt-windows-amd64-installer.exe
4728	hatt-windows-amd64-installer.exe
4728	hatt-windows-amd64-installer.exe
2152	MicrosoftEdgeUpdate.exe
1300	MicrosoftEdgeUpdate.exe
792	MicrosoftEdgeUpdate.exe
2340	MicrosoftEdgeUpdateComRegisterShell64.exe
792	MicrosoftEdgeUpdate.exe
3896	MicrosoftEdgeUpdateComRegisterShell64.exe
792	MicrosoftEdgeUpdate.exe
808	MicrosoftEdgeUpdateComRegisterShell64.exe
792	MicrosoftEdgeUpdate.exe
4736	MicrosoftEdgeUpdate.exe
5048	MicrosoftEdgeUpdate.exe
1472	MicrosoftEdgeUpdate.exe
1472	MicrosoftEdgeUpdate.exe
5048	MicrosoftEdgeUpdate.exe
3392	MicrosoftEdgeUpdate.exe
2456	MicrosoftEdgeUpdate.exe
4924	hatt.exe
4388	msedgewebview2.exe
1872	msedgewebview2.exe
4388	msedgewebview2.exe
4388	msedgewebview2.exe
4388	msedgewebview2.exe
1824	msedgewebview2.exe
4880	msedgewebview2.exe
2484	msedgewebview2.exe
4880	msedgewebview2.exe
2484	msedgewebview2.exe
1824	msedgewebview2.exe
4880	msedgewebview2.exe
4880	msedgewebview2.exe
4880	msedgewebview2.exe
4880	msedgewebview2.exe
1184	msedgewebview2.exe
1184	msedgewebview2.exe
1184	msedgewebview2.exe
4388	msedgewebview2.exe
2384	msedgewebview2.exe
2384	msedgewebview2.exe

Registers COM server for autorun 1 TTPs 31 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Processes:

MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

hatt.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA hatt.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	hatt.exe

Checks system information in the registry 2 TTPs 12 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exemsedgewebview2.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

Processes:

MicrosoftEdgeWebview2Setup.exesetup.exeMicrosoftEdge_X64_125.0.2535.51.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_gu.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_sl.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Locales\sv.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Locales\cy.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\identity_proxy\win10\identity_helper.Sparse.Dev.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\msedge_wer.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\MEIPreload\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\identity_proxy\win10\identity_helper.Sparse.Stable.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\fi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\nn.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_sk.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\msedgewebview2.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Trust Protection Lists\Mu\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\sv.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\onnxruntime.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\VisualElements\LogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\mt.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_th.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Locales\nn.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\msedgewebview2.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\ar.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\eu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\el.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_kok.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\edge_feedback\camera_mf_trace.wprp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Locales\as.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\wns_push_client.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\VisualElements\SmallLogo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\MEIPreload\preloaded_data.pb	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Locales\or.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Trust Protection Lists\Mu\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\identity_proxy\resources.pri	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\hu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{11791D4A-59CF-4E01-9231-7EBC2A7B9DA4}\EDGEMITMP_1769C.tmp\MSEDGE.PACKED.7Z	MicrosoftEdge_X64_125.0.2535.51.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Trust Protection Lists\Mu\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\pt-PT.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Locales\or.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\EBWebView\x86\EmbeddedBrowserWebView.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\VisualElements\SmallLogoDev.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_af.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\psuser_64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\mip_protection_sdk.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\msedge_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\oneauth.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\VisualElements\SmallLogoCanary.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\VisualElements\SmallLogo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Locales\ca-Es-VALENCIA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Locales\sr-Latn-RS.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\concrt140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Edge.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\pl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\VisualElements\LogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\learning_tools.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\Locales\ca-Es-VALENCIA.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\copilot_provider_msix\copilot_provider_neutral.msix	setup.exe

Drops file in Windows directory 12 IoCs

Processes:

setup.exemsedgewebview2.exesetup.exe

description	ioc	process
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	msedgewebview2.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4388_659362192\manifest.json	msedgewebview2.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4388_659362192\protocols.json	msedgewebview2.exe
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4388_659362192\manifest.fingerprint	msedgewebview2.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedgewebview2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 43 IoCs

Processes:

MicrosoftEdgeUpdate.exemsedgewebview2.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133608202400439737"	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CLSID\ = "{5F6A18BB-6231-424B-8242-19E5BB94F8ED}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ = "ICoCreateAsyncStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods\ = "41"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\CLSID\ = "{B5977F34-9264-4AC3-9B31-1224827FF6E8}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32\ = "{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1D3747B6-FED9-4795-BB56-E077C582FB69}\InprocHandler32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\ProgID\ = "MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32\ = "{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ = "IGoogleUpdate3Web"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\CLSID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\CLSID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ProgID\ = "MicrosoftEdgeUpdate.Update3WebMachine.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ = "IPolicyStatus4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LocalServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ = "IAppBundleWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{4E50ED6A-8A46-4CB9-9E77-B99CBFED1E68}"	MicrosoftEdgeUpdate.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

hatt.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	hatt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	hatt.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	hatt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	hatt.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	hatt.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	hatt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	hatt.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	hatt.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	hatt.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

MicrosoftEdgeUpdate.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
2152	MicrosoftEdgeUpdate.exe
2152	MicrosoftEdgeUpdate.exe
2152	MicrosoftEdgeUpdate.exe
2152	MicrosoftEdgeUpdate.exe
2152	MicrosoftEdgeUpdate.exe
2152	MicrosoftEdgeUpdate.exe
4536	msedge.exe
4536	msedge.exe
4432	msedge.exe
4432	msedge.exe
3376	msedge.exe
3376	msedge.exe
2240	identity_helper.exe
2240	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedgewebview2.exemsedge.exe

pid process

4388 msedgewebview2.exe
4432 msedge.exe
4432 msedge.exe
4432 msedge.exe
4432 msedge.exe
4432 msedge.exe
4432 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MicrosoftEdgeUpdate.exe

description pid process

Token: SeDebugPrivilege 2152 MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege 2152 MicrosoftEdgeUpdate.exe

pid	process
4388	msedgewebview2.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

description	pid	process
Token: SeDebugPrivilege	2152	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	2152	MicrosoftEdgeUpdate.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe
4432	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

hatt.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_125.0.2535.51.exesetup.exemsedgewebview2.exe

