Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
1794s -
max time network
1462s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system -
submitted
07/08/2024, 08:37
Static task
static1
Behavioral task
behavioral1
Sample
BootstrapperV1.15.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral2
Sample
BootstrapperV1.15.exe
Resource
win11-20240802-en
General
-
Target
BootstrapperV1.15.exe
-
Size
796KB
-
MD5
653c07b9b5f1b22c84f72c03b0083d18
-
SHA1
54c25b876736011d016dc0ea06a1533365555cc4
-
SHA256
c9d04a3a87fee318ba65f837f40bd2dd2428f25e78bf271207f8b2b02aaa8a06
-
SHA512
b605773fc4fa244f354bb8f51621225e6482751d19bddf747f03f624581bc7ae896ca0e40be91b667aea7a7978a291497a362f9bd65449682e1948938af684f8
-
SSDEEP
12288:wuHbakEAdS7SdsgtNaFoGQ4jEr+xpS1nmkFmZ2ojKU:/HbTHSINooGQ4jESxpS1nmkkK
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\127.0.2651.86\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" setup.exe -
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 46 IoCs
pid Process 732 BootstrapperV1.15.exe 5320 BootstrapperV1.15.exe 5460 MicrosoftEdgeWebview2Setup.exe 4676 MicrosoftEdgeUpdate.exe 6064 MicrosoftEdgeUpdate.exe 6124 MicrosoftEdgeUpdate.exe 6040 MicrosoftEdgeUpdateComRegisterShell64.exe 6052 MicrosoftEdgeUpdateComRegisterShell64.exe 6136 MicrosoftEdgeUpdateComRegisterShell64.exe 5180 MicrosoftEdgeUpdate.exe 5268 MicrosoftEdgeUpdate.exe 5132 MicrosoftEdgeUpdate.exe 1836 MicrosoftEdgeUpdate.exe 5328 MicrosoftEdge_X64_127.0.2651.86.exe 5708 setup.exe 5776 setup.exe 2436 MicrosoftEdgeUpdate.exe 5844 BootstrapperV1.15.exe 3860 MicrosoftEdgeWebview2Setup.exe 5500 MicrosoftEdgeUpdate.exe 3572 MicrosoftEdgeUpdate.exe 5544 MicrosoftEdgeUpdate.exe 780 MicrosoftEdgeUpdate.exe 6052 MicrosoftEdgeUpdate.exe 4900 MicrosoftEdge_X64_127.0.2651.86.exe 112 setup.exe 2824 setup.exe 4340 MicrosoftEdgeUpdate.exe 3960 MicrosoftEdgeUpdate.exe 5944 MicrosoftEdgeUpdate.exe 5032 MicrosoftEdge_X64_127.0.2651.86.exe 5248 setup.exe 3384 setup.exe 5892 setup.exe 5160 setup.exe 5432 setup.exe 5024 setup.exe 776 MicrosoftEdgeUpdate.exe 2604 Solara.exe 720 elevation_service.exe 4264 setup.exe 5976 setup.exe 5028 setup.exe 5844 setup.exe 3308 setup.exe 1244 setup.exe -
Loads dropped DLL 49 IoCs
pid Process 5728 MsiExec.exe 5728 MsiExec.exe 5808 MsiExec.exe 5808 MsiExec.exe 5808 MsiExec.exe 5808 MsiExec.exe 5808 MsiExec.exe 5940 MsiExec.exe 5940 MsiExec.exe 5940 MsiExec.exe 5728 MsiExec.exe 4676 MicrosoftEdgeUpdate.exe 6064 MicrosoftEdgeUpdate.exe 6124 MicrosoftEdgeUpdate.exe 6040 MicrosoftEdgeUpdateComRegisterShell64.exe 6124 MicrosoftEdgeUpdate.exe 6052 MicrosoftEdgeUpdateComRegisterShell64.exe 6124 MicrosoftEdgeUpdate.exe 6136 MicrosoftEdgeUpdateComRegisterShell64.exe 6124 MicrosoftEdgeUpdate.exe 5180 MicrosoftEdgeUpdate.exe 5268 MicrosoftEdgeUpdate.exe 5132 MicrosoftEdgeUpdate.exe 5132 MicrosoftEdgeUpdate.exe 5268 MicrosoftEdgeUpdate.exe 1836 MicrosoftEdgeUpdate.exe 2436 MicrosoftEdgeUpdate.exe 5948 MsiExec.exe 5948 MsiExec.exe 3008 MsiExec.exe 3008 MsiExec.exe 3008 MsiExec.exe 3008 MsiExec.exe 3008 MsiExec.exe 5172 MsiExec.exe 5948 MsiExec.exe 5500 MicrosoftEdgeUpdate.exe 3572 MicrosoftEdgeUpdate.exe 5544 MicrosoftEdgeUpdate.exe 780 MicrosoftEdgeUpdate.exe 6052 MicrosoftEdgeUpdate.exe 6052 MicrosoftEdgeUpdate.exe 780 MicrosoftEdgeUpdate.exe 4340 MicrosoftEdgeUpdate.exe 3960 MicrosoftEdgeUpdate.exe 5944 MicrosoftEdgeUpdate.exe 5944 MicrosoftEdgeUpdate.exe 3960 MicrosoftEdgeUpdate.exe 776 MicrosoftEdgeUpdate.exe -
Blocklisted process makes network request 2 IoCs
flow pid Process 252 5564 msiexec.exe 253 5564 msiexec.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe -
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
flow ioc 143 raw.githubusercontent.com 237 pastebin.com 248 pastebin.com 267 raw.githubusercontent.com 269 pastebin.com 306 pastebin.com 340 pastebin.com -
Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
flow ioc 196 https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html -
Checks system information in the registry 2 TTPs 22 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk setup.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\__generated__\sigstore_trustroot.d.ts msiexec.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\127.0.2651.86\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\127.0.2651.86\VisualElements\LogoBeta.png setup.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\tar\lib\normalize-windows-path.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@tootallnate\once\dist\types.js msiexec.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\127.0.2651.86\Locales\nl.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU7940.tmp\msedgeupdateres_tt.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\process\index.js msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\127.0.2651.86\Trust Protection Lists\Sigma\LICENSE setup.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\lru-cache\index.d.ts msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\libnpmaccess\LICENSE msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\127.0.2651.86\Installer\msedge_7z.data setup.exe File created C:\Program Files\nodejs\node_modules\npm\lib\commands\view.js msiexec.exe File created C:\Program Files\nodejs\node_modules\corepack\shims\pnpm msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\127.0.2651.86\Locales\fi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\127.0.2651.86\Locales\es.pak setup.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\smart-buffer\build\smartbuffer.js.map msiexec.exe File created C:\Program Files (x86)\Microsoft\Temp\EUE7E2.tmp\msedgeupdateres_et.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-org.html msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\socks\docs\examples\javascript\associateExample.md msiexec.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\127.0.2651.86\identity_proxy\win10\identity_helper.Sparse.Beta.msix setup.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\postcss-selector-parser\dist\selectors\universal.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\jsonparse\samplejson\basic.json msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Locales\af.pak setup.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\types\sigstore\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\has-unicode\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\cli\index.d.ts msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\normalize-package-data\lib\fixer.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\rimraf\node_modules\brace-expansion\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\docs\output\commands\npm-completion.html msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\127.0.2651.86\Locales\ro.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Locales\fa.pak setup.exe File created C:\Program Files\nodejs\node_modules\npm\lib\commands\rebuild.js msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\127.0.2651.86\mspdf.