Malware Analysis Report

2024-11-16 12:52

Sample ID 240813-hl8afsyhpg
Target Remove-EdgeOnly.exe
SHA256 33ba55d82eaab33a54fc34f1b8ce650a8f264a10295ed09d35548a5106780480
Tags
adware discovery evasion execution exploit persistence privilege_escalation spyware stealer pyinstaller
score
8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
8/10

SHA256

33ba55d82eaab33a54fc34f1b8ce650a8f264a10295ed09d35548a5106780480

Threat Level: Likely malicious

The file Remove-EdgeOnly.exe was found to be: Likely malicious.

Malicious Activity Summary

adware discovery evasion execution exploit persistence privilege_escalation spyware stealer pyinstaller

Boot or Logon Autostart Execution: Active Setup

Possible privilege escalation attempt

Stops running service(s)

Modifies file permissions

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Event Triggered Execution: Component Object Model Hijacking

Checks computer location settings

Installs/modifies Browser Helper Object

Launches sc.exe

Drops file in Windows directory

Command and Scripting Interpreter: PowerShell

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Detects Pyinstaller

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry key

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 06:50

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 06:50

Reported

2024-08-13 06:51

Platform

win10v2004-20240802-en

Max time kernel

34s

Max time network

38s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe"

Signatures

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris C:\Windows\SysWOW64\cmd.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\icacls.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\takeown.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\sc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\system32\wermgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\system32\wermgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\system32\wermgr.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\system32\wermgr.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\system32\wermgr.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\SHELL\RUNAS\COMMAND C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0 C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\DEFAULTICON C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\WIN32 C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\APPLICATION C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1 C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0 C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{C9C2B807-7731-4F34-81B7-44FF7779522B}\PROXYSTUBCLSID32 C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\SHELL\RUNAS\COMMAND C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\SHELL\OPEN\COMMAND C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\APPLICATION C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\DEFAULTICON C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LOCALSERVER32 C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TYPELIB C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\WIN64 C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3396 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe
PID 3396 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe
PID 3396 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe
PID 4780 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe
PID 4780 wrote to memory of 1784 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe
PID 1784 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe
PID 1784 wrote to memory of 4660 N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe
PID 1784 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe C:\Windows\system32\wermgr.exe
PID 1784 wrote to memory of 5112 N/A C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe C:\Windows\system32\wermgr.exe
PID 4780 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 2492 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4780 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\schtasks.exe
PID 4780 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\schtasks.exe
PID 4780 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\schtasks.exe
PID 4780 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\sc.exe
PID 4780 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\sc.exe
PID 4780 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\sc.exe
PID 4780 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\sc.exe
PID 4780 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\sc.exe
PID 4780 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\sc.exe
PID 4780 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\reg.exe
PID 4780 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\cmd.exe
PID 4892 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4892 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4892 wrote to memory of 4752 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe
PID 4892 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4892 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4892 wrote to memory of 892 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\icacls.exe
PID 4780 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\cmd.exe
PID 4780 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 4128 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\takeown.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe

"C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe"

C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe

"C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe"

C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe

C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe --uninstall --system-level --force-uninstall

C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe

C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x218,0x21c,0x220,0x1f4,0x224,0x7ff63cbbeb10,0x7ff63cbbeb20,0x7ff63cbbeb30

C:\Windows\system32\wermgr.exe

"C:\Windows\system32\wermgr.exe" "-outproc" "0" "1784" "1780" "1440" "1784" "0" "0" "0" "0" "0" "0" "0" "0"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell "(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -NoProfile -Command "Get-AppxPackage -AllUsers | Where-Object {$_.PackageFullName -like \"*microsoftedge*\"} | Select-Object -ExpandProperty PackageFullName"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdgeDevToolsClient_1000.19041.1023.0_neutral_neutral_8wekyb3d8bbwe 2>$null"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdgeDevToolsClient_1000.19041.1023.0_neutral_neutral_8wekyb3d8bbwe -AllUsers 2>$null"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe 2>$null"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe -AllUsers 2>$null"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge.Stable_127.0.2651.86_neutral__8wekyb3d8bbwe 2>$null"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge.Stable_127.0.2651.86_neutral__8wekyb3d8bbwe -AllUsers 2>$null"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\ProgramData\Microsoft\EdgeUpdate""

C:\Windows\SysWOW64\reg.exe

reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /query /fo csv

C:\Windows\SysWOW64\sc.exe

sc delete edgeupdate

C:\Windows\SysWOW64\sc.exe

sc delete edgeupdatem

C:\Windows\SysWOW64\reg.exe

reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /r /d y && icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /grant administrators:F /t && rd /s /q "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe""

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /r /d y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /grant administrators:F /t

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y && icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t && rd /s /q "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe""

C:\Windows\SysWOW64\takeown.exe

takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\Program Files (x86)\Microsoft\Temp""

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI33962\python311.dll

C:\Users\Admin\AppData\Local\Temp\_MEI33962\VCRUNTIME140.dll

C:\Users\Admin\AppData\Local\Temp\_MEI33962\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_ctypes.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33962\libffi-8.dll

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33962\setup.exe

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33962\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33962\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33962\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI33962\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zofyxigh.tbu.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 06:50

Reported

2024-08-13 06:53

Platform

win7-20240704-en

Max time kernel

14s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe

"C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe"

C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe

"C:\Users\Admin\AppData\Local\Temp\Remove-EdgeOnly.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI6242\python311.dll