description	pid	process	target process
PID 4924 wrote to memory of 248	4924	hatt.exe	MicrosoftEdgeWebview2Setup.exe
PID 4924 wrote to memory of 248	4924	hatt.exe	MicrosoftEdgeWebview2Setup.exe
PID 4924 wrote to memory of 248	4924	hatt.exe	MicrosoftEdgeWebview2Setup.exe
PID 248 wrote to memory of 2152	248	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 248 wrote to memory of 2152	248	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 248 wrote to memory of 2152	248	MicrosoftEdgeWebview2Setup.exe	MicrosoftEdgeUpdate.exe
PID 2152 wrote to memory of 1300	2152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 2152 wrote to memory of 1300	2152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 2152 wrote to memory of 1300	2152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 2152 wrote to memory of 792	2152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 2152 wrote to memory of 792	2152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 2152 wrote to memory of 792	2152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 792 wrote to memory of 2340	792	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 792 wrote to memory of 2340	792	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 792 wrote to memory of 3896	792	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 792 wrote to memory of 3896	792	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 792 wrote to memory of 808	792	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 792 wrote to memory of 808	792	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdateComRegisterShell64.exe
PID 2152 wrote to memory of 4736	2152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 2152 wrote to memory of 4736	2152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 2152 wrote to memory of 4736	2152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 2152 wrote to memory of 5048	2152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 2152 wrote to memory of 5048	2152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 2152 wrote to memory of 5048	2152	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1472 wrote to memory of 3392	1472	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1472 wrote to memory of 3392	1472	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1472 wrote to memory of 3392	1472	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1472 wrote to memory of 228	1472	MicrosoftEdgeUpdate.exe	MicrosoftEdge_X64_125.0.2535.51.exe
PID 1472 wrote to memory of 228	1472	MicrosoftEdgeUpdate.exe	MicrosoftEdge_X64_125.0.2535.51.exe
PID 228 wrote to memory of 3564	228	MicrosoftEdge_X64_125.0.2535.51.exe	setup.exe
PID 228 wrote to memory of 3564	228	MicrosoftEdge_X64_125.0.2535.51.exe	setup.exe
PID 3564 wrote to memory of 892	3564	setup.exe	setup.exe
PID 3564 wrote to memory of 892	3564	setup.exe	setup.exe
PID 1472 wrote to memory of 2456	1472	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1472 wrote to memory of 2456	1472	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 1472 wrote to memory of 2456	1472	MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
PID 4924 wrote to memory of 4388	4924	hatt.exe	msedgewebview2.exe
PID 4924 wrote to memory of 4388	4924	hatt.exe	msedgewebview2.exe
PID 4388 wrote to memory of 1872	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 1872	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe
PID 4388 wrote to memory of 4880	4388	msedgewebview2.exe	msedgewebview2.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

msedgewebview2.exe

description ioc process

Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection msedgewebview2.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe

C:\Users\Admin\AppData\Local\Temp\hatt-windows-amd64-installer.exe
"C:\Users\Admin\AppData\Local\Temp\hatt-windows-amd64-installer.exe"
1⤵
- Loads dropped DLL
PID:4728

C:\Program Files\Hatt\Hatt\hatt.exe
"C:\Program Files\Hatt\Hatt\hatt.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:248

C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
3⤵
- Sets file execution options in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2152

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1300

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:792

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.37\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.37\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:2340

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.37\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.37\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3896

C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.37\MicrosoftEdgeUpdateComRegisterShell64.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.37\MicrosoftEdgeUpdateComRegisterShell64.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:808

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzciIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuMzciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTAxODFEOTgtNTRCMi00REJCLThBNzAtNjFENzNENDlGQjczfSIgdXNlcmlkPSJ7N0Y3NEZEQTYtOEQ0Ri00REM1LTgwMDAtODYwNDQ0NDc1NzBGfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezcyQUJBMjZELUM5RjEtNDZBQy04QjQwLTVBMUEwMzczMDIxRn0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTQzLjU3IiBuZXh0dmVyc2lvbj0iMS4zLjE4Ny4zNyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDk2NTc2NDI5MCIgaW5zdGFsbF90aW1lX21zPSI3MTgiLz48L2FwcD48L3JlcXVlc3Q-
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:4736

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource taggedmi /sessionid "{50181D98-54B2-4DBB-8A70-61D73D49FB73}"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5048

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=hatt.exe --webview-exe-version=1.0.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msSmartScreenProtection --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=4924.4332.740570037226361177
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4388

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=125.0.2535.51 --initial-client-data=0x17c,0x180,0x184,0x158,0x18c,0x7ffea84a4ef8,0x7ffea84a4f04,0x7ffea84a4f10
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView" --webview-exe-name=hatt.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,12435336343865183521,4309987961625072836,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=1772 /prefetch:2
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4880

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView" --webview-exe-name=hatt.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=1832,i,12435336343865183521,4309987961625072836,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2164 /prefetch:3
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView" --webview-exe-name=hatt.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=1788,i,12435336343865183521,4309987961625072836,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2372 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView" --webview-exe-name=hatt.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3328,i,12435336343865183521,4309987961625072836,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=3396 /prefetch:1
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1184

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.51\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView" --webview-exe-name=hatt.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4772,i,12435336343865183521,4309987961625072836,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=4800 /prefetch:8
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gog-games.to/search/jazzpunk
2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffea6423cb8,0x7ffea6423cc8,0x7ffea6423cd8
3⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,17108093264328887206,4284221501298046295,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1848 /prefetch:2
3⤵
PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,17108093264328887206,4284221501298046295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,17108093264328887206,4284221501298046295,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
3⤵
PID:3556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,17108093264328887206,4284221501298046295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
3⤵
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,17108093264328887206,4284221501298046295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
3⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,17108093264328887206,4284221501298046295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,17108093264328887206,4284221501298046295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
3⤵
PID:1204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,17108093264328887206,4284221501298046295,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
3⤵
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,17108093264328887206,4284221501298046295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,17108093264328887206,4284221501298046295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
3⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,17108093264328887206,4284221501298046295,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
3⤵
PID:4124

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1472

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzciIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuMzciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTAxODFEOTgtNTRCMi00REJCLThBNzAtNjFENzNENDlGQjczfSIgdXNlcmlkPSJ7N0Y3NEZEQTYtOEQ0Ri00REM1LTgwMDAtODYwNDQ0NDc1NzBGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QkUzOERBOTAtRjY3Ni00MEYxLUI2NUEtRTgyNDU3RDJBMDRBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjExMC4wLjU0ODEuMTA0IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyNSIgaW5zdGFsbGRhdGV0aW1lPSIxNzE0MTQ2Mjk1IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNTg2NDQxNzUxNTM4NjI3Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDA2OCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDk2OTY3MDAwOCIvPjwvYXBwPjwvcmVxdWVzdD4
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:3392

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{11791D4A-59CF-4E01-9231-7EBC2A7B9DA4}\MicrosoftEdge_X64_125.0.2535.51.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{11791D4A-59CF-4E01-9231-7EBC2A7B9DA4}\MicrosoftEdge_X64_125.0.2535.51.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:228

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{11791D4A-59CF-4E01-9231-7EBC2A7B9DA4}\EDGEMITMP_1769C.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{11791D4A-59CF-4E01-9231-7EBC2A7B9DA4}\EDGEMITMP_1769C.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{11791D4A-59CF-4E01-9231-7EBC2A7B9DA4}\MicrosoftEdge_X64_125.0.2535.51.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3564

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{11791D4A-59CF-4E01-9231-7EBC2A7B9DA4}\EDGEMITMP_1769C.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{11791D4A-59CF-4E01-9231-7EBC2A7B9DA4}\EDGEMITMP_1769C.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{11791D4A-59CF-4E01-9231-7EBC2A7B9DA4}\EDGEMITMP_1769C.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.51 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff649f64b18,0x7ff649f64b24,0x7ff649f64b30
4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:892