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\127.0.2651.86\identity_proxy\win10\identity_helper.Sparse.Internal.msix setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU7940.tmp\psuser_arm64.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1bb8b25f-24b7-4b71-b007-f3384eba558b.tmp setup.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\make-fetch-happen\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\semver\ranges\subset.js msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\127.0.2651.86\EdgeWebView.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\127.0.2651.86\elevation_service.exe setup.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\@npmcli\config\lib\type-defs.js msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\127.0.2651.86\onramp.dll setup.exe File created C:\Program Files\nodejs\corepack msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\tuf-js\dist\models\root.d.ts msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\semver\node_modules\lru-cache\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\readable-stream\lib\ours\browser.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\ssri\package.json msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\sigstore\dist\x509\asn1\tag.d.ts msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\err-code\package.json msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Locales\es-419.pak setup.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\node-gyp\node_modules\which\bin\node-which msiexec.exe File created C:\Program Files (x86)\Microsoft\Temp\EUE7E2.tmp\msedgeupdateres_lb.dll MicrosoftEdgeWebview2Setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\127.0.2651.86\Locales\lb.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\127.0.2651.86\VisualElements\SmallLogoDev.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Trust Protection Lists\Mu\Entities setup.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\make-fetch-happen\lib\index.js msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\is-lambda\test.js msiexec.exe File created C:\Program Files\nodejs\node_modules\corepack\shims\nodewin\pnpm msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\function-bind\LICENSE msiexec.exe File created C:\Program Files\nodejs\node_modules\npm\docs\content\commands\npm-restart.md msiexec.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{038FBFAB-4060-45DB-8449-31DBFBA10860}\EDGEMITMP_6C7C9.tmp\setup.exe MicrosoftEdge_X64_127.0.2651.86.exe File created C:\Program Files\nodejs\node_modules\npm\node_modules\socks-proxy-agent\dist\index.d.ts msiexec.exe File created C:\Program Files (x86)\Microsoft\Temp\EUE7E2.tmp\msedgeupdateres_ka.dll MicrosoftEdgeWebview2Setup.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSIB625.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIDE07.tmp msiexec.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File created C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\Installer\MSI71BE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI72AC.tmp msiexec.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\Installer\MSI6D47.tmp msiexec.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File created C:\Windows\Installer\e5db2d8.msi msiexec.exe File created C:\Windows\SystemTemp\~DF5D82642F5911AD9D.TMP msiexec.exe File created C:\Windows\SystemTemp\~DF18B48D0B19142753.TMP msiexec.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\Installer\MSI72BC.tmp msiexec.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\Installer\MSIB626.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE0E7.tmp msiexec.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC} msiexec.exe File created C:\Windows\SystemTemp\~DFEE29D69C275A21F8.TMP msiexec.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\Installer\MSIDEA4.tmp msiexec.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\Installer\MSIC359.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI6D07.tmp msiexec.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\Installer\MSIB604.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBF12.tmp msiexec.exe File created C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon msiexec.exe File opened for modification C:\Windows\Installer\MSI6D57.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI721E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBC22.tmp msiexec.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File created C:\Windows\SystemTemp\~DFEBBE00AA6DA97102.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSIE29E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI71AE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI721D.tmp msiexec.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\Users\Admin\Downloads\BootstrapperV1.15.exe:Zone.Identifier msedge.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 24 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeWebview2Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeWebview2Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wevtutil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5180 MicrosoftEdgeUpdate.exe 1836 MicrosoftEdgeUpdate.exe 2436 MicrosoftEdgeUpdate.exe 5544 MicrosoftEdgeUpdate.exe 4340 MicrosoftEdgeUpdate.exe 776 MicrosoftEdgeUpdate.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge\WarnOnOpen = "0" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\127.0.2651.86\\BHO" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\127.0.2651.86\\BHO" setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge\WarnOnOpen = "0" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights setup.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFiles0000 = 43003a005c00500072006f006700720061006d002000460069006c00650073002000280078003800360029005c004d006900630072006f0073006f00660074005c0045006400670065005c004100700070006c00690063006100740069006f006e005c00390030002e0030002e003800310038002e00360036005c006d00730065006400670065005f0065006c0066002e0064006c006c0000000000 setup.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdgeUpdate.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 0dd8ad496d24e230f84ede3ab42145d044ba48810bf6fbebb4007db4792389ea setup.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager setup.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1" setup.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = a41300000249c7ada8e8da01 setup.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\RegFilesHash = ecbb37ab919136ee23604b951ebc220831ca44e64bde1997294237ed777f8549 setup.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge setup.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" setup.