hxxps://www[.]cursor[.]com/

Resubmissions

30-11-2024 22:18

241130-17x1qaxkfv 8

30-11-2024 22:15

241130-16hjms1pel 8

30-11-2024 21:58

241130-1vqe4s1lcm 10

Analysis

max time kernel
753s
max time network
781s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2024 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.cursor.com/

Score

8^/10

defense_evasion discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 1 IoCs

pid	Process
1316	MRT.exe

Loads dropped DLL 8 IoCs

pid	Process
1316	MRT.exe
1316	MRT.exe
1516	wuauclt.exe
1516	wuauclt.exe
1516	wuauclt.exe
1516	wuauclt.exe
6448	MsiExec.exe
6448	MsiExec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Binary Proxy Execution: wuauclt 1 TTPs 5 IoCs

Abuse Wuauclt to proxy execution of malicious code.

defense_evasion

System Binary Proxy Execution

T1218

pid	Process
1516	wuauclt.exe
5880	wuauclt.exe
4176	wuauclt.exe
3616	wuauclt.exe
7544	wuauclt.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	MRT.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\system32\MRT\7D5CAE38-63C9-4B8E-BE4E-E0D8EC828B96\MpGearSupport_20241130_2226229F1E9CCE-6ED9-E33D-858C-A7AF5039376B.log	MRT.exe
File created	C:\Windows\system32\MRT\7D5CAE38-63C9-4B8E-BE4E-E0D8EC828B96\01db4376f2830d9f	MRT.exe
File created	C:\Windows\system32\sedplugins.dll	MsiExec.exe
File opened for modification	C:\Windows\system32\sedplugins.dll	MsiExec.exe
File opened for modification	C:\Windows\system32\MRT.exe	Windows-KB890830-x64-V5.130.exe
File created	C:\Windows\system32\MRT.exe	Windows-KB890830-x64-V5.130.exe
File created	C:\Windows\system32\MRT\7D5CAE38-63C9-4B8E-BE4E-E0D8EC828B96\History\Results\Quick\{38AE5C7D-C963-8E4B-BE4E-E0D8EC828B96}	MRT.exe
File created	C:\Windows\system32\QualityUpdateAssistant.dll	MsiExec.exe
File created	C:\Windows\system32\MRT\4342F2FD-8452-C715-A739-B8361185B417\MPGEAR.DLL	MRT.exe
File created	C:\Windows\system32\MRT\4342F2FD-8452-C715-A739-B8361185B417\MPENGINE.DLL	MRT.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\RUXIM\plugscheduler.xml	msiexec.exe
File created	C:\Program Files\Microsoft Update Health Tools\unifiedinstaller.dll	msiexec.exe
File created	C:\Program Files\Microsoft Update Health Tools\QualityUpdateAssistant.dll	msiexec.exe
File created	C:\Program Files\Microsoft Update Health Tools\sedplugins.dll	msiexec.exe
File created	C:\Program Files\RUXIM\SystemEvaluator.dll	msiexec.exe
File created	C:\Program Files\RUXIM\RUXIMPHDialogHandlers.dll	msiexec.exe
File created	C:\Program Files\RUXIM\PLUGScheduler.exe	msiexec.exe
File created	C:\Program Files\Microsoft Update Health Tools\expediteupdater.exe	msiexec.exe
File created	C:\Program Files\Microsoft Update Health Tools\uhssvc.exe	msiexec.exe
File created	C:\Program Files\RUXIM\DTUDriver.exe	msiexec.exe
File created	C:\Program Files\RUXIM\RUXIMICS.exe	msiexec.exe
File created	C:\Program Files\RUXIM\RUXIMIH.exe	msiexec.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5f1fa6.msi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	wuauclt.exe
File created	C:\Windows\Installer\e5f1fab.msi	msiexec.exe
File created	C:\Windows\SoftwareDistribution\Download\49ba6ae83fe2a990fc76e38a96972f75\img\Windows-KB5001716-x64.msi	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\Metadata\Mitigation.dll	wuauclt.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\Metadata\ExeUpdateAgent.dll	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\windlp.state-old.xml	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\metadata\{C4802AAB-54A0-4275-B7B0-10FD0DBAC780}	wuauclt.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	wuauclt.exe
File opened for modification	C:\Windows\Installer\MSIE815.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2062.tmp	msiexec.exe
File opened for modification	C:\Windows\Debug\mrt.log	MRT.exe
File created	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\metadata\$dpx$.tmp\4dabd11dc031674bbd4045e774b5b74d.tmp	wuauclt.exe
File created	C:\Windows\Installer\SourceHash{29B15818-E79F-4AB0-8938-9410C807AD76}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DA80A019-4C3B-4DAA-ACA1-6937D7CAAF9E}	msiexec.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\metadata\$dpx$.tmp\job.xml	wuauclt.exe
File opened for modification	C:\Windows\Installer\e5f1fab.msi	msiexec.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\Metadata\UAOneSettings.dll	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\Metadata\compdb.xml.cab	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\metadata\compdb.xml	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\metadata\$dpx$.tmp	wuauclt.exe
File created	C:\Windows\Installer\e5f1faa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\Metadata\UpdateAgent.dll	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\Metadata\Dpx.dll	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\windlp.state.xml	wuauclt.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\metadata\{478C07BD-42E4-4BDD-9E9A-B5DF015AEE06}	wuauclt.exe
File opened for modification	C:\Windows\Installer\MSIE583.tmp	msiexec.exe
File created	C:\Windows\Installer\e5f1faf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5f1fa6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE5F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\MoSetup\UpdateAgent.log	wuauclt.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d4141155d34ac580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d4141150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d414115000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d414115000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d41411500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotificationUx.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotificationUx.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotifyIcon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotifyIcon.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	wuauclt.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Sequence = "1"	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	wuauclt.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	wuauclt.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	wuauclt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 061ea4c9263bfd63ac0a13da8f215ddeaf64d85ad21582274ae3442c6a496dad	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	wuauclt.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	wuauclt.