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzciIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuMzciIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTAxODFEOTgtNTRCMi00REJCLThBNzAtNjFENzNENDlGQjczfSIgdXNlcmlkPSJ7N0Y3NEZEQTYtOEQ0Ri00REM1LTgwMDAtODYwNDQ0NDc1NzBGfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezI1NTlFQzIwLUFGREUtNDNGNS1BRjE2LTczMEM0OUY4OEUxM30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMjIwMDAuNDkzIiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEyNS4wLjI1MzUuNTEiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5ODAxMzg3OTAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTgwMjk1NTU5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE5NjEyNTU5MCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNGJlMDU5ZDYtYThhYi00NWQ0LWExMDUtNTExNTA0NWNhOGQwP1AxPTE3MTY5NTEzODYmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9bWtjanhsNm5Dem83WFNYbnlLQmxVbW1EdkF5cWNFV0ZURXhLVEg1U2ZwaHBqejZPakFtbHF0NE9zazglMmZySU03TlcyYWM5b3ExWDAzdTY4dkY3R0UwdyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3MzY0MjI4OCIgdG90YWw9IjE3MzY0MjI4OCIgZG93bmxvYWRfdGltZV9tcz0iMTUwNDciLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTk2MjgxNTY0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTIwOTg3NTk0MSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQ5MTAxNzc3NCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjQyMiIgZG93bmxvYWRfdGltZV9tcz0iMjE1NTIiIGRvd25sb2FkZWQ9IjE3MzY0MjI4OCIgdG90YWw9IjE3MzY0MjI4OCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iMjgwOTkiLz48L2FwcD48L3JlcXVlc3Q-
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
PID:2456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.51\Installer\setup.exe

Filesize
6.9MB

MD5
0e2485bb7949cd48315238d8b4e0b26e

SHA1
afa46533ba37cef46189ed676db4bf586e187fb4

SHA256
1a3d50530e998787561309b08a797f10fe97833e5a6c1f5b35a26b9068d8c3e8

SHA512
e40fcfb989e370606469cb4ca4519ce1b98704d38dbfa044bf1ad4b49dbcaf39e05e76822e7dc34cb1bb8f52e8d556c3cbf3adb4646869aba0181c6212806b96

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
179KB

MD5
13fad1a73c960168be59885cbd8681b9

SHA1
0fae27254003eb50d58e4f410681b65b9fc23f8d

SHA256
ccdcbabb2dd8a0701bcc7cb3342ffe1b7bb633300de782c8cd0cb706894db709

SHA512
093904555288198eb8bc7b67608be14f9fc33618f19f3511d053c26d5da9d3f1963b3f18e8ca3a13460021c3c1324ad45ec5e912e6495dae84807946ba66d379

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
f2d14ff6375c24c821695ec218f2330b

SHA1
9d7b115c16d2ed5c3e6c3da19ccb495b3eb66b7b

SHA256
f9819b0b98e30da8b8f7c08191234ccf0bf03a33b7fd41fe93f120f974a8990a

SHA512
972814a3334ac85a30643778fceeb6f9a550d6dd578a0966fca9fbe6f36fc4e899e0a1b0534fe1d245c6f17ceb038d14d0989d31fb13f5b1556e188bb38c8b3e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
212KB

MD5
e75a70e3642516e42905833935d9a85c

SHA1
f804b8edafa6451f8cf6bbd1c994934fec0578e3

SHA256
aa3304fccb73b3c8f3b50f6bd539bb6293fa4393b6cfc56174878b1eb352eb61

SHA512
a8a65dcdb8e0201f0e4072de035446e3e5ad543795e4abf1e47c4ebd1277dbff45e7539c528d8b5df5fb65e5479bbc830ae3dd00966d5b4aa16c4480b0e1866f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
258KB

MD5
0c02bf3f64e1e52e23a1ff1be975481f

SHA1
1512259afc08f95346d28dd0dc949bda6895e862

SHA256
24b93e5e53c2fae8d6430da172bf79fd3a6a6d38c5ca9d3a844494f2b7bc01ae

SHA512
609eb973c21384ab151ba700714fd8c5ef70f9f2f62bc25ed5465198542551530849c5eb066736c1c67d9fe301143c214f40bccc751d18cecba6667f054db5b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
c35fda033b1b8441ae9d88c5763a7653

SHA1
6cd921518561d65155bdbdb085ad2fdc77fd635c

SHA256
4ac4272afebc63cd0bc85a5a901403570e5ba8ecb867febffcb005efc7d65837

SHA512
3068145da7f6d3755b8d497b8ce499823292d6b3be35bb3d1735ad1e3776c8bc2bcad59b48d69dd9135cd18a2238e9f2b1ebb4c3f19d47e70c421f620c7cc5a4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_af.dll

Filesize
29KB

MD5
ed0e2b7f8e5d1d1dfec64347388b4eee

SHA1
8458c853b7f53646395197a0ce7ed62a7322277c

SHA256
6c0aab9da650ff49e668f6048e7cca45d908f566e9b1ad1a2736db2abcb6a540

SHA512
9ae9ba8bc2e2e24c63c15e2568f62df74558204f2885df0333f697635a85e47690c9a23546e758b0350b56bc26a58f1046950de00498727129b175832be82044

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
52361017f9d46715074437f4f4ef510c

SHA1
0805c5b1e97d27b0a4e9a0f9273f76a78afde60c

SHA256
1bfc89c8a6c558f70edab1a24585960276fe1c08c5f363855062e13503daf7de

SHA512
beac1313538e97f3cfc87b9bd7bf2ecfc7beec003f757d73513ff3ce6a710f554c1f036c372d8c2da227293643cbf0bcc7ad3f1ac77457bb006e3ec17f14df21

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
23825769098fcfeb651593ab1d9a17fb

SHA1
d8591e5c31b41b54077e72ac3190b28d13a80861

SHA256
e7a94d29115f6b575c9dce9a0d649e38058e369bfa32b4f510efeca30bb85388

SHA512
631d87f130c3aee169312de6dfb1bf7df89b2263a4c753cd8fe5de679c5f476574ecfc40492ba044353a52edb062c6f5b6dca3ce4c790f9f89e27d95aa2bcda3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_as.dll

Filesize
29KB

MD5
0354ed3612ce1ad066261a816d778838

SHA1
f4986dd7fe70b5e8b226ab994e082c625f1b1ed7

SHA256
6ea80179f119d72f00940dffa2b0fe11c8559052d22837d035d57cf0fa923caa

SHA512
c409c223075a50c39acee6465cc7e49d860f3ea856484ed328e3dba085d99f4ec3038c7f917eb630e6e624077c51ba086c5c13e37683f7fa698fd9d26e16d793

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
d2274e6ef10f7db41c95ef6f1d8e4bf3

SHA1
898c671264d58164cb27364e8857d78e40daea2c

SHA256
3cb6ba05195e7aee536d3734f7631f0fc47bd5f483c1bf6c646f57c008cd0ed3

SHA512
42355d14a248ad372e366010c2ad1b0e64d0b84f52ea34acd37c2bc1da198c525d8e1c19558edf49a780098694b98b6b049f3ce62342e27a99ef0417f0f2ebc5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
b34dfac8c3a1dbb83b0d41ae7a4b4059

SHA1
18d2696ea79d3e81356892cfeb4dbeae882517c4

SHA256
0be36d4264d8ac8af871c1ebc448672137bfb894cb0b91a07dab20743d2f344c

SHA512
f7f75859e9fe40db427c5e15446c6411a28f1628ddee73d818d840c0b6ae5b2d3176fac3fb83fe5343d3fbd8b44c294f060e09492304a49102863b99acfa4f20

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
e87a1ad4f7aa16527eb02b92fea2f590

SHA1
f3362cbd635b803e1003c3a15edf52348ba1fb77

SHA256
a248073ed5a436a921745aa78f3c039e8ac0c360372644c1f78c36737e78f87e

SHA512
8018c0325f598e0071b4f5a8d4fa201aa6f30a2eefc34cd1a0effd05f5ba75be9fec30565d6d9c9f761a896a7c121d7f0ba665a22e6cd7dc39f932f0857a8b2f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
d84aa26e9486830f6e34485ab4e97a0e