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32\ = "{0E8770A1-043A-4818-BB5C-41862B93EEFF}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CLSID\ = "{5F6A18BB-6231-424B-8242-19E5BB94F8ED}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods\ = "4" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32\ = "{0E8770A1-043A-4818-BB5C-41862B93EEFF}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\ = "Microsoft Edge Update Legacy On Demand" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ProgID MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C} setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32\ = "{0E8770A1-043A-4818-BB5C-41862B93EEFF}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32 MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\ = "Microsoft Edge Update CredentialDialog" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\AppID = "{1FCBE96C-1697-43AF-9140-2897C7C69767}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0E8770A1-043A-4818-BB5C-41862B93EEFF}\ = "PSFactoryBuffer" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\Software\Classes\Interface setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32\ = "{0E8770A1-043A-4818-BB5C-41862B93EEFF}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\CLSID MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\Application setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\ProgrammaticAccessOnly setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\CLSID\ = "{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{0E8770A1-043A-4818-BB5C-41862B93EEFF}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ = "IPolicyStatus3" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine.1.0\CLSID\ = "{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32\ = "{0E8770A1-043A-4818-BB5C-41862B93EEFF}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xml\OpenWithProgIds\MSEdgeHTM setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{0E8770A1-043A-4818-BB5C-41862B93EEFF}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0E8770A1-043A-4818-BB5C-41862B93EEFF}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe -
NTFS ADS 2 IoCs
description ioc Process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 893596.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\BootstrapperV1.15.exe:Zone.Identifier msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4868 msedge.exe 4868 msedge.exe 3004 msedge.exe 3004 msedge.exe 4288 msedge.exe 4288 msedge.exe 1664 identity_helper.exe 1664 identity_helper.exe 2768 msedge.exe 2768 msedge.exe 5320 BootstrapperV1.15.exe 5320 BootstrapperV1.15.exe 5320 BootstrapperV1.15.exe 5564 msiexec.exe 5564 msiexec.exe 4676 MicrosoftEdgeUpdate.exe 4676 MicrosoftEdgeUpdate.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 1208 msedge.exe 4676 MicrosoftEdgeUpdate.exe 4676 MicrosoftEdgeUpdate.exe 4676 MicrosoftEdgeUpdate.exe 4676 MicrosoftEdgeUpdate.exe 5844 BootstrapperV1.15.exe 5844 BootstrapperV1.15.exe 5844 BootstrapperV1.15.exe 5564 msiexec.exe 5564 msiexec.exe 5500 MicrosoftEdgeUpdate.exe 5500 MicrosoftEdgeUpdate.exe 5500 MicrosoftEdgeUpdate.exe 5500 MicrosoftEdgeUpdate.exe 3960 MicrosoftEdgeUpdate.exe 3960 MicrosoftEdgeUpdate.exe 3960 MicrosoftEdgeUpdate.exe 3960 MicrosoftEdgeUpdate.exe 5248 setup.exe 5248 setup.exe 5944 MicrosoftEdgeUpdate.exe 5944 MicrosoftEdgeUpdate.exe 2604 Solara.exe 2604 Solara.exe 5844 setup.exe 5844 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe 5028 setup.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs
pid Process 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3232 BootstrapperV1.15.exe Token: SeDebugPrivilege 732 BootstrapperV1.15.exe Token: SeDebugPrivilege 5320 BootstrapperV1.15.exe Token: SeShutdownPrivilege 5528 msiexec.exe Token: SeIncreaseQuotaPrivilege 5528 msiexec.exe Token: SeSecurityPrivilege 5564 msiexec.exe Token: SeCreateTokenPrivilege 5528 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 5528 msiexec.exe Token: SeLockMemoryPrivilege 5528 msiexec.exe Token: SeIncreaseQuotaPrivilege 5528 msiexec.exe Token: SeMachineAccountPrivilege 5528 msiexec.exe Token: SeTcbPrivilege 5528 msiexec.exe Token: SeSecurityPrivilege 5528 msiexec.exe Token: SeTakeOwnershipPrivilege 5528 msiexec.exe Token: SeLoadDriverPrivilege 5528 msiexec.exe Token: SeSystemProfilePrivilege 5528 msiexec.exe Token: SeSystemtimePrivilege 5528 msiexec.exe Token: SeProfSingleProcessPrivilege 5528 msiexec.exe Token: SeIncBasePriorityPrivilege 5528 msiexec.exe Token: SeCreatePagefilePrivilege 5528 msiexec.exe Token: SeCreatePermanentPrivilege 5528 msiexec.exe Token: SeBackupPrivilege 5528 msiexec.exe Token: SeRestorePrivilege 5528 msiexec.exe Token: SeShutdownPrivilege 5528 msiexec.exe Token: SeDebugPrivilege 5528 msiexec.exe Token: SeAuditPrivilege 5528 msiexec.exe Token: SeSystemEnvironmentPrivilege 5528 msiexec.exe Token: SeChangeNotifyPrivilege 5528 msiexec.exe Token: SeRemoteShutdownPrivilege 5528 msiexec.exe Token: SeUndockPrivilege 5528 msiexec.exe Token: SeSyncAgentPrivilege 5528 msiexec.exe Token: SeEnableDelegationPrivilege 5528 msiexec.exe Token: SeManageVolumePrivilege 5528 msiexec.exe Token: SeImpersonatePrivilege 5528 msiexec.exe Token: SeCreateGlobalPrivilege 5528 msiexec.exe Token: SeRestorePrivilege 5564 msiexec.exe Token: SeTakeOwnershipPrivilege 5564 msiexec.exe Token: SeRestorePrivilege 5564 msiexec.exe Token: SeTakeOwnershipPrivilege 5564 msiexec.exe Token: SeRestorePrivilege 5564 msiexec.exe Token: SeTakeOwnershipPrivilege 5564 msiexec.exe Token: SeRestorePrivilege 5564 msiexec.exe Token: SeTakeOwnershipPrivilege 5564 msiexec.exe Token: SeRestorePrivilege 5564 msiexec.exe Token: SeTakeOwnershipPrivilege 5564 msiexec.exe Token: SeRestorePrivilege 5564 msiexec.exe Token: SeTakeOwnershipPrivilege 5564 msiexec.exe Token: SeRestorePrivilege 5564 msiexec.exe Token: SeTakeOwnershipPrivilege 5564 msiexec.exe Token: SeRestorePrivilege 5564 msiexec.exe Token: SeTakeOwnershipPrivilege 5564 msiexec.exe Token: SeRestorePrivilege 5564 msiexec.exe Token: SeTakeOwnershipPrivilege 5564 msiexec.exe Token: SeRestorePrivilege 5564 msiexec.exe Token: SeTakeOwnershipPrivilege 5564 msiexec.exe Token: SeRestorePrivilege 5564 msiexec.exe Token: SeTakeOwnershipPrivilege 5564 msiexec.exe Token: SeSecurityPrivilege 6048 wevtutil.exe Token: SeBackupPrivilege 6048 wevtutil.exe Token: SeSecurityPrivilege 6068 wevtutil.exe Token: SeBackupPrivilege 6068 wevtutil.exe Token: SeRestorePrivilege 5564 msiexec.exe Token: SeTakeOwnershipPrivilege 5564 msiexec.exe Token: SeRestorePrivilege 5564 msiexec.exe -
Suspicious use of FindShellTrayWindow 37 IoCs
pid Process 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe 3004 msedge.exe -
Suspicious use of SetWindowsHookEx 12 IoCs
pid Process 904 MiniSearchHost.exe 5460 MicrosoftEdgeWebview2Setup.exe 4676 MicrosoftEdgeUpdate.exe 6064 MicrosoftEdgeUpdate.exe 6124 MicrosoftEdgeUpdate.exe 5180 MicrosoftEdgeUpdate.exe 5268 MicrosoftEdgeUpdate.exe 3860 MicrosoftEdgeWebview2Setup.exe 5500 MicrosoftEdgeUpdate.exe 3572 MicrosoftEdgeUpdate.exe 5544 MicrosoftEdgeUpdate.exe 780 MicrosoftEdgeUpdate.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3004 wrote to memory of 4200 3004 msedge.exe 98 PID 3004 wrote to memory of 4200 3004 msedge.exe 98 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 2348 3004 msedge.exe 99 PID 3004 wrote to memory of 4868 3004 msedge.exe 100 PID 3004 wrote to memory of 4868 3004 msedge.exe 100 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 PID 3004 wrote to memory of 2352 3004 msedge.exe 101 -