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = d8120000fe8eb2dd7643db01	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81851B92F97E0BA4988349018C70DA67\Assignment = "1"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000f9e9b8759918db01adad8d49a518db0131d3ade27543db0114000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81851B92F97E0BA4988349018C70DA67\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32	MRT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81851B92F97E0BA4988349018C70DA67\ProductName = "Microsoft Update Health Tools"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\910A08ADB3C4AAD4CA1A96737DACFAE9\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81851B92F97E0BA4988349018C70DA67\Version = "39059456"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81851B92F97E0BA4988349018C70DA67\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\910A08ADB3C4AAD4CA1A96737DACFAE9\RUXIM	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\910A08ADB3C4AAD4CA1A96737DACFAE9\Language = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\910A08ADB3C4AAD4CA1A96737DACFAE9\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C15E7514-40CC-4EB7-AA04-2DA105DCD391}\AppID = "{53530985-9D53-460F-983E-D7CD14A808B7}"	wuauclt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81851B92F97E0BA4988349018C70DA67\SourceList\LastUsedSource = "n;1;C:\\Windows\\TEMP\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C15E7514-40CC-4EB7-AA04-2DA105DCD391}	wuauclt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\910A08ADB3C4AAD4CA1A96737DACFAE9\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\910A08ADB3C4AAD4CA1A96737DACFAE9\ProductName = "Update for x64-based Windows Systems (KB5001716)"	msiexec.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\910A08ADB3C4AAD4CA1A96737DACFAE9\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\910A08ADB3C4AAD4CA1A96737DACFAE9\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\910A08ADB3C4AAD4CA1A96737DACFAE9\PackageCode = "1B2A9C9F1C2FB70499AEC9ED21C428C3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\910A08ADB3C4AAD4CA1A96737DACFAE9\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81851B92F97E0BA4988349018C70DA67\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DF6015E21A24EBB4C992E7D143BC971A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81851B92F97E0BA4988349018C70DA67	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81851B92F97E0BA4988349018C70DA67\SourceList\Net	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\910A08ADB3C4AAD4CA1A96737DACFAE9	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\910A08ADB3C4AAD4CA1A96737DACFAE9\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\910A08ADB3C4AAD4CA1A96737DACFAE9\SourceList\PackageName = "Windows-KB5001716-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81851B92F97E0BA4988349018C70DA67\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\910A08ADB3C4AAD4CA1A96737DACFAE9\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 968490.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
1796	msedge.exe
1796	msedge.exe
4476	identity_helper.exe
4476	identity_helper.exe
2200	msedge.exe
2200	msedge.exe
2124	msedge.exe
2124	msedge.exe
5700	msedge.exe
5700	msedge.exe
5184	msedge.exe
5184	msedge.exe
5184	msedge.exe
5184	msedge.exe
2096	msedge.exe
2096	msedge.exe
2780	Windows-KB890830-x64-V5.130.exe
2780	Windows-KB890830-x64-V5.130.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
1316	MRT.exe
4824	msiexec.exe
4824	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	4200	vssvc.exe
Token: SeRestorePrivilege	4200	vssvc.exe
Token: SeAuditPrivilege	4200	vssvc.exe
Token: SeShutdownPrivilege	4176	wuauclt.exe
Token: SeIncreaseQuotaPrivilege	4176	wuauclt.exe
Token: SeSecurityPrivilege	4824	msiexec.exe
Token: SeCreateTokenPrivilege	4176	wuauclt.exe
Token: SeAssignPrimaryTokenPrivilege	4176	wuauclt.exe
Token: SeLockMemoryPrivilege	4176	wuauclt.exe
Token: SeIncreaseQuotaPrivilege	4176	wuauclt.exe
Token: SeMachineAccountPrivilege	4176	wuauclt.exe
Token: SeTcbPrivilege	4176	wuauclt.exe
Token: SeSecurityPrivilege	4176	wuauclt.exe
Token: SeTakeOwnershipPrivilege	4176	wuauclt.exe
Token: SeLoadDriverPrivilege	4176	wuauclt.exe
Token: SeSystemProfilePrivilege	4176	wuauclt.exe
Token: SeSystemtimePrivilege	4176	wuauclt.exe
Token: SeProfSingleProcessPrivilege	4176	wuauclt.exe
Token: SeIncBasePriorityPrivilege	4176	wuauclt.exe
Token: SeCreatePagefilePrivilege	4176	wuauclt.exe
Token: SeCreatePermanentPrivilege	4176	wuauclt.exe
Token: SeBackupPrivilege	4176	wuauclt.exe
Token: SeRestorePrivilege	4176	wuauclt.exe
Token: SeShutdownPrivilege	4176	wuauclt.exe
Token: SeDebugPrivilege	4176	wuauclt.exe
Token: SeAuditPrivilege	4176	wuauclt.exe
Token: SeSystemEnvironmentPrivilege	4176	wuauclt.exe
Token: SeChangeNotifyPrivilege	4176	wuauclt.exe
Token: SeRemoteShutdownPrivilege	4176	wuauclt.exe
Token: SeUndockPrivilege	4176	wuauclt.exe
Token: SeSyncAgentPrivilege	4176	wuauclt.exe
Token: SeEnableDelegationPrivilege	4176	wuauclt.exe
Token: SeManageVolumePrivilege	4176	wuauclt.exe
Token: SeImpersonatePrivilege	4176	wuauclt.exe
Token: SeCreateGlobalPrivilege	4176	wuauclt.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe
Token: SeTakeOwnershipPrivilege	4824	msiexec.exe
Token: SeRestorePrivilege	4824	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
3888	MusNotificationUx.exe
4548	MusNotifyIcon.exe
6076	MusNotifyIcon.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2124	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1796 wrote to memory of 1836	1796	msedge.exe	85
PID 1796 wrote to memory of 1836	1796	msedge.exe	85
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 2184	1796	msedge.exe	86
PID 1796 wrote to memory of 4848	1796	msedge.exe	87
PID 1796 wrote to memory of 4848	1796	msedge.exe	87
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88
PID 1796 wrote to memory of 3940	1796	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.cursor.com/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa461946f8,0x7ffa46194708,0x7ffa46194718
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6964 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6724 /prefetch:8
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3308 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2208 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7124 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,13445210824483554810,18189477576627830495,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4892 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:736