SHA1
d4053cabcd346a9b17ec533319c0d9d3305bfd90

SHA256
75951874d4a4624d5a054fada852f046add3d57424986bfdc2a1c3bfc66be484

SHA512
52e50ced2e936ade01781b043ca518af8a32c33a64463fea4947c7163342e3375ae590d224311c47dd072969a79a85bca38e8bc41384b961f40979be7eae0a40

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_bs.dll

Filesize
29KB

MD5
de8c111a65a9e98bd81041fbf51e3594

SHA1
eed2545549c5dc2072ade08321d9229cb49090f5

SHA256
42c14d538d82c44d0ea2b4424548269cf7dc9063d5c56c3e12a7a4f575a37f6e

SHA512
987c660516b27f9fb671f381b353e2dd293811e9a0effc5cf2a9ac9bf9432b3074748ee0d99677ed5485ac9fd01d46f126d3880c762b8572fcf49eff36bdd8e5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
30KB

MD5
1481af2fe87b9ce9b891b6d79db6bfee

SHA1
581b2eeae265ad4a8837d1b638e4b691bc064620

SHA256
88f78ff99301af50ebaff945557092113f27201738aad2cf9ee24d416023617a

SHA512
2eddf41b00100d55cdad663dea4fb7af405cbc77a282414c13672d315f0fd1f3578fd241d63da9ab246efc940b7510bcc19baf2772847200dccc3e0248355fd7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
695da6b2e8c2ded73fa3b35a8f3178e1

SHA1
f4fe324aa0b81bbdbe92c4eb5b08f307d8a9f770

SHA256
ebeb21625556564644993a2eb2ab10a1f4a0507c175933343025c4d0ed5b3933

SHA512
00c871d1f54fc80643ddbdf01976f00947a28f639894e8092d28582bea770ad7e68a989edf4cf7ed8de22c386225a75a500879b9151a0f8687cd6c28f6dc0310

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
28acdb7e4762aad04b93e3462f09b16b

SHA1
4bbdaaa8411799a9108b81251c7d261c858ce7d9

SHA256
b4f889351006556944447c9c6bd3f5591442296ba9f57948eae09a6828fbc0bb

SHA512
ebf4366dc8f24253bd83d516f07b9b69033e70c09f4fd3fc9654d1e06436917e22b8f1eb10d33602bd1d72b42c22e1d89f10f98eef9b30c59e9b38133040755d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
904baba636f7bd537f86c96b486edde4

SHA1
c90548a30a322e0d2fb554b313ff99f0b0d12f94

SHA256
e732991010f68800ad14718687e29df53ee763264facf87db8c08eab874309ce

SHA512
ea20a7241de74b064c29f2463ab8ddc67a8b3604228f025ac5c0ca460deee2f7fa55283e82dacdb75959b8423faadd40e85c9d6b2b53f3f62f16ae37f440d07a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_da.dll

Filesize
29KB

MD5
a9ee7fdeed416b6fce213235d74a6412

SHA1
d1e478398eb5cfa2490fead8842ff386e52c5e46

SHA256
30ae20bd4527f98e16af09566d67e3163d05be72a6021d9b54c493a1934f7792

SHA512
fa00b91c7ee2119d82204c4961ad303102f21151dafd21b31a28ce7532790fb4c12df2fb062a267c24cd8419abcda1312a4b829876db40a5b3b320a29d87e74e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_de.dll

Filesize
31KB

MD5
6b3e71ac529dd6b60c52dc03958dce57

SHA1
1758a9be6ca598b88f89b2955f6e69b195abceef

SHA256
edd1374957acefc691ebbc448c74636f5a5efcb91630d901ac1f323a91f55904

SHA512
0b5f3089ffe94fea2809735b1b4d4331bfb2b438a85c549e57f34fe25295633d6785bf89da4b2f224734e9784c43255cb6ccb0de82b0c06a47770351ba566d59

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_el.dll

Filesize
31KB

MD5
609bb0fa897a29dc620192a99fd20738

SHA1
204171116dab2677c16f3f8a275d52eb58baed4c

SHA256
32a516ba9e696a37815e0870c42ec9deddeab24d6c66b9020afc4b28ab5d0de8

SHA512
a2c2ef8523a01350b1d119f7ef9d9c3888b38a1ad088f0b7bd1f05124a1d720722bcb3175f88b3579b2d16d33f702b3566d3ae77d3f2f2e180c079f0428843ab

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
1bc70e3fefc50aead40833779bb05142

SHA1
faac018733971b29ce94bf81e9462b78c0c6a2bd

SHA256
0bd45524f17fcc436eb62803f42ddcb9ab4ddf9de6d6338a8d90da8ecda699aa

SHA512
b099b388e58bc0274070c74809c043e2f1a98ed14ff4e9b1be1d7ac4fc8af46ad8ecd272a1e60b0eb37d98ba5fd5f5d6e6d9008f9e050ddf20928e4866edd8da

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
c3dcb4ad44d0abedcb962778ff50c941

SHA1
a2b48433c32f2bcf6565d59b0c2720e74ec939a7

SHA256
387385234ff48a0faef8935ea7dbaab58acb85594bb9cd67b6b66da8e2c15941

SHA512
3d98d48c57a99c9a546a9847fa238d7bf2c00e86728a5c53b2029ac1917857952c28abf94502269500fbcd26c625468a8fcc988737ed2c77a43451679ddec65c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
03b60cf8809192b6b00e125ed94bdc2a

SHA1
aa5d7cbce3a7063abd6aa3030398c2de7b1478ff

SHA256
a370d7198985602c8d1858d1b39aa57c62ae3463ddf99f03304b04c8dd3ce381

SHA512
4c361f8302f89ab7e7bfde07cda67a2eb4367fc805142c3eac0c3f0ed10e812523ace1536aed9e9874a9b88664ed341bc873731da135786d36458fd9235030d7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_es.dll

Filesize
29KB

MD5
c1dfc0e349268ffbcd87904762ec8362

SHA1
6a7ed33fd1b99a11bfedeaad301f6f60d1ddf873

SHA256
a043288bb0006a2e9de1e10e2aed56bdd195ce93681dd63af8e86a4ba6932224

SHA512
6a2297754b6117c78ef9c7b5b089f6a8b897836c8187cf7003c9232364afc48c1dbdbdc2f96dab8fe1efd87b684cb2005fca8734fefd0cfc93339ea0d7843d2f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
f894161c808aba5106feb30193a2daf2

SHA1
37d5fee915f4215150ef7604ab21254e6e5883bf

SHA256
541d96a5dd7aa5382547917d7426722f2a82f5cbf40fe457459b7b2b22e6f06c

SHA512
ce50b1d7b9a851aa4a13b30e17e601fd61dadb82ba82de72f60ca344e8bdbb14e752a163d665d9c64d218ca0485dfb119a97731adc6d437e2f0132c4c04d6517

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_eu.dll

Filesize
29KB

MD5
b63db4a72eaeb5ea638d4e8befdd303a

SHA1
1f7bc4ddadab1b5c469c750b527129531769fed4

SHA256
21f2a1440e2277a3f1814a67e758ba2efa30f64653c8efc727f2ebcb92d3b85e

SHA512
bbecb99955da46056918de3bd375b40ec9ce0b929a8b44859dc1364b2b3268b98351d8b44179d846c5a7b894532e8f5d1ef6b5e4f563425129845098d46e43a1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_fa.dll

Filesize
28KB

MD5
d681435419c9da50a1f5757ada63b58b

SHA1
edc316cf013ccdadee3b6366231bc019e5612abd

SHA256
6c938d3deb6eb18ed7406ac64eb97070b08764442f738fee98665db6b8397927

SHA512
3beb7792c743611fa439accc520d2936137aeed25877cd3f853045d861f2eae2493798f8293ff0f231d04ffa0fe27c3209144858c3e03d7be838c60baddf7a4a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
1d241411ab33d0e4486666e032fe7e0c