System policy modification 1 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" setup.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.15.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV1.15.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3232
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:904
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e1263cb8,0x7ff9e1263cc8,0x7ff9e1263cd82⤵PID:4200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:22⤵PID:2348
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:82⤵PID:2352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:12⤵PID:1180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵PID:2232
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:12⤵PID:4312
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:12⤵PID:908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3848 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3864 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:12⤵PID:2436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:12⤵PID:3204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:12⤵PID:5012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:12⤵PID:2876
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:12⤵PID:4276
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:12⤵PID:2844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:12⤵PID:2300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:12⤵PID:2436
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:12⤵PID:4540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:12⤵PID:2308
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:12⤵PID:4944
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:12⤵PID:3016
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:12⤵PID:4408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:12⤵PID:344
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:12⤵PID:2572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:12⤵PID:1340
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:12⤵PID:1844
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:12⤵PID:1384
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:12⤵PID:2676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:12⤵PID:880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:12⤵PID:1432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:12⤵PID:236
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7452 /prefetch:12⤵PID:2300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7992 /prefetch:12⤵PID:2076
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:12⤵PID:4752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7440 /prefetch:82⤵PID:4288
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7428 /prefetch:12⤵PID:2444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7792 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2768
-
-
C:\Users\Admin\Downloads\BootstrapperV1.15.exe"C:\Users\Admin\Downloads\BootstrapperV1.15.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:732
-
-
C:\Users\Admin\Downloads\BootstrapperV1.15.exe"C:\Users\Admin\Downloads\BootstrapperV1.15.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5320 -
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn3⤵
- Suspicious use of AdjustPrivilegeToken
PID:5528
-
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5460 -
C:\Program Files (x86)\Microsoft\Temp\EUE7E2.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EUE7E2.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"4⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4676 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6064
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6124 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:6040
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:6052
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:6136
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjU0ODE3NDYtRUNEQS00QTIwLTgyMTAtNUQ4MDgxQzZFQjJGfSIgdXNlcmlkPSJ7QjkxRENEN0UtMDNBRC00QkI0LTg3MEEtMjExQjA4ODZDMzE1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InswNUZBNjc0RS04ODNDLTQxODgtOUI5MC1DRDJGMTA4MTU4NTR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE0My41NyIgbmV4dHZlcnNpb249IjEuMy4xOTUuMTUiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijg5MTYyMjI4NTEiIGluc3RhbGxfdGltZV9tcz0iNjU2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of SetWindowsHookEx
PID:5180
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{25481746-ECDA-4A20-8210-5D8081C6EB2F}" /silent5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5268
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5328 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1208
-
-
C:\Users\Admin\Downloads\BootstrapperV1.15.exe"C:\Users\Admin\Downloads\BootstrapperV1.15.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5844 -
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn3⤵PID:4636
-
-
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3860 -
C:\Program Files (x86)\Microsoft\Temp\EU7940.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU7940.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5500 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /healthcheck5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3572
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDI1Njc2M0ItM0YwNC00RkFCLUE1MkUtMjExRTUxOTk3NEUzfSIgdXNlcmlkPSJ7QjkxRENEN0UtMDNBRC00QkI0LTg3MEEtMjExQjA4ODZDMzE1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGRTgxRTdBNS0yMTEyLTRGNTYtOTAwRS1EMUU2MkE0NUU2NDR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtoVmZEak1kRkc2RmdLczBOejZlbXJZQ1NnNlRRdkRQb21vbFJheVFYQks0PSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjE1IiBuZXh0dmVyc2lvbj0iMS4zLjE5NS4xNSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTkzNjE5OTkyNiIgaW5zdGFsbF90aW1lX21zPSI0NyIvPjwvYXBwPjwvcmVxdWVzdD45⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of SetWindowsHookEx
PID:5544
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{D256763B-3F04-4FAB-A52E-211E519974E3}" /silent5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:780
-
-
-
-
C:\ProgramData\Solara\Solara.exe"C:\ProgramData\Solara\Solara.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2604
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1772,6427023894205991760,9637207226724797705,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:12⤵PID:2500
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3028
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2240
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5564 -
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 633292D0910867D13E8545B48902D40C2⤵
- Loads dropped DLL
PID:5728
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2EDE44401251206321E4FE791FD62E592⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5808
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7FB54FB3FA1EAF4181E97016ED9B0183 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5940 -