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x3bc
1⤵
PID:4824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultabcff565h4f89h40cfha46fh351e622cbe58
1⤵
PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffa461946f8,0x7ffa46194708,0x7ffa46194718
  2⤵
  PID:5464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,12567017024007217798,3667096286434334857,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,12567017024007217798,3667096286434334857,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5700

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:5456

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TurnOffDevicePortal
1⤵
PID:5656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaultcece0deeh6db6h4c82ha9e4h3f59417f1e86
1⤵
PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa461946f8,0x7ffa46194708,0x7ffa46194718
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1444,17247336876259821148,3278155640438532061,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1444,17247336876259821148,3278155640438532061,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5888

C:\Windows\system32\wuauclt.exe
"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId f3fbae5e-6532-4047-88cb-11ce14062daa /RunHandlerComServer
1⤵
- System Binary Proxy Execution: wuauclt
PID:5880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:1512

C:\Windows\system32\wuauclt.exe
"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId d5368f2f-7075-44a0-afec-e2cb72248893 /RunHandlerComServer
1⤵
- System Binary Proxy Execution: wuauclt
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4176

C:\Windows\system32\MusNotificationUx.exe
%systemroot%\system32\MusNotificationUx.exe QueryNotificationState
1⤵
- Checks processor information in registry
- Suspicious use of SendNotifyMessage
PID:3888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4824
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c RD /S /Q C:\ProgramData\PLUG
  2⤵
  PID:3632
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe -delete -tn Microsoft\Windows\WindowsUpdate\RUXIM\RUXIMDisplay -F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5252
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe -delete -tn Microsoft\Windows\WindowsUpdate\RUXIM\RUXIMSync -F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4580
- C:\Windows\SysWOW64\schtasks.exe
  C:\Windows\SysWOW64\schtasks.exe -create -tn Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler -xml plugscheduler.xml -F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:760
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 81F5D617D11606B16F8438673EAF73FA E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:6448

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 19
1⤵
- Checks processor information in registry
- Suspicious use of SendNotifyMessage
PID:4548

