Malware Analysis Report

2024-09-11 05:56

Sample ID 240529-mvpxpaca3v
Target Remove-Edge.exe
SHA256 b6fab3f62e29a08e0ca648b84a99e8144e80e320c626175e995d9b1ac78d7b1f
Tags
adware discovery evasion execution exploit persistence spyware stealer pyinstaller
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

b6fab3f62e29a08e0ca648b84a99e8144e80e320c626175e995d9b1ac78d7b1f

Threat Level: Likely malicious

The file Remove-Edge.exe was found to be: Likely malicious.

Malicious Activity Summary

adware discovery evasion execution exploit persistence spyware stealer pyinstaller

Stops running service(s)

Possible privilege escalation attempt

Modifies Installed Components in the registry

Registers COM server for autorun

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Modifies file permissions

Checks computer location settings

Drops desktop.ini file(s)

Installs/modifies Browser Helper Object

Drops file in Windows directory

Launches sc.exe

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Command and Scripting Interpreter: PowerShell

Enumerates system info in registry

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies registry key

Modifies Internet Explorer settings

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-29 10:47

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-29 10:47

Reported

2024-05-29 10:50

Platform

win10v2004-20240426-en

Max time kernel

94s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe"

Signatures

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LOCALSERVER32 C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris C:\Windows\SysWOW64\cmd.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\wermgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\wermgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wermgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\wermgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\wermgr.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\SHELL\OPEN\COMMAND C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\DEFAULTICON C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\WIN64 C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0 C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\SHELL\RUNAS\COMMAND C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\SHELL\RUNAS\COMMAND C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\WIN32 C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\APPLICATION C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\DEFAULTICON C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1 C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0 C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\APPLICATION C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{C9C2B807-7731-4F34-81B7-44FF7779522B}\PROXYSTUBCLSID32 C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TYPELIB C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LOCALSERVER32 C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4860 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe
PID 4860 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe
PID 4860 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe
PID 64 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe
PID 64 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe
PID 2732 wrote to memory of 5620 N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe
PID 2732 wrote to memory of 5620 N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe
PID 2732 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe C:\Windows\system32\wermgr.exe
PID 2732 wrote to memory of 1572 N/A C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe C:\Windows\system32\wermgr.exe
PID 64 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 4884 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5376 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5312 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5312 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5312 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5400 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5400 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5400 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5368 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 64 wrote to memory of 5324 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 64 wrote to memory of 5324 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 64 wrote to memory of 5324 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 64 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\reg.exe
PID 64 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\reg.exe
PID 64 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\reg.exe
PID 64 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\schtasks.exe
PID 64 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\schtasks.exe
PID 64 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\schtasks.exe
PID 64 wrote to memory of 5152 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\sc.exe
PID 64 wrote to memory of 5152 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\sc.exe
PID 64 wrote to memory of 5152 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\sc.exe
PID 64 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\sc.exe
PID 64 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\sc.exe
PID 64 wrote to memory of 4872 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\sc.exe
PID 64 wrote to memory of 5536 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\reg.exe
PID 64 wrote to memory of 5536 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\reg.exe
PID 64 wrote to memory of 5536 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\reg.exe
PID 64 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\reg.exe
PID 64 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\reg.exe
PID 64 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\reg.exe
PID 64 wrote to memory of 5244 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 64 wrote to memory of 5244 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 64 wrote to memory of 5244 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\cmd.exe
PID 5244 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 5244 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 5244 wrote to memory of 1432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 5244 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 5244 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 5244 wrote to memory of 4152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 64 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe

"C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe"

C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe

"C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe"

C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe

C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe --uninstall --system-level --force-uninstall

C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe

C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x218,0x21c,0x220,0x1f4,0x224,0x7ff7e26feb10,0x7ff7e26feb20,0x7ff7e26feb30

C:\Windows\system32\wermgr.exe

"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2732" "2088" "2012" "2092" "0" "0" "0" "0" "0" "0" "0" "0"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -Command "Get-AppxPackage -AllUsers | Where-Object {$_.PackageFullName -like \"*microsoftedge*\"} | Select-Object -ExpandProperty PackageFullName"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdgeDevToolsClient_1000.19041.1023.0_neutral_neutral_8wekyb3d8bbwe 2>$null"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdgeDevToolsClient_1000.19041.1023.0_neutral_neutral_8wekyb3d8bbwe -AllUsers 2>$null"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe 2>$null"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe -AllUsers 2>$null"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe 2>$null"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe -AllUsers 2>$null"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\ProgramData\Microsoft\EdgeUpdate""