SHA1
9dfbbd34e3c3cfb71e1ab501a9d2569e5e256e2c

SHA256
0cf505cfd900a334226b4709520ea5a8f47ad8e4fa700bd4c82e00edb01d9f87

SHA512
deb694f44e995f9475204f556e2edaeed19d101df3fcc9ce0e1a740613b2941a514b5ddf788a16008e91879751f3029875d298f6738e3824980933269fd4b195

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
d4b5e5849ed7d34e12a1048538ef8521

SHA1
c7c379be5447ed7d19774bdc4b85e3b897384613

SHA256
91ff7f63741c15c775b765b062be8f40950cc57bb006e93d89bef6f472de748c

SHA512
fe40c3e34196bc9ef49c3b7ab527c09a89a29f62680e371ea42768233d54e944d29e2b6cfa102090e0825fdbdf6546c5a467254e8158bdcc506d84caa193fa3a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_fr-CA.dll

Filesize
30KB

MD5
1c99c11f090427310b096f57c36af42d

SHA1
4d5154e2dfd963ea5007b83ea938c2223a8c4565

SHA256
277f8b8dc5158bf84c7aac8a6a12ee1b9168edcc68666d20e20f214f871c652e

SHA512
30f1cf39102ec0d9c7b22b6f0a6ff590b3aba8524482d3f15d30353d0aee113a0a4abd297a59d8e6fc1107f959f36f12c0747394c4881e36d8993f11ff51f5aa

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
778d627cce903222a21a7e268bb0dcb2

SHA1
9e8d7a7940221f09d57182c04297bbe1f00107dc

SHA256
4a3fd5525b8e7a84165a4699e8ce0d104bb59b3f4bf5d715b6428555d32d492f

SHA512
f31b05c200a7e3f99dd0c8cb7770f910acb16ab34026d3f41c10b48ca76bd8f5dc6fac5078bdd90acdc544b544a034fc9c622994a768813612e18c9c4203dfa1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_ga.dll

Filesize
29KB

MD5
a8bbd2226cd37d2ca28e4888a06ef46f

SHA1
4f58a70f11148846f706430ef5aae4b711e4d90d

SHA256
1ab0953411b0c744023ef5e4ea17608c8772ae55e6a3fff62549ab1b2bebbea7

SHA512
4a57bc44fb17e6c64cdbb72401a8b7fec0130ab2318e52b5af0b947ac67427192083165ff420e2f264e0053391f1fc44245cf5a8814a96c83b99f5f7d80d378e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_gd.dll

Filesize
30KB

MD5
4fd3fc7cc4323b94a79c2a96ec1ac80f

SHA1
9572e49e503d287566956045e25f315427532668

SHA256
076e55afeb3032e06c8e5c0c98b65b41b13e90b501bde5028d8d0dae0adab441

SHA512
eb89d958f0cc0f18dad361b0a12484753e1670d711a3f218323eda7b6e5f52de97fc636b40242bea13e552049a84c7cf6d82eb072fcb7497c21058cbb1422f75

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_gl.dll

Filesize
29KB

MD5
a8a8e28cf90426d16d0b8e309e649db2

SHA1
00722bb48af2014083e82d3188fd5a33cdf61901

SHA256
1c3873c582b343ff0960e1a2463db72eea88d19f79e95647bf9f6e7adc3013a7

SHA512
994760e383fc08291bfa7e65cef2f27ee1a996cdc7268fb5a016e05662f1a4c8f99e49fdb3645b13b182a05c05df3a0c06cc2b50e354ad8500d7473dd0200eb0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_gu.dll

Filesize
29KB

MD5
7557c378c10fe3ad0c10a40082098640

SHA1
f831396d5e5c0b4d026d12027f4721064985b6c5

SHA256
e30c0968c0697dc59a373064ddae9bb4b206098ef7ef4553445341c16314a033

SHA512
8383c56d445123a891c13c0702d9eca4cc11a5dfb4e4170c28d11cdb201a99fe4695fe965d135db0fca3e01e8e786fc4e251001372579fe97221c085f68bb4fb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_hi.dll

Filesize
29KB

MD5
5256e56d89700d9c31a68acded035607

SHA1
5770ebac28d430569fc46b30a623335f87f19f7a

SHA256
36ba2c1da17821dcfb83eb5a232fd6252dd4c3713c197d3aa8aec1ca60125d8d

SHA512
64578fe3046d79ddf948815475c6dc22dec1defd84b04e81d6e3a3b64eef4e1357db2081c33616a07bca470dec0466ff5ae413d209afa7e6a8c93e59a804eb4f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_hr.dll

Filesize
29KB

MD5
526966033704011a50885663bb4933db

SHA1
4c004899e8ddc7aa5895a7e6b0a9985e79b386df

SHA256
8c0f964ea755e1c8229b17673884f7b53f63b626ba3fbb0c9fe1b0f5a00d7c45

SHA512
45c69101da480d64b7f5f1eb980448b930b54b07af80737c2e7cecdea50e91bcc0b722efd096ce7212f806796f80515108a0357220b2db958970218ba34474a0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_hu.dll

Filesize
29KB

MD5
6003f5a58c4b7810c6bd1a672b684541

SHA1
85030842adc4247304a60f00e70615b2f30e618a

SHA256
ff398da62816181d321178edf1ba67ae505851cf6a4e5376dbb2719154463d38

SHA512
ed3dca0e700133d655a487f6a3b39d5feff90f1d322462b4cc7d6fbad7dc1be4b111de26b92826266e42aba346a53cfb371b271629a50d89d8586eb290197bf9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_id.dll

Filesize
28KB

MD5
07b6aecfb9dc1386a59b17b9e0e13d8c

SHA1
fe3f34a1d5e870fef480a1fa3a8d91f31bee972d

SHA256
4ea354fe6800360b1af32d503d519809c880c9fb96f9b8e8e6cbd53de671c18c

SHA512
df86c455fc209199fd880c94c42b66cc03ba9eafee4917bb43cffb1ae6cb27bc1ef42ac879352f7c775b866dc66c419d745038a8be16ae58dfd55332b02b911f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_is.dll

Filesize
28KB

MD5
39ddcd9d60cca7520c98899df9ad8693

SHA1
5e8f4682b45562ae2aac9ba7eda007637a962c60

SHA256
d515ed955ebf704ec80649b61d35e92f2622c371025de8f2613c460515b642a2

SHA512
75a18d2c20f9b130c13be22842ea2d665d1f8e7932d9767016774c3ff7f9874eb7b92aed97e2c625398cebfe935fe37d93bf4a20534e183867c6eedd679a2d2d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_it.dll

Filesize
30KB

MD5
73dfe1c5d41f0d38c89764f15b1e712e

SHA1
3b66bc93f17f23fc054e9830c2c3978552699a25

SHA256
7b6dd7955e7e9c235cee987cffeb906390e7ffee57bf735f0aff36209933906f

SHA512
10518f6e737a17675a422a5f63533e31a75933ff5de225c57ecd373c45cb563c27fc865f4f394197516a04ede3d9fa4f1e31b038769986369422700a26629d6f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_iw.dll