C:\Windows\system32\wuauclt.exe
"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId 794c270f-59dc-4127-997a-b863c014695e /RunHandlerComServer
1⤵
- System Binary Proxy Execution: wuauclt
PID:3616
- C:\Windows\SoftwareDistribution\Download\Install\Windows-KB890830-x64-V5.130.exe
  "C:\Windows\SoftwareDistribution\Download\Install\Windows-KB890830-x64-V5.130.exe" /Q /W
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2780
- - C:\Windows\system32\MRT.exe
    "C:\Windows\system32\MRT.exe" /Q /W
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:1316

C:\Windows\system32\wuauclt.exe
"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId 06de270a-48e4-48f6-a599-9853b275ef25 /RunHandlerComServer
1⤵
- System Binary Proxy Execution: wuauclt
PID:7544

C:\Windows\system32\MusNotifyIcon.exe
%systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 19
1⤵
- Checks processor information in registry
- Suspicious use of SendNotifyMessage
PID:6076

C:\Windows\system32\wuauclt.exe
"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId 7fbc3a67-c198-4d38-ad5c-2e589b4ebd9a /RunHandlerComServer
1⤵
- Loads dropped DLL
- System Binary Proxy Execution: wuauclt
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:1516
- C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\unifiedinstaller.exe
  "C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\unifiedinstaller.exe"
  2⤵
  PID:6356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

System Binary Proxy Execution

T1218

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5f1fa9.rbs

Filesize
8KB

MD5
4952de91b33a914409fdccc3c4780ab7

SHA1
a7d7fbc8222245cca097fac230aa9d5f5d425fb7

SHA256
c41a185bd631e7f05066d60af53ea9b9f09ac1279a919eaa412b13162425ee91

SHA512
5797f89642e3f1cbb8c6e82640505cc23dd813257893408ffb18581d323853e3b5224456b6f0b4278a883b8ddf2a22dcd434348e6ee59ad4d25a64c0d0e00e7c

Download Submit
C:\Config.Msi\e5f1fae.rbs

Filesize
11KB

MD5
13910ee53707304f53c2cb0908abd892

SHA1
da364fbbaff580c69d0858fc33f07ac5d8f1f7cf

SHA256
8f1b842a86a301b45d385c6f1d0e3f1e7a14cc5e073e78cfc2b62593bd7cd151

SHA512
1d821c6e7014981b06d4837fa9f271ed1764ef4fa667c3a710ebbcb6497cbaec6ed956b10e2f3217b85d459b8ee5b14feb8faa83f2a3e7efc7e70bdf94902a84

Download Submit
C:\Program Files\Microsoft Update Health Tools\QualityUpdateAssistant.dll

Filesize
475KB

MD5
4b944d93d5c75ef05f64ccb9d877d9f5

SHA1
f343691790795f06b22a1f6995c53124fb70f8f2

SHA256
5cbb22f583517b32f8bdca9e5d8083761c8a414588b8506adf5c5761a528dfbe

SHA512
9b6b9bfa3f62292566d94cb821e4e35fbbd073c96157edcd3e35862802a2a5f14ac26a482703dda7e6dc2b90454b36aef05a5c65f23a05411788d5036ac7d2ab

Download Submit
C:\Program Files\Microsoft Update Health Tools\sedplugins.dll

Filesize
591KB

MD5
655040ebf669318abf11bf056e395ebc

SHA1
119476a449a47093a52c5f70ae5198d0d6c5e557

SHA256
29d99cf8c1f51c624dd160c9021ff944701bcd5892620902c83d9911db8339a7

SHA512
ef4d51acaeb48dceec9fc8f7f6a653f33d82d93077971f98b4796f5e9f78c88dcc0ff711443a0545920fe6aa4ea0d99066ca2a4b19349a879f84a102fffdd18e

Download Submit
C:\Program Files\RUXIM\PLUGscheduler.exe

Filesize
374KB

MD5
fa7592e31d4cd67f779df2076b3e9520

SHA1
0094cecad593abc8e5eeccb1f9bf8a060fdeda1f

SHA256
effba0e62c1d7669bec25853bf0b8e3dd7c7ea0a35ddeae5622426ee139048f2

SHA512
6228ff084a53b97f25e2d72799104d398adbf3a62ee14b71ed5c0e82d4653fd27d476f318d19c20f936a7e40df22929b7932b5a77797c97c8aaa887ecb405fc3

Download Submit
C:\Program Files\RUXIM\plugscheduler.xml

Filesize
4KB

MD5
68e17321cd6983588f34c56d33eef8ef

SHA1
83d6e35a427ec0ae5a61733f4775d6f25d11ece7

SHA256
0c9600548bdb7c1939d425095817d43599eabead5d339cf84ccbe5d3d72439b8

SHA512
14fcdc7c1f1feed1530a7a31a597d7ac205b2ae11a5999b97c88f6fac17b9e4cfff902f4090514b18c754c3d6800f4054683da1453f35cac2936967f854c6164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cce9e9f4b9fd8e0f9ef79f48c6dbaec4