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /query /fo csv

C:\Windows\SysWOW64\sc.exe

sc delete edgeupdate

C:\Windows\SysWOW64\sc.exe

sc delete edgeupdatem

C:\Windows\SysWOW64\reg.exe

reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate /f

C:\Windows\SysWOW64\reg.exe

reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /r /d y && icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /grant administrators:F /t && rd /s /q "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe""

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /r /d y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /grant administrators:F /t

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y && icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t && rd /s /q "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe""

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\Program Files (x86)\Microsoft\Temp""

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI48602\python311.dll


C:\Users\Admin\AppData\Local\Temp\_MEI48602\VCRUNTIME140.dll

MD5 17f01742d17d9ffa7d8b3500978fc842
SHA1 2da2ff031da84ac8c2d063a964450642e849144d
SHA256 70dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e
SHA512 c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0

C:\Users\Admin\AppData\Local\Temp\_MEI48602\base_library.zip

MD5 81cd6d012885629791a9e3d9320c444e
SHA1 53268184fdbddf8909c349ed3c6701abe8884c31
SHA256 a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd
SHA512 d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73

C:\Users\Admin\AppData\Local\Temp\_MEI48602\_ctypes.pyd

MD5 9c2163d73a2ecdaf34a613c703a13440
SHA1 f4fcb291c311695d1f5da95020583ecc2aa18ec6
SHA256 3bdb7150ad0304035a5f25c69ec6d6ea25c87d056b6713f29a8be96f2b17d057
SHA512 fd1f96220421a3b63a6b6046cb985093aa41a17ea24adc114c9c54a80d7558be90fcfe56032787ab653ed340b3c8c5b75bd334875d68c85e9a725595cd53779f

C:\Users\Admin\AppData\Local\Temp\_MEI48602\_lzma.pyd

MD5 e40cbb898cb17b0f60a67216a6b5cc4d
SHA1 dc724af9e03a02e1121697a94603bda9d4cff345
SHA256 ceb38183cc7f2b513588f9d6d1713d115cee127ad06d146de5b230504e126538
SHA512 5646ecbf555d8ab369c2c03dca720aa738d1af515fb7302ceffbfcfa65661083c009d6a5aa723d09bb330e10b10ec8509450f4c1b90733c4aeb85c895d4d63bd

C:\Users\Admin\AppData\Local\Temp\_MEI48602\_socket.pyd

MD5 943124d117b6e9548f6a9d0c34009b52
SHA1 1acacb610ed41ab78eea2d093a35f48284698bd0
SHA256 5a60284ec53036fedad0057a564f709ab328c8ac77084191d6350d2001004fe2
SHA512 89eb4b4163fc3ae29dce7cdd7ca28392c378e5858bbd43a3f556c836284c067406d67eb228047767202c955539cbeaef4228bd2aa8c25627f96d56c35877e89d

C:\Users\Admin\AppData\Local\Temp\_MEI48602\_hashlib.pyd

MD5 61ff2a1a01d6dcd0626441c6888f2bf3
SHA1 ecacdb63666d539c03d2a0efdf4b30b24824d3cb
SHA256 ae886b9bf59f27bbe4f846972bc22baf550cae46dc6dbc820eafad523ae7da04
SHA512 6c089ac9299efb84f6e48259726be799c51b0a2a6cd67104ca8b43cf1aaa6e838ec34c5cfc09c484c93efb59b24bd85aa3a83f098d3e95b6bc01a1fd09943638

C:\Users\Admin\AppData\Local\Temp\_MEI48602\_decimal.pyd

MD5 75f984ae9e97d34293aa1b452baeb15d
SHA1 5d6de679ed6fd1155f997bdd2b686ec5d1be4f13
SHA256 edc9caa73ae4e606012152a6531336c667092cd14a1f03f3166ec8e0b25b48a7
SHA512 34a7c72ac5f3f9a28c3a64e6e7d318a5ec81c6e22e03a0e173d65745ba6d8eb1eb3bc411d43678345448977d078849171c506814f0b96f650024a51082b50fe4

C:\Users\Admin\AppData\Local\Temp\_MEI48602\_bz2.pyd

MD5 e4519f30e22cd8d4bfe7059d60183ce0
SHA1 40fb4def438aa07738961a9f25e7ea1be0c60e7f
SHA256 580f42dedd0e70bd7431916ee27db3202b822712af03f418546da89a4c0ad0b1
SHA512 5271a99202c9a1e5266a0deaf58c65f0a8fced8b2f1019e80260a79f64b3afdaf22dca72c218c9b3253afe12ac803c5d1ca955b8b29f1c481eff1d584352b02b