C:\Windows\SysWOW64\wevtutil.exe"wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:6048 -
C:\Windows\System32\wevtutil.exe"wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow644⤵
- Suspicious use of AdjustPrivilegeToken
PID:6068
-
-
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding DFFAE53BF6AA3CB1C2670EF29A071C8B2⤵
- Loads dropped DLL
PID:5948
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 71928EEDB972753ADC3226A3C97245992⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3008
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A5979C737FBBCCEB8A5D6EDDDD6C8B37 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5172
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5132 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjU0ODE3NDYtRUNEQS00QTIwLTgyMTAtNUQ4MDgxQzZFQjJGfSIgdXNlcmlkPSJ7QjkxRENEN0UtMDNBRC00QkI0LTg3MEEtMjExQjA4ODZDMzE1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Nzg1RDJGRUEtOTQ5OS00RjQ0LTkyNzAtMEE3RDA4OEQ2OUI5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MjI2MTM1MzMiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM2NzA4NjA0MTY3NzAzODEiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTE0MzI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4OTIxMTU0MDI3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies data under HKEY_USERS
PID:1836
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{038FBFAB-4060-45DB-8449-31DBFBA10860}\MicrosoftEdge_X64_127.0.2651.86.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{038FBFAB-4060-45DB-8449-31DBFBA10860}\MicrosoftEdge_X64_127.0.2651.86.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:5328 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{038FBFAB-4060-45DB-8449-31DBFBA10860}\EDGEMITMP_6C7C9.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{038FBFAB-4060-45DB-8449-31DBFBA10860}\EDGEMITMP_6C7C9.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{038FBFAB-4060-45DB-8449-31DBFBA10860}\MicrosoftEdge_X64_127.0.2651.86.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:5708 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{038FBFAB-4060-45DB-8449-31DBFBA10860}\EDGEMITMP_6C7C9.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{038FBFAB-4060-45DB-8449-31DBFBA10860}\EDGEMITMP_6C7C9.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{038FBFAB-4060-45DB-8449-31DBFBA10860}\EDGEMITMP_6C7C9.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6e9c9b7d0,0x7ff6e9c9b7dc,0x7ff6e9c9b7e84⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5776
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjU0ODE3NDYtRUNEQS00QTIwLTgyMTAtNUQ4MDgxQzZFQjJGfSIgdXNlcmlkPSJ7QjkxRENEN0UtMDNBRC00QkI0LTg3MEEtMjExQjA4ODZDMzE1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGNjUxOTQzMS00QjFCLTRCQjQtQUQwNC0yMDMzQzM2QzQ1NEZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtoVmZEak1kRkc2RmdLczBOejZlbXJZQ1NnNlRRdkRQb21vbFJheVFYQks0PSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMjcuMC4yNjUxLjg2IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4OTczNTA5MTYyIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iODk3MzY2NDg3NiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjkyMzMzNTkyNzUiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5mLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2IyMzVmYzNhLTg2YmYtNDIwZi1iMWJjLTZjNjdhM2E5NTg4OT9QMT0xNzIzNjI1Mjk0JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUh3eE8zYmNNQWlnQTBkUzVoTEZJQnBLYVZ2RGdFUUczenQ1amNySzU4R2NTMHpJcFdHOVdoR1RNVFpoTmJ0Qmp6V3FiMU5aeSUyZk9vVDVIZUhxckVLdVElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzI1NjcxMDQiIHRvdGFsPSIxNzI1NjcxMDQiIGRvd25sb2FkX3RpbWVfbXM9IjE5NTc5Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTIzMzM1OTI3NSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjkyNDc0MjE5ODYiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk2ODc3MzQyMjUiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxOTg0IiBkb3dubG9hZF90aW1lX21zPSIyNTkyMyIgZG93bmxvYWRlZD0iMTcyNTY3MTA0IiB0b3RhbD0iMTcyNTY3MTA0IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI0NDAzMSIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2436
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
PID:6052 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A431C00D-2E0B-40E7-9CE3-DCD481AA9117}\MicrosoftEdge_X64_127.0.2651.86.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A431C00D-2E0B-40E7-9CE3-DCD481AA9117}\MicrosoftEdge_X64_127.0.2651.86.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
PID:4900 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A431C00D-2E0B-40E7-9CE3-DCD481AA9117}\EDGEMITMP_E5E34.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A431C00D-2E0B-40E7-9CE3-DCD481AA9117}\EDGEMITMP_E5E34.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A431C00D-2E0B-40E7-9CE3-DCD481AA9117}\MicrosoftEdge_X64_127.0.2651.86.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
PID:112 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A431C00D-2E0B-40E7-9CE3-DCD481AA9117}\EDGEMITMP_E5E34.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A431C00D-2E0B-40E7-9CE3-DCD481AA9117}\EDGEMITMP_E5E34.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A431C00D-2E0B-40E7-9CE3-DCD481AA9117}\EDGEMITMP_E5E34.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff7752cb7d0,0x7ff7752cb7dc,0x7ff7752cb7e84⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2824
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDI1Njc2M0ItM0YwNC00RkFCLUE1MkUtMjExRTUxOTk3NEUzfSIgdXNlcmlkPSJ7QjkxRENEN0UtMDNBRC00QkI0LTg3MEEtMjExQjA4ODZDMzE1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins4RjI4MkQ3MS04RDY4LTRBODYtQTI0RS1DNzQwQkE1NkE5NkN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtoVmZEak1kRkc2RmdLczBOejZlbXJZQ1NnNlRRdkRQb21vbFJheVFYQks0PSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMjcuMC4yNjUxLjg2IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5OTQ0NDgxNDQwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTk0NDQ4MTQ0MCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk5NTc5MTg2NDkiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5OTczODU2MzY0IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDMzNDIyOTA4MSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjQzNyIgZG93bmxvYWRlZD0iMTcyNTY3MTA0IiB0b3RhbD0iMTcyNTY3MTA0IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMSIgaW5zdGFsbF90aW1lX21zPSIzNjAyMiIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies data under HKEY_USERS
PID:4340
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3960
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5944 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{74E9ECFA-EAC7-4B24-A79D-AFD049361664}\MicrosoftEdge_X64_127.0.2651.86.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{74E9ECFA-EAC7-4B24-A79D-AFD049361664}\MicrosoftEdge_X64_127.0.2651.86.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
- Executes dropped EXE