SHA1
4fe453b717b00775adec43b84db8955e1108d8c8

SHA256
c4191c0180a10c00ab5e70dbb4c01173954a481f48c2202f59257b277868e637

SHA512
ddd6475da132aff41462af588dc4ec8702e2ca6e029f30f42f2410b061530cd535b559a4a5a3ab219e8cfdff388dbb3a25503a4d8d9fd155d9f7e80065fe5b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002f

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
909243c41ceefc8a808c3933dd6d6b4f

SHA1
bc11de872b3ff4b536a70f1777c1c42608a32afd

SHA256
80473cf0e28d5ae316dda949323a62a6e9e374aa70623045708a3881e38d6ee9

SHA512
afae7fa1cdd8c125d3e246ba0f4f1701525914ccfd0489820f27e4c9ab570d54275522b31d5322d0619b43f3b81fe313dcdaf8534ac15f7c38c35f8ab5f703f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
512a7911db3cdd810b9e07030eab0aa5

SHA1
eac6250fc085bcf8f2842551a80aab358b32e0fd

SHA256
a8524801a88de2eadecf8225fe7f60842f1f6226b52452f28c1cd3f307b46cd4

SHA512
7f26e7595761518d4f1ba23efea4b0f657175e2d35fb130e1b194cb127ce68ac1329665d530fdb10906fd0e6073bbe46f5152ec08ab2e017cf523a0f1d1d476b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
27f1bbe0d7c7292e4b635f88fd64db1d

SHA1
65d6c39863cbe0c464efba7995e44c2c4570c679

SHA256
ab3b02aef45246b8c7ac0b2e1b8d9911239be610f57a2d4e631a97348b52e18b

SHA512
a1ac95a04bd65ced31f10aa3f4cb67d4d7f3498626965095ef7a801d1c3372ea3a81de4b5980dd8c9f64549e310ea509bff7025b00a89d361c65bc25a4df2870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d048a05ce95afa29590900f3cdacfce6

SHA1
6f5cbc51bc0808c76c516c59b7e1fb0a455689e3

SHA256
06a40c04987bb3f682f88b91b786f0674bb45169f800b79fb169cf0bd4f1ab14

SHA512
6a98f165facc99dee9ed57d10ffa10585b6c3f4f284e8581d12177f47a3114b2f2fb303f86858b8718174026d43fbbdd514b4422261eb1e5394a995fce13f3a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0f2a0b5911b163d2a3e6f59b6ab4a903

SHA1
4aadd386605de08ee87ee7a08717a0f80847e3be

SHA256
1c088db4df1be67d7fbd0a43320b6d74ba7d3f44235d7e93b6ea8b6cbed358fb

SHA512
1831927fb38a613ef9617803b7908ab10a0acaf1ed81b0eb534848a92dbe8d2ddfb8c7a189e9008938e5a25c28c75debcdee843a9ea86a79594875934c05ec39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ae9c991f7ba725934c814a1e6ea6a006

SHA1
503eda745365f6fcb86e934ded04a66acb42f538

SHA256
8080590af92d85ffcff5f60817eb63fc066f8daf6b3b001945e9f0a775be157f

SHA512
f7d5e7ccaf56b2d6d16cda1d580820271b63221a8f43ba5468f00ce52f20333da118968b3e907c7ce2e2b61aeb25a5bc0956264e2c6e93228a54a2cd279217e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0d6bf523fb744b83e493925968f3e184

SHA1
293a00fc2b6ed218ef749b8873f1eead71e144f4

SHA256
adf55812abf2214633fd84624b56854ef1351f78d8ed43c90f8a396a0f964502

SHA512
05d8f7d8876ca631975638b3009bb3d24d715e7fe0c6656f26dca53bc8c37d39bb6de4d2b07f776d24bbb6881e8dc59353b37069035744583e720319605423b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8de73542331c82b92d198c38a949552c

SHA1
bf7bc5b01fc60a456adb139a4d532faaa0aef88f

SHA256
74e4442b894e3d57516cf26be762f37a553cab536c37a2a233786f0ad3a605b5

SHA512
c8f4c5c3c846c86cfe3a0e316c65f2d2687ef83fd02ed504125461f5eb438cdd3c40ed2de82b409077ed2a8c3cc590ef36048a47dd78fe9575b76756921f0847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
650ea5c0d8ffcc18ea1dabac7be10d41

SHA1
af67e7a0d23e3567da53697a69a5695d1c816c5e

SHA256
67dbc053f3f435c81427d8dcb3b3a1c2c97f87b1b15af6adbf816a08eb7d55eb

SHA512
084b6ddc0ca2918f12dc50ba08d92b268e5304f5647d9b2b6db25bccd5c4068ece3faf7bf14d99b83df60456205f2a599fdf501230a66422c5d9994a7d168ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d9b0816d3ca198158e2981959844fa34