Filesize
25KB

MD5
938308716f5b89c0d1de1b74c5c40ddf

SHA1
b4c4f09fa3e052bd71258f7c6bc69c494d3aa034

SHA256
f3691eb9347aa0bb8b60e5dc8a4281141a82b88da9338866301cbb8bc026fecb

SHA512
96b60db53c982bed217ee9ab5ae6b417c8b419fee1c323015e3537e11f3ec289e605472e5ea74a339a7a44b4b26a186b00956106f88687901cfe94970b0cb842

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_ja.dll

Filesize
24KB

MD5
34e4eb036da7c51e8e045efe26059e9e

SHA1
95ce9544f575e4f6a87a9ff30dbf2a62c674113a

SHA256
cc365d352297d2ac78cb93379000b4e5affd6c650ebab6504d7028fce524935e

SHA512
ecb9752a6ddccee9eebda386c004dd4dbb12d0488d7d7c7b3ec8fe8f14f953ca5537734691afdd1c3a5036bcce00a71e32e482b43e5230a1f5caf669dd8839eb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_ka.dll

Filesize
29KB

MD5
25471b07f505670a309b8e6593a1af88

SHA1
0394035dd8d3e1e9f81b442073571e9ba121ba69

SHA256
30ce2b7c6267161b356e297f5536abf5beff6b95052af10d0041e6c479309bd1

SHA512
64cbf003d965b0a9f6df674a594deaf69e241763a978a6d81abb3149fe7ee2af81fac628d47f459966eec4691485426391d9cee0af40e17bb4c9b82c063d6801

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_kk.dll

Filesize
28KB

MD5
4eda0ab4a909751ff0aabb1d04b48669

SHA1
8b442b209081030469feb49d3014cb3a90fe1d16

SHA256
541c864b2daeb81b4a280f1dbdbab1f3a22aa42b93bf29b632f53ab09bbded07

SHA512
9c30162c038af0b42309e46eb3080f95afcf811283661c56e2df0be58d3fe152b780140586a9e1e3124ad487e42d253cd7669fffda9a737a295fb81e6479d627

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_km.dll

Filesize
27KB

MD5
a33f322adb541a19d11ce2cb8594ef18

SHA1
3875fda8f8ac60c83ba943a92d41f39c4224e8f3

SHA256
5f5f4b01c659afed2e394de7539c6c7de394252c8c7df447f76a53bf5df98f79

SHA512
cc405796e84902e24bf86ac8058d8e329eca8a480efd68f6744ae3846a4c4adf5fdc2739b76fef7613c88f098812cafb045ede19f6a5ac837a6b2e1ec7aede06

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_kn.dll

Filesize
29KB

MD5
d47df9d1318f127218af4f769ab10647

SHA1
696600fac66590e3f66711522167fb366058280d

SHA256
297935c0721fe3e35d007e2df4bdcad94033584da953f4428d04c8924c1b8416

SHA512
0331662212a93accd5bc3c5a94f492c7269a3093e216aa9cf795d50804a53e6db33e1d2879c12d892eb40d8593a3ce85fa94deb7a42e3b38bddfc51af814f06a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_ko.dll

Filesize
23KB

MD5
e5c8392f9c0977097c95a8276f28826d

SHA1
679e1e6dfeb50b444e65d14481458138f39d29d8

SHA256
0627fe52f076ceb509c28a0b1313ee3cde9374cf62838332046b8f7db791251b

SHA512
5d38502f955f2a6125f1ea1864269b90d7b9d063c7b0fa21ae67a5d0eebc3ceacba3d899220d7f877862b733e4798f4436fa8600fa96b86ce1c6811db12bbb84

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_kok.dll

Filesize
28KB

MD5
63d614991f3ee1847de636c346be7c7d

SHA1
3b83b068fc8d9b3a5d5f0ab2b499b4b369dc31e6

SHA256
54156bcd957fd10400b353a3f68cde2545598f754c7aa35abd659cd31d6ea4d2

SHA512
96bfde8dbc8e8a02740fe47318b0993d9a51caec8f6c4a231245b4dc5e3c4ec5cba89d3ce90858a63f5ebaad10da42a5ae6f83862e18ad4309fc603de2179447

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_lb.dll

Filesize
30KB

MD5
bfbee9ffb9550e8ec1a1231d56353ca9

SHA1
084c8c59bdc2fe4e6ace6644254c26700a378c65

SHA256
df61de11911c41bf081e70bea9b850596b2331981a58c916fd1eb19b00af6f38

SHA512
56bf2f628840a03db8abb811be93e5e4d2e30fadc87ff02bc35c35280ed1585251628aece88dc2967ee264a38908e02ea4ddd0f32a4a0aeb58cfbb57239f323e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_lo.dll

Filesize
27KB

MD5
464864e83c2f08180b1ca8f49a3993f7

SHA1
6494b9086a69c4508fbc7c6929729c84820c897e

SHA256
f3fd224b2d26c6e1a27a3ecf76221dc734b04beda90f226fbcad8c69ff2a5a37

SHA512
c3c8f9cc022f6618cbf670abf3be7e7ce13db166018b9a31d436685e39b558b5e4b2c918f93a33eee0c96344c57f900bb5f9fa4f91fce708da96754655716dc0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU19EC.tmp\msedgeupdateres_lt.dll

Filesize
28KB

MD5
50eba70b0e29a40870053bc65569fb6a

SHA1
a27acc813481f31fc65598cb4286f252e61a55fb

SHA256
cf9a85e1bfcb7be8f18da235eba13324f4855b2fd3d8aa2adbe87233283a8764

SHA512
19279fa97d38f28a7287677816b4604f9e94670cf707069d9e49c9e29f1c837763cf1f8e54e3f8b9bea23dcba49aa67ae41f2325263269fb9f4d6ec9abc527f3

Download Submit
C:\Program Files\Hatt\Hatt\hatt.exe

Filesize
19.0MB

MD5
8b616c5a474d9177664bcd80fd5bf600

SHA1
db40d029a103232bad4785de6d5d4db3b1c74c67

SHA256
46fdead1c40748bd5fb71e267f57da17cc927e78dc8f2265de7f593e9f38690f

SHA512
462213c7a4c089665fe2a5e3c5e649618c4cc77057019a444377eb284cc8e4f17373585b6b56733cd395c704500fb641cdacd056151954ffe4c05043d8217ee2

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
18KB

MD5
dfc778d60aac1ddfe56c42d4ffcd1c06

SHA1
ced5c5150f239a5480336b311eb7e67eada92d74

SHA256
49a81711a0603b4dde95502dfce084d387f4e6ddad81e934dacdfa3ce64a7b5b

SHA512
ab3655907fbf1b1fc73af8bbea34d68a713005a7c42b603c71e195cf5ae6246df65da5a78a7c76e0f478503326f7313fbe7295c79cdd5228020ab7b6cf30e32c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c5042350ee7871ccbfdc856bde96f3f

SHA1
90222f176bc96ec17d1bdad2d31bc994c000900c

SHA256
b8b1cb139d4d19a85adce0152fa3c4f6adfb73a322d7253820e848c6f82afc1b

SHA512
2efdb535fa6a06c4f9702b2129f2dd07c330e37fd10b492f2236007c660c1707773c22005d1e1fa580dbf633dc1a700ada3b7b611ef9accd9555a17a244f61ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e027def9b55f3d49cde9fb82beba238

SHA1
64baabd8454c210162cbc3a90d6a2daaf87d856a

SHA256
9816e980b04f1fe7efaa4b9c83ff6a0fdd485ee65a884c001b43a0cad7c39d83

SHA512
a315e1336c5ec70cbb002969e539068ba92f3ec681b6d863db95227fd1808a778fd994e2fb03f28f0e401677aa5f7c66813e315b6b99a5065384c49586f9782e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
901be8a4c3c86033f57036fa8c1bac4d