PID:5032 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{74E9ECFA-EAC7-4B24-A79D-AFD049361664}\EDGEMITMP_4C366.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{74E9ECFA-EAC7-4B24-A79D-AFD049361664}\EDGEMITMP_4C366.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{74E9ECFA-EAC7-4B24-A79D-AFD049361664}\MicrosoftEdge_X64_127.0.2651.86.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:5248 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{74E9ECFA-EAC7-4B24-A79D-AFD049361664}\EDGEMITMP_4C366.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{74E9ECFA-EAC7-4B24-A79D-AFD049361664}\EDGEMITMP_4C366.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{74E9ECFA-EAC7-4B24-A79D-AFD049361664}\EDGEMITMP_4C366.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6e4d7b7d0,0x7ff6e4d7b7dc,0x7ff6e4d7b7e84⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3384
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{74E9ECFA-EAC7-4B24-A79D-AFD049361664}\EDGEMITMP_4C366.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{74E9ECFA-EAC7-4B24-A79D-AFD049361664}\EDGEMITMP_4C366.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:5892 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{74E9ECFA-EAC7-4B24-A79D-AFD049361664}\EDGEMITMP_4C366.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{74E9ECFA-EAC7-4B24-A79D-AFD049361664}\EDGEMITMP_4C366.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{74E9ECFA-EAC7-4B24-A79D-AFD049361664}\EDGEMITMP_4C366.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff6e4d7b7d0,0x7ff6e4d7b7dc,0x7ff6e4d7b7e85⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5160
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5432 -
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff65bdfb7d0,0x7ff65bdfb7dc,0x7ff65bdfb7e85⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5024
-
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMTUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTQyREEzMTUtRkM3MC00Q0VBLUI1NEUtMDE1OEIzRENBOUFBfSIgdXNlcmlkPSJ7QjkxRENEN0UtMDNBRC00QkI0LTg3MEEtMjExQjA4ODZDMzE1fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InswRTIzOUU3Ri01MkU4LTQ1RUYtQjI4NS0wMzczNjkzMUM1OUV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtoVmZEak1kRkc2RmdLczBOejZlbXJZQ1NnNlRRdkRQb21vbFJheVFYQks0PSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjE1IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9IklzT25JbnRlcnZhbENvbW1hbmRzQWxsb3dlZD0lNUIlMjItdGFyZ2V0X2RldiUyMiU1RCIgaW5zdGFsbGFnZT0iMCIgY29ob3J0PSJycmZAMC44NSI-PHVwZGF0ZWNoZWNrLz48cGluZyByPSItMSIgcmQ9Ii0xIi8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkwLjAuODE4LjY2IiBuZXh0dmVyc2lvbj0iMTI3LjAuMjY1MS44NiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzNjc0OTM5OTY4MjUzMzIwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMjUwODQyMDg1NCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMjUwODczMzMyNyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMjUzNjA3NjgzNiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMjU1MDEzOTc5NyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTI4OTkyMDI1OTciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI0NzUwIiBkb3dubG9hZGVkPSIxNzI1NjcxMDQiIHRvdGFsPSIxNzI1NjcxMDQiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIyIiBpbnN0YWxsX3RpbWVfbXM9IjM0OTA2Ii8-PHBpbmcgYWN0aXZlPSIxIiBhPSItMSIgcj0iLTEiIGFkPSItMSIgcmQ9Ii0xIi8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEyNy4wLjI2NTEuODYiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBjb2hvcnQ9InJyZkAxLjAwIiB1cGRhdGVfY291bnQ9IjEiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iLTEiIHJkPSItMSIgcGluZ19mcmVzaG5lc3M9Ins5QzE0RTU4RC02N0YwLTQzQzctQUVDMC03RUU5Nzk5NUYzOEF9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:776
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\elevation_service.exe"1⤵
- Executes dropped EXE
PID:720 -
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe" --rename-msedge-exe --system-level --verbose-logging --msedge --channel=stable2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4264 -
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff65bdfb7d0,0x7ff65bdfb7dc,0x7ff65bdfb7e83⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:5976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe" --msedge --channel=stable --delete-old-versions --system-level --verbose-logging3⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5028 -
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x24c,0x250,0x254,0x228,0x258,0x7ff65bdfb7d0,0x7ff65bdfb7dc,0x7ff65bdfb7e84⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3308
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5844 -
C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=127.0.6533.89 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=127.0.2651.86 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff65bdfb7d0,0x7ff65bdfb7dc,0x7ff65bdfb7e84⤵
- Executes dropped EXE
PID:1244
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Active Setup
1Browser Extensions
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Boot or Logon Autostart Execution
1Active Setup
1Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Modify Registry
4Subvert Trust Controls
1SIP and Trust Provider Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.0MB
MD5838d99bf68f9da13faaf110bd1ca771e
SHA160decb8ba45d81806f2af06f11efb1b5d8f3efcc
SHA2564dcc1dfa9376511a62a141bf63da2dcf6000f8df5c504e4dbd2c3bfe62e9060d
SHA5123825c17c86795139c637ec0dd2828facfbcaf94599bbd5f90107c6a408828c95e5b17575c6d2f07a91967aa8c88e4d7454ecd18fba25c20e0b8094f2c9964b7c
-
Filesize
215KB
MD5df47f836e9ef7580ed5edf10ad2ffe6d
SHA1625b8500c4d4d5b6e1ec8d80a51723860f8ae5b7
SHA25637384d3ef893b82a006f8d3fc1f1e25003096b6782deb887c657e80d0cd8e4bd
SHA512fbfd0818562f10b774f8d7057957fa47b87bed58e863272d3a067985b6cf4f69a4c8c0ffb0ba16d61e424052547b2050032e1c0cdc7a64b2f78e6d989470bfc2
-
Filesize
6.6MB
MD571bf4a76d1762959b49eda173f57656e
SHA12ead7f36b7ef2790d83d10d96b20959bf73d061d
SHA2560121c1dde7daaacfd974fc8545a029e970ad7769af84646feff41b7c8c2de33e
SHA51205ea34097e98e4df5358a2968e4af9c7157c1946b15787d5c3cb1c841d47db6cacda4135a0fc662c2dae0b8ad03bdcfa1015db745c39bb16068df0108bda717e
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A431C00D-2E0B-40E7-9CE3-DCD481AA9117}\EDGEMITMP_E5E34.tmp\SETUP.EX_
Filesize2.6MB
MD5773e45f33cae3d7e514589b04930d7ba
SHA1ca73da33a39de5309b596eaeb055f3175864c0ae
SHA25616ee960dbf5a6b3c3d465ba2d77c049af4c15e5aea5c6f8b2e44ee7e5a623ed8
SHA512d707474b38e991b8b015a0cc1bddc5dec29622c9f48b43e4b37d4e4d2a74dca70fd71eb792ee8d38c53af43da4e500afa018b27df3dfc9b652b5c1c0a76fff4f
-
Filesize
201KB
MD5136e8226d68856da40a4f60e70581b72
SHA16c1a09e12e3e07740feef7b209f673b06542ab62
SHA256b4b8a2f87ee9c5f731189fe9f622cb9cd18fa3d55b0e8e0ae3c3a44a0833709f
SHA5129a0215830e3f3a97e8b2cdcf1b98053ce266f0c6cb537942aec1f40e22627b60cb5bb499faece768481c41f7d851fcd5e10baa9534df25c419664407c6e5a399
-
Filesize
8KB
MD5a38123446847ae68c5492775de3cf471
SHA1b0ee15723a65874bb29c56bc764c276ea23e0266
SHA256ea0b844cd0e7207ccf6564028d421c87479899a9c8118c32415d88f2314a178f
SHA512994d7b9795110044b4863cf242ddda4ecc10bdb25cbfd84605ed769574e5d99915dc3ec28fb6e80e5d5cd25c2109cd260626841b6539f5854847f0bb7f0270ea
-
Filesize
8KB
MD5d3bc164e23e694c644e0b1ce3e3f9910
SHA11849f8b1326111b5d4d93febc2bafb3856e601bb