SHA1
8965c3d7633022672984b61961b523b6d2bfba2e

SHA256
ce1bb273f831ff9f449ac44a580156915aa75d635c3cd9548951d7b6949b2481

SHA512
05aa7672e8d4e4baf5a38bd097b30ea3ff550653ab646315851f9c3a6a5b3b90a2ca0317d4142761623d842c32178ed695f27536b6efa0a35190cc8dda6dc5bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58a9b8.TMP

Filesize
48B

MD5
0d054dbee259473d59f54762ed77f561

SHA1
e86a8f2200fc6f376d50fbbbf040dca51a815b4e

SHA256
bdd04568fe0622cbd63e741a0cc46ace38c551d14757f0c58e39605be7811294

SHA512
f893674f74477f85a85cf539670ae7f2e45802d4e401dfdb40620adef507ba749dd43c8c5957b3a49f005f69339879984117a75830e2289f250cb627acd87b64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bfa07029f5f99ba3425158f9446c9bd3

SHA1
ed85ff2ed34577196ae7b03c039baf40336296bf

SHA256
bf58da5ff866dd288503a6c10ff176870391bf3a82a482985c3560aebdf71161

SHA512
abd2c848e57015a83cfb6e39464d4516effc816034dc67cfc2e751758c47dc972938502083e6e9b4ac32fea42fbf811dac26ab6ded98481cda1a8956d8a0c179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
369B

MD5
be05f7b7665a0e645354dbb6b91b741b

SHA1
baf1fd0226161523908590c89d5a170113fe669e

SHA256
5472ecb612b069f3efb1ef08b7581d0dd775fc3e371aa4b0fd2cd910a49ce5d9

SHA512
4aac87a2250614eaed69b757e1847879b02e7f3c4509f0140ad082fd89e49a51be2ffcd6a45b87bc338d55f8e7cd73cb7b2f7f06438d04a58c7522d0554dc82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582a09.TMP

Filesize
369B

MD5
e10b835961c8c2fa2b35a20758655e91

SHA1
c1e821366b34064384878a39402015506a10773d

SHA256
537eae244396c165a777cfcd38d00cbbbb4c1342007f740c4c358aefdfe62ed0

SHA512
ba30d0b2c63e8530396f61d80c915aab966124e83afa45ffef9a4bce96e3910861b8b613b9153af34c6f38c525e07192f9e9bbf34dac61115d602005f29b074e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a70867a69bdb4da2eda866d9da8c2a65

SHA1
3ed94b21c3a55e8186fe211e0e793ff68f9a3755

SHA256
8c3c35323fe57a2660b5b5ef277dda51db12ebd18d86deb1a59cce370f25f570

SHA512
4db4a74a4d9d23e26bd8f364f041b55df8384107bbbe68bbbd48b09958756d7e4807caed485557cc82759ceb5ab1293a83baf0504fdee695deb5ad867739906c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ae6e124197b1b8a8e5a9791b7701422e

SHA1
ac1948d02f37575e6580b4cb597a2ef63bfa11df

SHA256
4896d220345e7cf428ab4049402619d86078f5a6ad921bfee0d198af0c0c8990

SHA512
cf00e68a63b526d7ab26772799a2b75021928b4c13e732bac7f4aca8caba1c9d1b45eb98ae1058d2da020a91eaf3b9647bcc9f9cf75bb2a023b2caa878d6beb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7ed808b4e0840c016d004e40d3bdb0c8

SHA1
438525274b1297be50ba9c2e997474563c85286f

SHA256
76a1f055a3131e5e2d0d386e90153b48d3d863939504f97a12c404b3b23065d2

SHA512
c69c17f38ca28e00fc99a6ec21b09d375171894005ff9172d1fc2a20dd160c09f9650d7b34aa2dc7866a335764076bfc8f23f0b1cdea7f08ab7914bf3a118ed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b57763dacce33b337a8af8d6cabc6e33

SHA1
817e6cba437d3a34a8267410b664d70e3ff9c8eb

SHA256
a02264a652e67b05a4b303cfb022c99b5c08523ac81a44fc7f2b9244e0532eeb

SHA512
10d6c06c239558b715c4da280c655378757d2e8a1c2a21264534334611ed0564c1071c0c84a0b4c3e9d138bed1180146683dc8d96c0ae8b075a5c2abfd7ec00e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
a192aaa147bca6dd795c5d743e6d164a

SHA1
55a413c67826c3d62bf4eedd610c9d5cc0be637a

SHA256
0c943ff5c13ad8ab576b6bf49d349d1a2577d01f3a3253db3b68c982cea4eaff

SHA512
ff9a33f27454d741910496c2ea8391dee1aff166a1fde900269ea14478cc9ea8fb6796473aa9186a7437db8a4ed1b573e875eefe367e4dcca80ca7cbc2aacb60

