Malware Analysis Report

2024-11-16 12:47

Sample ID 240807-k1hz8azaka
Target uninstall-edge.bat
SHA256 a72d568653e84ccb39046221ec4c8fa70ef4a1ab9aa2fe47433a626feea4992a
Tags discovery exploit persistence
Score 8/10

Analysis Overview

Score 8/10
SHA256 a72d568653e84ccb39046221ec4c8fa70ef4a1ab9aa2fe47433a626feea4992a

Threat Level: Likely malicious

The file uninstall-edge.bat was found to be: Likely malicious.

Malicious Activity Summary

discovery exploit persistence

Boot or Logon Autostart Execution: Active Setup

Possible privilege escalation attempt

Modifies file permissions

Kills process with taskkill

Runs .reg file with regedit

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-08-07 09:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-07 09:03
Reported 2024-08-07 09:05
Platform win7-20240705-en
Max time kernel 16s
Max time network 16s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\uninstall-edge.bat"

Signatures

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A

Suspicious use of WriteProcessMemory


Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\uninstall-edge.bat"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\Edge""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeUpdate""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeCore""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeWebView""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Editting registry"

C:\Windows\regedit.exe

regedit /s RemoveEdge.reg

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Public\Desktop\Microsoft Edge.lnk""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk""

Network

N/A

Files

C:\Users\Admin\Desktop\RemoveEdge.reg

MD5 4c8a079090c727bc831413155239b6a2
SHA1 2d595495c067b1784a427d73bc6658167e13a2bb
SHA256 7cc8c0543a77f3bb508cfc21e86cd957300de4e48c2e1366dc9f1b37ce76a108
SHA512 a33df0d82cfe0d770633a43df3acec53d90bd2bbd222182cd1601bbfe62c8a862ca7a30d2e422d325a3fd0fd68d8a4e8090de9b90fa61c791e6756ff655321f4

Analysis: behavioral2

Detonation Overview

Submitted 2024-08-07 09:03
Reported 2024-08-07 09:07
Platform win10v2004-20240802-en
Max time kernel 94s
Max time network 95s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\uninstall-edge.bat"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Windows\regedit.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\regedit.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory


Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\uninstall-edge.bat"

C:\Windows\system32\taskkill.exe

taskkill /F /IM msedge.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe"

C:\Windows\system32\takeown.exe

takeown /a /r /d Y /f C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe

C:\Windows\system32\icacls.exe

icacls C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe /grant administrators:f /t

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\Edge""

C:\Windows\system32\takeown.exe

takeown /a /r /d Y /f "C:\Program Files (x86)\Microsoft\Edge"

C:\Windows\system32\icacls.exe

icacls "C:\Program Files (x86)\Microsoft\Edge" /grant administrators:f /t

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeUpdate""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeCore""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing dir "C:\Program Files (x86)\Microsoft\EdgeWebView""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Editting registry"

C:\Windows\regedit.exe

regedit /s RemoveEdge.reg

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Public\Desktop\Microsoft Edge.lnk""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Edge.lnk""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" set /p=Removing shortcut "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk""

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\RemoveEdge.reg

MD5 4c8a079090c727bc831413155239b6a2
SHA1 2d595495c067b1784a427d73bc6658167e13a2bb
SHA256 7cc8c0543a77f3bb508cfc21e86cd957300de4e48c2e1366dc9f1b37ce76a108
SHA512 a33df0d82cfe0d770633a43df3acec53d90bd2bbd222182cd1601bbfe62c8a862ca7a30d2e422d325a3fd0fd68d8a4e8090de9b90fa61c791e6756ff655321f4