SHA2561185aaa5af804c6bc6925f5202e68bb2254016509847cd382a015907440d86b4
SHA51291ebff613f4c35c625bb9b450726167fb77b035666ed635acf75ca992c4846d952655a2513b4ecb8ca6f19640d57555f2a4af3538b676c3bd2ea1094c4992854
-
Filesize
818B
MD52916d8b51a5cc0a350d64389bc07aef6
SHA1c9d5ac416c1dd7945651bee712dbed4d158d09e1
SHA256733dcbf5b1c95dc765b76db969b998ce0cbb26f01be2e55e7bccd6c7af29cb04
SHA512508c5d1842968c478e6b42b94e04e0b53a342dfaf52d55882fdcfe02c98186e9701983ab5e9726259fba8336282e20126c70d04fc57964027586a40e96c56b74
-
Filesize
1KB
MD55ad87d95c13094fa67f25442ff521efd
SHA101f1438a98e1b796e05a74131e6bb9d66c9e8542
SHA25667292c32894c8ac99db06ffa1cb8e9a5171ef988120723ebe673bf76712260ec
SHA5127187720ccd335a10c9698f8493d6caa2d404e7b21731009de5f0da51ad5b9604645fbf4bc640aa94513b9eb372aa6a31df2467198989234bc2afbce87f76fbc3
-
Filesize
754B
MD5d2cf52aa43e18fdc87562d4c1303f46a
SHA158fb4a65fffb438630351e7cafd322579817e5e1
SHA25645e433413760dc3ae8169be5ed9c2c77adc31ad4d1bc5a28939576df240f29a0
SHA51254e33d7998b5e9ba76b2c852b4d0493ebb1b1ee3db777c97e6606655325ff66124a0c0857ca4d62de96350dbaee8d20604ec22b0edc17b472086da4babbbcb16
-
Filesize
771B
MD5e9dc66f98e5f7ff720bf603fff36ebc5
SHA1f2b428eead844c4bf39ca0d0cf61f6b10aeeb93b
SHA256b49c8d25a8b57fa92b2902d09c4b8a809157ee32fc10d17b7dbb43c4a8038f79
SHA5128027d65e1556511c884cb80d3c1b846fc9d321f3f83002664ad3805c4dee8e6b0eaf1db81c459153977bdbde9e760b0184ba6572f68d78c37bff617646bcfc3b
-
Filesize
730B
MD5072ac9ab0c4667f8f876becedfe10ee0
SHA10227492dcdc7fb8de1d14f9d3421c333230cf8fe
SHA2562ef361317adeda98117f14c5110182c28eae233af1f7050c83d4396961d14013
SHA512f38fd6506bd9795bb27d31f1ce38b08c9e6f1689c34fca90e9e1d5194fa064d1f34a9c51d15941506ebbbcd6d4193055e9664892521b7e39ebcd61c3b6f25013
-
C:\Program Files\nodejs\node_modules\npm\node_modules\minipass-pipeline\node_modules\minipass\package.json
Filesize1KB
MD5d116a360376e31950428ed26eae9ffd4
SHA1192b8e06fb4e1f97e5c5c7bf62a9bff7704c198b
SHA256c3052bd85910be313e38ad355528d527b565e70ef15a784db3279649eee2ded5
SHA5125221c7648f4299234a4637c47d3f1eb5e147014704913bc6fdad91b9b6a6ccc109bced63376b82b046bb5cad708464c76fb452365b76dbf53161914acf8fb11a
-
Filesize
802B
MD5d7c8fab641cd22d2cd30d2999cc77040
SHA1d293601583b1454ad5415260e4378217d569538e
SHA25604400db77d925de5b0264f6db5b44fe6f8b94f9419ad3473caaa8065c525c0be
SHA512278ff929904be0c19ee5fb836f205e3e5b3e7cec3d26dd42bbf1e7e0ca891bf9c42d2b28fce3741ae92e4a924baf7490c7c6c59284127081015a82e2653e0764
-
Filesize
16KB
MD5bc0c0eeede037aa152345ab1f9774e92
SHA156e0f71900f0ef8294e46757ec14c0c11ed31d4e
SHA2567a395802fbe01bb3dc8d09586e0864f255874bf897378e546444fbaec29f54c5
SHA5125f31251825554bf9ed99eda282fa1973fcec4a078796a10757f4fb5592f2783c4ebdd00bdf0d7ed30f82f54a7668446a372039e9d4589db52a75060ca82186b3
-
Filesize
780B
MD5b020de8f88eacc104c21d6e6cacc636d
SHA120b35e641e3a5ea25f012e13d69fab37e3d68d6b
SHA2563f24d692d165989cd9a00fe35ca15a2bc6859e3361fa42aa20babd435f2e4706
SHA5124220617e29dd755ad592295bc074d6bc14d44a1feeed5101129669f3ecf0e34eaa4c7c96bbc83da7352631fa262baab45d4a370dad7dabec52b66f1720c28e38
-
Filesize
763B
MD57428aa9f83c500c4a434f8848ee23851
SHA1166b3e1c1b7d7cb7b070108876492529f546219f
SHA2561fccd0ad2e7e0e31ddfadeaf0660d7318947b425324645aa85afd7227cab52d7
SHA512c7f01de85f0660560206784cdf159b2bdc5f1bc87131f5a8edf384eba47a113005491520b0a25d3cc425985b5def7b189e18ff76d7d562c434dc5d8c82e90cce
-
C:\Program Files\nodejs\node_modules\npm\node_modules\tar\node_modules\fs-minipass\node_modules\minipass\index.d.ts
Filesize4KB
MD5f0bd53316e08991d94586331f9c11d97
SHA1f5a7a6dc0da46c3e077764cfb3e928c4a75d383e
SHA256dd3eda3596af30eda88b4c6c2156d3af6e7fa221f39c46e492c5e9fb697e2fef
SHA512fd6affbaed67d09cf45478f38e92b8ca6c27650a232cbbeaff36e4f7554fb731ae44cf732378641312e98221539e3d8fabe80a7814e4f425026202de44eb5839
-
Filesize
771B
MD51d7c74bcd1904d125f6aff37749dc069
SHA121e6dfe0fffc2f3ec97594aa261929a3ea9cf2ab
SHA25624b8d53712087b867030d18f2bd6d1a72c78f9fb4dee0ce025374da25e4443b9
SHA512b5ac03addd29ba82fc05eea8d8d09e0f2fa9814d0dd619c2f7b209a67d95b538c3c2ff70408641ef3704f6a14e710e56f4bf57c2bb3f8957ba164f28ee591778
-
Filesize
15KB
MD5eaef914654e3b24f4f3c1c137c7d0bf8
SHA1e9511589e8a3806f5b061fa35dfb82cf2d7b7133
SHA256882724012cd699e69b426586a5f5c376d52b684808c2a7a934411d1e0bbdeb1e
SHA5121d9721dc7a82893fc3738f7175b24cbf435a66aa6bb482326ae6d654fae8edc9487bcc17dd625f15425823f4ee774140dd4b4367d408d9e506e1c92e900fc5db
-
Filesize
168B
MD5db7dbbc86e432573e54dedbcc02cb4a1
SHA1cff9cfb98cff2d86b35dc680b405e8036bbbda47
SHA2567cf8a9c96f9016132be81fd89f9573566b7dc70244a28eb59d573c2fdba1def9
SHA5128f35f2e7dac250c66b209acecab836d3ecf244857b81bacebc214f0956ec108585990f23ff3f741678e371b0bee78dd50029d0af257a3bb6ab3b43df1e39f2ec
-
Filesize
133B
MD535b86e177ab52108bd9fed7425a9e34a
SHA176a1f47a10e3ab829f676838147875d75022c70c
SHA256afaa6c6335bd3db79e46fb9d4d54d893cee9288e6bb4738294806a9751657319
SHA5123c8047c94b789c8496af3c2502896cef2d348ee31618893b9b71244af667ec291dcb9b840f869eb984624660086db0c848d1846aa601893e6f9955e56da19f62
-
Filesize
152B
MD56fdbe80e9fe20761b59e8f32398f4b14
SHA1049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f
SHA256b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942
SHA512cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234
-
Filesize
152B
MD59828ffacf3deee7f4c1300366ec22fab
SHA19aff54b57502b0fc2be1b0b4b3380256fb785602
SHA256a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7
SHA5122e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d
-
Filesize
1KB
MD53d9325313e706bf2401d50e1fe1875f6
SHA1c3818df1e9539315efc6a591a975ce2ce68685d0
SHA256d6123c75ac6d742e43aa38767776bf28814d5345bec271a1466b3179afa0d57e
SHA5121311dc7c26a1b0f0c30659975b165f9e90d1d417b337193ba9041db89ac2076706dd779662817ae2b47ae5354497758a0ed9264c609812c9d8006a74308de06c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5c94e201f8b1cdf3e89402b144303858a
SHA15456614f05c9bdb5011587129ba65c05fed7946d
SHA256971dcead4feb54d77eeda3b3099522fb8922bc5feb4dac3fb604fefcfd2009ed
SHA5120232adad31ee790b79d940eff7f95ee1574c16faf5157af24e79a23f315dd6aa071104a742334c99e782ef9768acb57b0b31820b5469881aaf2d58d7c46b5040
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD5fbcf30f5c23f717e83aa725b90e5bedb
SHA1f463e39c77d473b59f00783c281c410d7222a50b
SHA256de9988649805d57c4b15c24c629157559ad7786470fd1ce29f2816f4c945157b
SHA5125d1aae6e89aa0db8353f1a37552e04d8741caeee0df851b69b058ada0acc06a87bf5ffc1d71ae3e33d183262eadbc5bc199492759c33f4fbdb9db2c50af0a804
-
Filesize
10KB
MD55eb5340b96f4dfcb65c5678916bd1c26
SHA192338aa06667b3164d54159c2f207290e528fb85
SHA2565dfb99f2f821c4f56395192cb5499395ac442a3c10201afd8ed2b993adf25e9b
SHA5120fa72e65118936255fb44a0db2e5788e756a82b80dc624d590ec67f48911bd128ed768df97d5ca0838110b980c450e615eee4f369899fb964723cc2765212886
-
Filesize
10KB
MD55cc1a2d41cc5c837f602ff38fd920288
SHA1fdcaa80b70f12a5b2b67ad8ab4ad27e47350fcfd
SHA256b7013f1d70553526b0de40cbb21302d0bfd33cb4df0cbe392e07bd5ba6badbd0
SHA512c085bbdc22e0b4f7df2dfbde77e08887afed97ab88b53ee6aa05358e3aac9662127ce6c9c5d6ab4b96cb0faa08e83fcef90ce6646f6cc534d89d0abeb70e63ff
-
Filesize
10KB
MD575bc750e7b76b5a0304d72e509fb805d