Download Submit
C:\Windows\Installer\MSIE583.tmp

Filesize
195KB

MD5
c192517924eead8f673cdccae9454619

SHA1
002aef77ece1034e3cdf5e667f2016b706f06a41

SHA256
df167968d04a220415c4b659bfae552a5a322c6e79924b6bad36d45ecb6e1ab3

SHA512
a5e8c2687347e1405ff934b6c62dbad8621b40ffab1522c3621c869a8d042e1db5e225e3d00b74a85f1274c52d8dc14f5b7f90e28f30d667198ca60c51551dc2

Download Submit
C:\Windows\SoftwareDistribution\Download\49ba6ae83fe2a990fc76e38a96972f75\img\Windows-KB5001716-x64.msi

Filesize
860KB

MD5
9aa2d782c2474614301f5f484049ef00

SHA1
93ed79ecb4810a21beb4bbdc947b684198a4fb5b

SHA256
217086cf53124731dcc96ca0d060a00c076f0ed0bc43bc49b92573f35c84f614

SHA512
e464c29ad2bb1ba81a5a842daad99e2e68a57458100057a5affec09bcfcf4427e4592a8e0b4553604ac2901e9062daabb86a9e078f933d531caac84639b0a1c9

Download Submit
C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\Metadata\Dpx.dll

Filesize
719KB

MD5
c80ce9163999cfdfc0eb43c47738ac04

SHA1
0a20918bd0e1518752117a40ce981c24145c4e32

SHA256
7486f7b5bb7892c46f24a8e5c54a36cad41a6974a7693f99696130e671b4745a

SHA512
48e071c7f63f2474f9920f0b296ed52b2b53a3f55f0f32eb1c4773b8b9f04c41af368f2aa3b98bcc34c68ce97950f31fb410fcad1ebe6184d2dc418b06f4bd08

Download Submit
C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\Metadata\ExeUpdateAgent.dll

Filesize
1.1MB

MD5
cfa568e24ecfa3d69d121795ccba6a5f

SHA1
b7fff4fcb37ad274c3593933e679eaa61f06168f

SHA256
447a8f07dbb0370b33fc1c4ea82aee5dfa352db81176e5badf183a861221bb3b

SHA512
dbf16bb13a00c27877a97c8383b4c7ae167ceb957d03bfdc6d0d8e3065a7eec42266abbd45e7a2841e00b469bc0eb7d9df7544c2f5c399792f6db46be145ad26

Download Submit
C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\Metadata\UAOneSettings.dll

Filesize
88KB

MD5
5b7b529ad6182b6c2d723fdcf01e0717

SHA1
bbaa7d30a383df93b7659ed95a8ad6ba9b851166

SHA256
d8b1fd676e0ae5b33154fe2949116b7aa4bbd35cb530dbed7f87b7d88e5d2bd9

SHA512
93f435a59476840ac2b958b9e4441a6b4736682c530ad034700646cc5ef6fef2a2e957b87e78ea4309988615523c3b09e86d446639c20353027df382410af5c5

Download Submit
C:\Windows\SoftwareDistribution\Download\4ec5014208710f214106704a9af5c25e\Metadata\UpdateAgent.dll

Filesize
2.6MB

MD5
49a564fe7e2519c4e74a1530d135d48a

SHA1
7f9e07687cd2b87e16de3d4349eb94a5fda1e2dd

SHA256
b4acc88a50d8ba584e59e8ab8e3de154a6f30ee32cfa5a89499989f5f58a9a63

SHA512
dc037871d5e2737ad4736314b7e59389ec54c6f811e92285bb5d0ea1699be32bb4b041805edb9b2a1a6eab303be5b86cc958e70b48242252593e10e4e9a6d059

Download Submit
C:\Windows\System32\MRT\4342F2FD-8452-C715-A739-B8361185B417\MPENGINE.DLL

Filesize
18.8MB

MD5
807f47f2bbcdb430bc1d9f07a8293540

SHA1
64b09605338f2b0e73b2fa396f2d8bb41a5ac0ab

SHA256
69e24472a2977868a260ba52078cc95cb3ec681c902a6fb9708beaefa6acf283

SHA512
1caa8a4316d3855542d31efeb6c02205f6d9e550f0b9c2278e9f74ce4ff13d008c5ef7f1f4c1bf6dae6264680ed7f4eb2c6dc6dcf27b27d33ee0a36cad2ae697

Download Submit
C:\Windows\System32\MRT\4342F2FD-8452-C715-A739-B8361185B417\MPGEAR.DLL

Filesize
607KB

MD5
a0c4ac6378ce0313955dccfd2d9208a6

SHA1
7ee2f0f3bf4504f4f7bbc63cb5fa883711c13801

SHA256
abbe3285c58c830314f9f0ad2ddc769139c0d808e27893290adc69a535b996b1

SHA512
72ea9f0d7399fa5d6865f3f887ffa07098b883b1428b33dcb552a40bb22ca6a461a546736667ca1aa97e5f06dffd10dab765c7f6e3e827dd0335b562b27d2fb5