C:\Users\Admin\AppData\Local\Temp\_MEI48602\unicodedata.pyd

MD5 53f8f7e0caaece4a0977a1a6a4663197
SHA1 37a259658c970c3aaf527e32454c208cd19331a7
SHA256 cb85c4932833fc0f5606c6e774a4b9661adcd1a0f8146294eca7ff27418de26c
SHA512 a3ffa42bc0c7c0529e7936397a4b644f38fec3fae13ac4890f23dd905ce33fe81fe208e0d7f2fcb6f34515f6c95dd030f457d2725bae5b6d4f58646fd84ebf6d

C:\Users\Admin\AppData\Local\Temp\_MEI48602\setup.exe

MD5 593b7497327222d69048f7f6204b1886
SHA1 56ee397b91b5235ad5fb3259e35676c633b46022
SHA256 4963532e63884a66ecee0386475ee423ae7f7af8a6c6d160cf1237d085adf05e
SHA512 45999be23e1ae2229575e6f32e56b57a732f51f015b2edb31653837a5592d6ed0edb29783eb21a18a42585ea5c0a50a8a996732233a2202f66eb1242d2a56fc1

C:\Users\Admin\AppData\Local\Temp\_MEI48602\select.pyd

MD5 e64bdec75ee2e467343742db636c6105
SHA1 32645de632215f6410abc1e7102a98cac127ae95
SHA256 109146def651028ad4d788a7c6712558f246417410248e2cbcdf0e8c11efad77
SHA512 7219b52f4f71048ce1c96aeba4b14d12e8366f7265bc06292f036511ee4b47df7be56e438d88915d92772879ec4d25bb1217e34dfea427b391334edc16705f60

C:\Users\Admin\AppData\Local\Temp\_MEI48602\libcrypto-3.dll

MD5 9a76997e6836c479c5e1993cbb3cefae
SHA1 6747a82434daa76239c68e1f75c26f4420f4832d
SHA256 bdbf2ff122354b0e219df81293de186cecfd966fce64e3831b798ffd7c3fc815
SHA512 5fb3f7eeb770f1bdcb06558081441e9fc9bbc618059e33f6864afeb3474033ec1be036cbc5503b74cb56b82894976f03f87e15f1ef5e5bf779de78e15a0c2cdf

C:\Users\Admin\AppData\Local\Temp\_MEI48602\libffi-8.dll

MD5 74d2b5e0120a6faae57042a9894c4430
SHA1 592f115016a964b7eb42860b589ed988e9fff314
SHA256 b982741576a050860c3f3608c7b269dbd35ab296429192b8afa53f1f190069c0
SHA512 f3c62f270488d224e24e29a078439736fa51c9ac7b0378dd8ac1b6987c8b8942a0131062bd117977a37046d4b1488f0f719f355039692bc21418fdfbb182e231

C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

MD5 4bb6cba4146bd959552e2d0d41991e35
SHA1 2a0e5d8ba805b09ecc9d3f09e52681ed79fc6c0f
SHA256 40bd4e1254913a9e5d6cfe32a436839501b1a3d1ceee6fe3ec0e60fc22a67252
SHA512 bd3330d63f2f50007ded287713fc2f46c73590fa53b4bedae4373c2d1b43a2fddade39005eafc8e1cc0fc53994519433cf63d97c230cf1372e4daa9cbd74c9eb

memory/5056-58-0x00000000044F0000-0x0000000004526000-memory.dmp

memory/5056-59-0x0000000004B70000-0x0000000005198000-memory.dmp

memory/5056-60-0x0000000004B10000-0x0000000004B32000-memory.dmp

memory/5056-61-0x0000000005310000-0x0000000005376000-memory.dmp

memory/5056-62-0x0000000005430000-0x0000000005496000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k3iru5xd.luh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5056-72-0x00000000054E0000-0x0000000005834000-memory.dmp

memory/5056-73-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

memory/5056-74-0x0000000005B60000-0x0000000005BAC000-memory.dmp

memory/5056-75-0x0000000007140000-0x00000000077BA000-memory.dmp

memory/5056-76-0x0000000006000000-0x000000000601A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 157afc0219da6b3d1b3df1c278f6d1e3
SHA1 367645598ecb988cd245695481e336596f30b33b
SHA256 8f2d7dee73dc870014739b17fcb1186d15ed6a28f2b6db88be31f64d8a4ace50
SHA512 f6528d9b88870251790bb6f789e6f7fec349bdde37b567164fb3e29d144804525f336ab95ac3ed35675d50b6b0952a7d6e9adb0bf0fac1cfa83a38d45bc71fa5