SHA1b834488b645ba617a36ca96aea9c1715a2189f60
SHA2560d5b81288aa67d878c512d7d607696d52e927d63c994f6b497fc4193c3d472cc
SHA512e8f015687a35d9c89ff4bb3b6ef056cedf974bd8682455f2170bf2f4ef30ad6083f81b266d648cc29590fdd3916c691cea3cf8d607d6940b9ab7185be71d541c
-
Filesize
10KB
MD58c2a8addc73fe5961606a331efe2aca4
SHA16fec600b3b8ef354271f73df58a3fd005203c2c9
SHA25624f129691de024184c9987fc43a886cda9e85643bea133ec8417f6acb5b8930f
SHA5120c6cfec7dd35a9b9a630e124d8d9c75d476245c65497bea2269a5895b73397b5500b0d30ab1d9e3a494be428bbb8460a2c6b824e6c75ee777df1234a4fa6a43e
-
Filesize
15KB
MD52736f133853b394b708344e163b91e6b
SHA12b560ab059c5909197e1b219c396d839213c497f
SHA2563b170b4fdc2826893d57bbeded14df6818317fde83b7dd0c3973aa628dee9869
SHA512bc7cffa73cc8b5e942435b0a96234cda367731f2e4382acd8dcb81c7a424173c7d5f5d7f2fd26bbe3488176943ef04d4c774f2c17c4150605037fd29861b961f
-
Filesize
5KB
MD57632d9a2aaefd506c5e950d68eca482d
SHA1022a6b313a5a7a53338e7928a35f109894993112
SHA2563ecf984acb73c5601f7b3e8cd5e8add20e39aa9ed7bc4feeaa465237f36a01ba
SHA512b29a1169d464a3478d86a214a37458048f1d9e467a224330ab01b1acf1bcdc9071a1e9f5abb171d9f45c57b2c3ba6f96e4957298b9fd48d0d678ed93d97bfcf5
-
Filesize
16KB
MD5c7b36b5b9eb1e5bf1b823383b0993bbf
SHA17359ad6d03ffe2d9a7e76149711d4f4b052ef991
SHA2565355017189cfcd8c2c6b86b109b094f8f290a0e9dfc8268ee97e289ba3b75d82
SHA512450c01df72d309e9e997fc59f688023e9d4e12066cfb112390ef691408c93aeed220429af309deca850f7137bbd3248fea952121f80101ead2f3d3895c103677
-
Filesize
16KB
MD5b73a32bfb295e6b1ceed17406b21e934
SHA1e700b41a0a4e3fca12b1b473211c06cd2437d888
SHA256b6de92a1c7d2dc7174452e5751b012ce099a594a19510ecbed883568875c2eb0
SHA5122e35c078a839b423eeabb7d1d40478048c7ad21224ad73424868609c9fffe6555be4e13e7e30583d620165b229fed45fb755dd40c9333f5f2766535f061fb1c6
-
Filesize
5KB
MD5873a4c7a2ded836abe8e2967f505fdb3
SHA19a488430282347e17c1d1d11f823895a5324843d
SHA256ea97339776d71180350a6e8ddd500c6673f2243f6ec1bb17882e42589c723513
SHA51290c59484c205b4b88020f6dcdac9f95c0ae67ff40b63b27f99aea7bb7836b098fdb88528932a416b097cb14443242b82811d8d094d0d4d88f9390f6d3e596323
-
Filesize
15KB
MD5e28725e57702e0a981b24bb1b46f5e43
SHA1243f91657b379a097eb2e682ca80569702434958
SHA256ae295000d28d0e39aa246862cde860d4d55e433162740c01d6969d31b0722936
SHA512e5d41df503a561acd6adf25bf333853ef3252458a6692f284c9c67e96e134dae3fd3f5eb27932106266b477d3abab9d599adaff98af04fc3ee9beb5961939e43
-
Filesize
3KB
MD5593820d8048ede4d895cd7985288cf29
SHA1dd2054612035499f1ecc9eaceb4a72b977f9dcf4
SHA256d703061c8ddad958946244ccad0ee9bca13d6db2c7e8495c6ada64c95a41c19f
SHA51241a9c62f0a28fe638e1a025ff764d1da850eca7fb47eae8639389d6edb5141d71743b7b7d6f560b2892d1224b92ad8524268d4a46ac8a0cded861dddb7d6e689
-
Filesize
4KB
MD5bb0b0bc8449ecdb8dfb87b629eb84f4d
SHA164b5c0eef6bf7c772acc1beab9baefd91fc4a88b
SHA256623c2fd4ddc51709ddeadd087038f62e7dc03773234fac8cb0146bd1527505c1
SHA51244531632b57b0985289b9663ce92904395a3d9dfd5d6545bbaa6d4f980647f97507931aa3c65c684ea6f28c26c1fffd24b609bd032fe8fe04384bbfba6b404ad
-
Filesize
5KB
MD5e4aca43701e3aaeb46ec0b53d74d908c
SHA13d944573c0c9fec31d7967051a601d50691fd217
SHA25661a6ef21605f0c8f1b87618ba4d3a8026bbcd365758fde9d1deb1ad896b30c4f
SHA5127c4c4de5166e400cc0107e6795f5df265bdeaecdd2b0478e36bcbe5860412bb39a00a77eba64794fca90649c643c97fa5a789dc9642300907b3e1297f213ba82
-
Filesize
2KB
MD53d2745a719151a4aecc2b17ca9d42663
SHA1c0770cb40f678803541c498f9412478597d2b4a3
SHA2562e36c1924ffd0ffa9f5de5bed7768b52fbff2ddd03cc239e323b87b787f04ce0
SHA51230f18d1cb63dfa19623f08b10f13d57b4ba62e3acde2f5754bc5fcd7da146b0db3b589c0e0e4fa71989629505299ff8f6e0470034c1990cdb4aa6a326b8d7585
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
11KB
MD5471f774141c5262c798024ba97dbd01f
SHA17e2f08ab937fd0480ecd0277208d64c787211be5
SHA2565c14066475b963163e5768a663002b5d4943586dc71c4baad0274241cef679e4
SHA512061693f68c4f68b0eb6a6969aedbe2fbffa17bc5d036f14f141fab3d1de15fd1f429397dd6ef91cc283880904469f21d3fd69af336bafc96132adb67bc60d35c
-
Filesize
11KB
MD5b2d61e6ac859d1816a2b0b73132756b2
SHA1041422341d841f1350cecf309a41c5dc82836f91
SHA256183ae2de0f735514fe15f2775b989c5ab0727ffd1570026e7d9d95cede4144a5
SHA512798f08f65e76baaa438e792993f19fb49bb2c6056e73fafab6719f09c580780c142fc906916e1b68bc748bdf171a70c0044666ec33f90a61abe066df9db74d05
-
Filesize
11KB
MD53215bb83da29303617c3e7ec765bb9a3
SHA15ea095fcb7cbc3a5ee3c5056fd4b025d26850a0b
SHA256efe7f16f85793b56527e4a5a7c8153e24d561743f750cbeac3969a1bcb551a32
SHA5122ff48ee3e89e8693b615fedef71a86c2bbae4ef5ff9f5c9da26dbd513114bce5fd4b84e4628cf945fe489bdc3cc9f65702ea775b2f2086115988c60c19c70f15
-
Filesize
11KB
MD59c75c9781a5e91f72bfe52977031d844
SHA1756853fb34bc4cd2c2fff55a3f9c7bb2fd3cc8b9
SHA256b6e94038d31f0afe1639c474d9ffef422eadc42de76d124cd97b784d8a10585b
SHA512277569af1d4110773199cdc6d68809d5057ba4c1fa78cdea053142eb3048f182967474788f09e396641e59cd1fc5613f60115690e4c4332502ee12fc8b0d1db2
-
Filesize
11KB
MD55038b98a398c0ff6a986fd6c08a11cad
SHA181812a56b5ff1c7b4b8391eccb1f2bfe7c0ca117
SHA256aa5d7373d4a7059bdc0cf68fe9511bfbfb904f00ca55b46c63f873aeaada0ac9
SHA5128f940eed9e4b5ef7232fac1f49a40f82c0f81dd9556d2f26bc1607e8d35369a22f569838ef329eec687ced83cfa85f5d26aabb3f23849cee08afb55eee1fd31a
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize10KB
MD54d52399020a24c1f6b4254cc7252504b
SHA12afe0c8994c64898d5fe16ca68811438ef19b0ee
SHA256e75a14ce8abaea1788c4361552ef9ef2b86ea02485eb4ad5f8c22c9c49ece3e7
SHA512a481726d4ef1dfd67a86ae79e16abda87a0f370310758cc8a1bb2516a69557129e9612b9430c0ae11d7ddf72e1afc3375f5649a09bb53febe5cc16718ba976b4
-
Filesize
1.6MB
MD545e5ca74b9ae3c3fc6f6a63c609783b6
SHA1f36715bea96d69bb18075fac30b90502c6d2464b
SHA256b4afd37b9087df7e041ae749fd0fa342926d9cce533bde9cdc4283132c3820a9
SHA512014fd398d456fcb118dfd6b038b6f96008ca209d44d9707e175e85e7f14cfb3f2886deaed0d8ed25971813035e8dd7f88142c06972f3e2c9b4a534d84bec661a
-
Filesize
30.1MB
MD50e4e9aa41d24221b29b19ba96c1a64d0
SHA1231ade3d5a586c0eb4441c8dbfe9007dc26b2872
SHA2565bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d
SHA512e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
796KB
MD5653c07b9b5f1b22c84f72c03b0083d18
SHA154c25b876736011d016dc0ea06a1533365555cc4
SHA256c9d04a3a87fee318ba65f837f40bd2dd2428f25e78bf271207f8b2b02aaa8a06
SHA512b605773fc4fa244f354bb8f51621225e6482751d19bddf747f03f624581bc7ae896ca0e40be91b667aea7a7978a291497a362f9bd65449682e1948938af684f8
-
Filesize
122KB
MD59fe9b0ecaea0324ad99036a91db03ebb
SHA1144068c64ec06fc08eadfcca0a014a44b95bb908
SHA256e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9
SHA512906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
297KB
MD57a86ce1a899262dd3c1df656bff3fb2c
SHA133dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541
SHA256b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c
SHA512421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec
-
Filesize
280B
MD5d6edb8e1864d97956c972f7158535eb8
SHA169fc8145119affddcd40e4e190ffff1a2415e3cf
SHA25602f1971e3d9ad4aecd4db7ffb927228f4d0cc0537b25d08a2ccf07213223db91
SHA512df3ae4fece50946012d752b74f0f71ccfd7d1fd32ae81c45c05c34278a19d028c494fd7651932d405cb599fecf1522cd683adffdb7e114f652874359336269ab