SHA1
77d2fd080fbedeb3eb70e7abd6357ed67da63010

SHA256
15730c2256fc1fc3da5f4d2d52d810f5a605e20b38a343f152bec5057d477c42

SHA512
132000c18bfeccd67d85ddad8c5f805aef28d52b4e910e953b5a11abae51dcdf3a9e095beba793907a210744fae4ca5d9e21d30f62e99a47e4ed060f25b3d9fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
778af6ac04cb7c1c826afb167307b1d4

SHA1
cfef2d26acac68706eb5461d01bb67eeca598dd1

SHA256
888a22eab4b6eb15efc30e7f228a59a4b72a4326e28262fba9292b0de9a662be

SHA512
48a3505e4663c4601afb96c67bf3886c7ecda31024060b5d6b50e521cdad14876280ad47c544e3cee45f3f5eaca67285498c9116918f4a6c1d4c19783abf1fe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bca5ee39f5d7270bbd43131a1e3e992b

SHA1
d930a596860e101549ff55753361ddec736e8975

SHA256
71f9cc8cb4c24cc4a270890807464534575c4b272dc4ecf778e215a30a21cb59

SHA512
414cc73c26cafc6a79ef5bd416fc7956875adb5291894c85b3a605e4a235ba4df8addbbbcd84aa17a87fb65208092f8636bf840fc85d483c58cbd644976007a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f4c8484b398c3a5b6740e9d52f4165fa

SHA1
be10f850ef82323e4c28c7819cbee8db6bd5ac6a

SHA256
b5d3dd2285cf09fa026f15ffd6fa4d7c311c6973a80b140872e9eb054e9632c4

SHA512
03cd0833a2d8159305c90286b03d6f97dd2e81b733f6ccad5a1907811f27c0cb472493767659c8f960c0c292cc173fe3880e17a3180b57c3090f33d154f6c06a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe

Filesize
1.5MB

MD5
1a8e15de0c4de9ff87e90268f780d1be

SHA1
e90ee17d0d92b18efbb3f261d16b49742781a44e

SHA256
4cfffb2178202505422fc9612d3418ed1ee58d72a22fdde34d5ec4010285c874

SHA512
676438645c4b24d17d85a259ec587b494d418d84309651b7336935d019c0baf86648adaa6096273cb0848e7aaa0f0bd806aa6e3b3916bd03a5721d107601cdd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso82DD.tmp\InstallOptions.dll

Filesize
32KB

MD5
d64e73ead7cbb8eacb554daf5be57c82

SHA1
e09821ef6c5f47e962449586923174e7130be2c4

SHA256
dd8a9dadb32729ee9c36d4ae1c0fe5cec1f4ef0530fb0b0a85117a47cbdf8c99

SHA512
b8959c8ae7dfbe2b423bb98b39a1b5ced8cce19cfa5e826f5fd56ba69ccbabaafb49cd602740ba59af3ff0e66bdccb13ed1c8184bc76b00f9a2cca0238ff351c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso82DD.tmp\System.dll

Filesize
29KB

MD5
5350a89760fb305097c4f2d53ea8d995

SHA1
b6149631125d69730a27c94c23b0943bfc495151

SHA256
dc48657ed25664bdedf8935aaebaa9a6f624745556aa074b395eda7cb11ca9ba

SHA512
290cbaa7dcaca5fc01918432e8b7047a2580e377442961fcec3c9670990c5fbca4e645e7926e1998e6f251b41f8e1ab56b7200fc400faaf7f97d39c1496aaa2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso82DD.tmp\ioSpecial.ini

Filesize
1KB

MD5
7a8d2f2c7f9bc0a90b797419f6bace10

SHA1
36d43594b1c1de2b831ce4d4b55b1aab7ac8dc51

SHA256
45c66840c7e305cecfcbafb0d4115f42ecbe7eb555ea7832ac9e55302055c2a1

SHA512
f2f7333078e958bb1d3544ea389a168ed70577558010c6600f1d828126e2453ec61cd768420663bd0cd8436641c417a942d33233925a9eaf7b307cfd4bb03145

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso82DD.tmp\ioSpecial.ini

Filesize
1KB

MD5
8846d3d091ab586c81d123baa35a80cd

SHA1
e7e4db02ca0d6a3498e83d8b0d89c135c3ec61ba

SHA256
3cdb3db87b466369983a1ccdc9571b8247e11ea587fd5612860a26609fb9f777

SHA512
c975e3f15dba565da2e4a5037181f6e035b1966e41e9145588ac27159fbb1798308b35b3827df67203889a3d82221921aa411b921501f1f6ae5860140faf259f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso82DD.tmp\ioSpecial.ini

Filesize
1KB

MD5
238e9b002d861ec31fcfad1facd848b9

SHA1
43bb365ad4b7a3ebcea7d51873f6a90ab521fe37

SHA256
528a3123053bd39939ebb50beab296bc270ae6467f9bd302ba29a886df0917a9

SHA512
59d1523d23088bea5a96fe0a01a86f0a97678205c18e3a93de1f8614e52e7d3f985dafd78e5ca8018a1b84eb23842dc905db3abe88326b7ab3334028be80964f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso82DD.tmp\ioSpecial.ini

Filesize
1KB

MD5
b436fe4d8b7131a8a50f2478bbe13eb5

SHA1
e4d0fba8c65a5a5660556932ed7f1f26b51cc0d1

SHA256
62448a2b472a6d99e24fef5825eb13a132dbc9ba8d1ccfa1a64c1fb3f50667dd

SHA512
ac81beb78c761eb5e933de7f55496c93290ed9bcb9cdc0b9eee05a232537e6a5f6c2694146e89dd53c60d902676e94609b0085ec41e0804f4eebe1ea43059511

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json

Filesize
3KB

MD5
6bbb18bb210b0af189f5d76a65f7ad80

SHA1
87b804075e78af64293611a637504273fadfe718

SHA256
01594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c

SHA512
4788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
dc536e1d7b42bb30f30fbbf646139edd

SHA1
8c4eae9c2234e8e0df857652e661ecdceefb29ea

SHA256
6ae1c84412b23215771f977253460db8b6b404f4aec749da25d88731e20c68e9

SHA512
90ed29b0cc3b85eb2c7a58f9af755c43dabc5835f8d7caf48f080cf11c54bf03679b739e647040788fb16866bdbd125309cb0184fa98ae260d959e978d77f51f

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Default\0a75c5c7-02f9-461c-8f06-08b9dc92b422.tmp

Filesize
6KB

MD5
0e18ade9a63e27289c13ef5299de27e6

SHA1
86a086d47582dd4cb7c372b7ad5f36ddade77a27

SHA256
4d6e8f58a55b0d370702de11d049d929ccc4ff748f27e9b23d9d85a1fb31b567

SHA512
1eda6e98e541d788f9817726e83001704879b670fae2ade4b22307074b12be7ff3b5f8b3ac698f0d969e6b9f8f1e5b422ecb1680ee81b5a6e12c8f38ca8ab28e

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
6248ff23a86936f2ad71211eca7ea857

SHA1
e9d0c386d521fcb36777aedf61de662050187fdf

SHA256
7ce66f368d9088b76fb45c0596a6f69d74c23f11b44120829d015e6f4f026eaa

SHA512
b88d90bc45e21aea2a7352bc22af92cdb97c0abc2f2a716e2661f4569e56c001294b898217f3d92e4cb6b6ce5a773fff61816dd80b0603d56de76b77461d3ac7