memory/4884-90-0x00000000064A0000-0x00000000064D2000-memory.dmp

memory/4884-91-0x0000000070990000-0x00000000709DC000-memory.dmp

memory/4884-101-0x0000000006440000-0x000000000645E000-memory.dmp

memory/4884-102-0x0000000006E90000-0x0000000006F33000-memory.dmp

memory/4884-103-0x0000000007400000-0x0000000007416000-memory.dmp

memory/4884-104-0x0000000006460000-0x000000000646A000-memory.dmp

memory/4884-105-0x0000000007490000-0x00000000074B6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1259a53a01ec5ebd0fd6936040240001
SHA1 0a55e29eb9c342e2f1ab93fdff780a83df5f5eb6
SHA256 32c5bc253f927e401259bfd95ef7e91aa92a13b8561e2616345502b3377ad3e2
SHA512 0daa7865e8ff98257bf6bd21b17a5d6a6abc65aa5a002f5c5edf5be5ad6ce635c68ce1cfdb1bc3c363ee9c555077364c89e994c035740025afdb175c90261632

memory/5376-117-0x0000000070990000-0x00000000709DC000-memory.dmp

memory/5312-128-0x00000000063B0000-0x0000000006704000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f059716dd85c6b06378b9faeb7b1bda9
SHA1 e1559fbd9a57f5cd7436b0e1f0e7165b5d194f14
SHA256 5600178939a680c50ca3e2572db76b4edb17c4d8e4f9c53f3e16ae56a6ec7185
SHA512 1baba886a1c7ab4ad845bc5bce4a83df20b77a9e46d45d3dcc2b18b5a9d357fa3c6d309e1514696dec80d2700f0c8d4aa1187cd78d716f5a78446a7eeb191a1c

memory/5312-139-0x0000000070990000-0x00000000709DC000-memory.dmp

memory/2800-159-0x0000000006340000-0x0000000006694000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 92a311b7828bb18951b69f964a9dc32d
SHA1 0bc29732b1d5b1bc0a32f7099e080b28c1f8f695
SHA256 3187b539f18d503a2ac867cd4d0e3028c247c52575e914cca9083dd4c68cc986
SHA512 8f3b00d573b113c121e7a1bfba6520177317322729889f73c696317f59891f282e9b9cb1b9eae54b4da4d8d6a4ca34328ff7c5ebdb70bede00276d6bc43c921a

memory/2800-161-0x0000000070990000-0x00000000709DC000-memory.dmp

memory/5400-181-0x0000000005D40000-0x0000000006094000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4ee532b23fd0ddea191f42c65befba22
SHA1 3b1a3663ba70f58e46009e1c98f3df32860d3ca4
SHA256 1c9362b491235acae1944dd14bb85ecacc8118964c96ab8b51a7c8654573c502
SHA512 395b2b95da6ad9ae81096c30987b0f873bf8c361daae777dcdc98c7e1d6006871a849ea7a16e0eed23adab00d3c773fb09218fbb0caa00fcb308ba46ca8bbc1f

memory/5400-183-0x0000000070990000-0x00000000709DC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 941fb71d00fe9ad98d81d16251f91783
SHA1 c8b50449c4e1800eec2c980d97b80b6700724c39
SHA256 a98c360f147058e165473c032e8bc08471fd741f26cb6bb6529da9d2fc179a78
SHA512 3f46e1c06709de57c3aaef6454b1e2da15704494a763beb81b862c2d58b414e0e600acbf6913db7f0f23df232b29354b802858564607794bed2f5068501dffd8

memory/5368-204-0x0000000070990000-0x00000000709DC000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4c6b8c528e2f2f4fee336dcee362e1ce
SHA1 fcdce85ec5b3778cea080c7f0b7a4dbe6b58aadb
SHA256 5c66311f421365bec4bb203b6e9d1038a50aac80e22db4b9fdaca0101f25c637
SHA512 c06e30c896e4b7d630079c8425ff3c2facad713dfa9e70111010cc19c01d793d502701cd3161629a7c808d288c8b86537509a2c7e1f5ec38e313988e7ae7a962

memory/908-225-0x0000000070990000-0x00000000709DC000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-29 10:47

Reported

2024-05-29 10:50

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe

"C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe"

C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe

"C:\Users\Admin\AppData\Local\Temp\Remove-Edge.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI23162\python311.dll

MD5 9c83364db2337cedb50cefce5772bf28
SHA1 6a65ce4bec369e2e2f6aa19e52ac556ceb3445fc
SHA256 89b71fca8d164d6e7a98967036212aa1fb28f5554e2a1b1042556c22c514ac16
SHA512 e3608ced277fce1e64a0d371b928a5bfc0e00d93a3f020a56f698b1aa2f18a80fc726a9f7c25b8d8d98a2b95ca49a03a254b3c704c08772abaadee0b01f8aa48