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
fe1b0f17abe83b4c223b9f874569b28d

SHA1
4965b2c4ca0cde02ca64e29bd2c29ac9ad7fe1bf

SHA256
ce367540e7d794d07bd891b85764f14fabdc8e897983163d726d1b69ced3cab4

SHA512
2b8f5ee7cec6278505e6750c7aae23fb1a00c4e5730200e78e1c6b8807ad872bb4e1b42c2c7d0a0997a7d7f36a53ccaad5e35ac48ea5e780ee59df556ad3e275

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Default\Network\TransportSecurity

Filesize
188B

MD5
87cc26b2e9ef62425dc93da67348582a

SHA1
3bb224f14aa358d996696ef5cda154517edb0e1b

SHA256
54858d6cbcdad97418231d8ab350a1beb80e7f1d424ad9430ec2cdcbfebc7a35

SHA512
72b5457df7efe02e22724ac310ea779045d5b42cccc545e65e83c4fbe98da59e3dd6360ae43ff1ed0f971f5750e3faae01a86b058077310ab38b95e2b9809b48

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Default\Network\TransportSecurity~RFe598ac2.TMP

Filesize
188B

MD5
cf47353645e1cfa528dcd766bf4621f6

SHA1
2ecad0b862cd1f8528a1f1f9b1a7e78c12bdc5ca

SHA256
d4fbce42ae772a8d327b223934ee621f8d223e67237f47bb6d8c30bd6ab1a839

SHA512
3ab9558e473293a471b8fbf0eb99cb017e6d755ca83d0c48de116341332e63af14295116262503dd5496a554421e9b198ee11398410fab19078c1f27e77b49ab

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\GrShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\GrShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\GrShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\GraphiteDawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Local State

Filesize
16KB

MD5
c504dc70a80100d755bae88cab8b2cd2

SHA1
556632506f74fbc84a1f65f912da5d4f8e573011

SHA256
cc8ec17edb6d03e38390a4adbc4855e8495739b77c02de5d5fc641b028a588c1

SHA512
49505a25923176d20b375458dd1eb7de5c3ad3154693a03e04a9e31acefc86b848e1b44781d20bf022a423f11c302804c01ff0fc10496a3b86f59c72128e2978

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Local State

Filesize
1KB

MD5
17a5182957d241293b0d1aac8c81501b

SHA1
f6e774a66493ed9c92daa808e34d86b35e82b442

SHA256
723936b3e942bb3caeeef831613bf0e294b4f3777f0eacae2dac787397cca025

SHA512
29fa07418400e14052944da8ba6b7b14a5f5e6d59d228ecbd748c8e5fcc9d78b9da2a26517a9b9099afdd98fc5c4120b2b05f2746919088be7db38c7ac520bd4

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Local State

Filesize
2KB

MD5
a5b5e0d50ae418374e76f04197cee737

SHA1
2881554bd5aff7dd307cdbeedc34429f54a82a72

SHA256
9bf313446b075c07fd6d3305708d1c57cdd03829e011470fa7d94cca6eb48bbd

SHA512
6c02bfb0f2e7593899c36bcc94e6f6c174156c8c9f98f4f05885df48eb80bf8d40da8c9f025d6a9d18992a3bcd1de789120a50596535b6a4932a84789b280432

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Local State

Filesize
16KB

MD5
0ddd5bc7826772eb7e3960aa19056a1b

SHA1
718db05ffdb119cb27092dce24ed7c366ae88c47

SHA256
8ba2fbd83504c4a1c3c49455f777be2bdef33497628b3c72b5b7e45d7035bdfd

SHA512
907c29398bfee399aa79b1a018701b08436f131cad6a3830bbf17a5c9b030791a764df4d9d693b06464f881dc5cf6638fee85be6980f3cc436157ea1c218da2c

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Local State

Filesize
3KB

MD5
37d7204ad8b043b398893563c888631a

SHA1
ce8a8b7147c1c04b2ae813106effd2b29ae1e62e

SHA256
f8a0e7cdc5425c18065ca31db6bf475397c487593d49bb5efc1506b8d7c594a3

SHA512
58119afe4c2eef7ddf7084a2cca35755c487a8eb4a52723a85d374f4992bd4f05eb9a445301315b3f16044692cedfc076f7dca889afec474aabcb83f7695fdb7

Download Submit
C:\Users\Admin\AppData\Roaming\hatt.exe\EBWebView\Local State~RFe58f1ed.TMP

Filesize
1KB

MD5
c234895d971e3f445e4885efe4e37135

SHA1
4ea433a222a765bed78c70c0e350f7ce3d721a75

SHA256
0e6bf0d489642b5e1b640743b1d0ed24f63b9aca7a6611ae78790bb9e9b05832

SHA512
3f07f2cf8ad33fbb00140bbdbd0137217f1b516fe9ed2d4cb5250b97ddbdc409f6ebb26f7c2ad2ad864eb838382b387a899abe44920454c7dd385c414b4314f8

Download Submit
C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
f3bb4badcccb6c54493aec8c5bad78d9

SHA1
a69070ca48e679728b558b9e3f3b81c09cd8399d

SHA256
3409a66e92f48eab18278c2ddd72323d685d645f942bdce8df3fbdc97cf3ffbd

SHA512
60f376ff668125ca0c8721d3bd18ec26e44e75ff7b12427e5d52eadf354e1f37acf90580bc28c5b544d8b9f97c7547df3d1964f48e55e042fc9c3241b98d49c6

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4388_659362192\manifest.fingerprint

Filesize
66B

MD5
0c9218609241dbaa26eba66d5aaf08ab

SHA1
31f1437c07241e5f075268212c11a566ceb514ec

SHA256
52493422ac4c18918dc91ef5c4d0e50c130ea3aa99915fa542b890a79ea94f2b

SHA512
5d25a1fb8d9e902647673975f13d7ca11e1f00f3c19449973d6b466d333198768e777b8cae5becef5c66c9a0c0ef320a65116b5070c66e3b9844461bb0ffa47f

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping4388_659362192\manifest.json

Filesize
134B

MD5
58d3ca1189df439d0538a75912496bcf

SHA1
99af5b6a006a6929cc08744d1b54e3623fec2f36

SHA256
a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437

SHA512
afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2

Download Submit
memory/1184-493-0x00007FFEC7E20000-0x00007FFEC7E21000-memory.dmp

Filesize
4KB

Download
memory/2152-384-0x0000000074A90000-0x0000000074CAF000-memory.dmp

Filesize
2.1MB

Download
memory/2152-355-0x00000000003B0000-0x00000000003E5000-memory.dmp

Filesize
212KB

Download
memory/2152-356-0x0000000074A90000-0x0000000074CAF000-memory.dmp

Filesize
2.1MB

Download
memory/2152-405-0x00000000003B0000-0x00000000003E5000-memory.dmp

Filesize
212KB

Download
memory/4728-85-0x0000000074660000-0x0000000074674000-memory.dmp

Filesize
80KB

Download
memory/4728-84-0x0000000074850000-0x0000000074860000-memory.dmp

Filesize
64KB

Download
memory/4728-83-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4728-163-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4728-165-0x0000000074660000-0x0000000074674000-memory.dmp

Filesize
80KB

Download
memory/4728-164-0x0000000074850000-0x0000000074860000-memory.dmp

Filesize
64KB

Download
memory/4728-176-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4880-438-0x00007FFEC7E20000-0x00007FFEC7E21000-memory.dmp

Filesize
4KB

Download