Download Submit
C:\Windows\TEMP\UpdHealthTools.msi

Filesize
1.0MB

MD5
9b8135c9c160f1ee6cf39566948ca11b

SHA1
ccd0157fac545a963a2628022f4238c5baf52359

SHA256
acfabfd776b15c8a794cac58194293034420a680726334e9efb7b4582a17c0f7

SHA512
ff1a0dd58a3bbd98a960be704de4c44ff5b29e869f03e34db2a57c6f08cc63798c390486a4e605a58749f6d1293a450bbb48619f5c1283664779f7b979a0b7e8

Download Submit
memory/1316-784-0x000001F807240000-0x000001F807241000-memory.dmp

Filesize
4KB

Download
memory/1316-763-0x000001F87D670000-0x000001F87D671000-memory.dmp

Filesize
4KB

Download
memory/1316-792-0x000001F8072D0000-0x000001F8072D1000-memory.dmp

Filesize
4KB

Download
memory/1316-791-0x000001F8072C0000-0x000001F8072C1000-memory.dmp

Filesize
4KB

Download
memory/1316-790-0x000001F8072A0000-0x000001F8072A1000-memory.dmp

Filesize
4KB

Download
memory/1316-789-0x000001F807290000-0x000001F807291000-memory.dmp

Filesize
4KB

Download
memory/1316-788-0x000001F807280000-0x000001F807281000-memory.dmp

Filesize
4KB

Download
memory/1316-787-0x000001F807270000-0x000001F807271000-memory.dmp

Filesize
4KB

Download
memory/1316-786-0x000001F807260000-0x000001F807261000-memory.dmp

Filesize
4KB

Download
memory/1316-785-0x000001F807250000-0x000001F807251000-memory.dmp

Filesize
4KB

Download
memory/1316-794-0x000001F8072F0000-0x000001F8072F1000-memory.dmp

Filesize
4KB

Download
memory/1316-783-0x000001F807230000-0x000001F807231000-memory.dmp

Filesize
4KB

Download
memory/1316-782-0x000001F807220000-0x000001F807221000-memory.dmp

Filesize
4KB

Download
memory/1316-781-0x000001F807060000-0x000001F807061000-memory.dmp

Filesize
4KB

Download
memory/1316-780-0x000001F807050000-0x000001F807051000-memory.dmp

Filesize
4KB

Download
memory/1316-779-0x000001F807040000-0x000001F807041000-memory.dmp

Filesize
4KB

Download
memory/1316-778-0x000001F807030000-0x000001F807031000-memory.dmp

Filesize
4KB

Download
memory/1316-777-0x000001F807020000-0x000001F807021000-memory.dmp

Filesize
4KB

Download
memory/1316-776-0x000001F807010000-0x000001F807011000-memory.dmp

Filesize
4KB

Download
memory/1316-775-0x000001F807000000-0x000001F807001000-memory.dmp

Filesize
4KB

Download
memory/1316-774-0x000001F806FF0000-0x000001F806FF1000-memory.dmp

Filesize
4KB

Download
memory/1316-773-0x000001F806FE0000-0x000001F806FE1000-memory.dmp

Filesize
4KB

Download
memory/1316-772-0x000001F806FD0000-0x000001F806FD1000-memory.dmp

Filesize
4KB

Download
memory/1316-771-0x000001F806FB0000-0x000001F806FB1000-memory.dmp

Filesize
4KB

Download
memory/1316-770-0x000001F806FA0000-0x000001F806FA1000-memory.dmp

Filesize
4KB

Download
memory/1316-769-0x000001F806F90000-0x000001F806F91000-memory.dmp

Filesize
4KB

Download
memory/1316-768-0x000001F806F80000-0x000001F806F81000-memory.dmp

Filesize
4KB

Download
memory/1316-767-0x000001F87DF60000-0x000001F87DF61000-memory.dmp

Filesize
4KB

Download
memory/1316-766-0x000001F87DE80000-0x000001F87DE81000-memory.dmp

Filesize
4KB

Download
memory/1316-765-0x000001F87DE70000-0x000001F87DE71000-memory.dmp

Filesize
4KB

Download
memory/1316-764-0x000001F87DD60000-0x000001F87DD61000-memory.dmp

Filesize
4KB

Download
memory/1316-793-0x000001F8072E0000-0x000001F8072E1000-memory.dmp

Filesize
4KB

Download
memory/1316-762-0x000001F87CCE0000-0x000001F87CCE1000-memory.dmp

Filesize
4KB

Download
memory/1316-761-0x000001F8790E0000-0x000001F8790E1000-memory.dmp

Filesize
4KB

Download
memory/1316-760-0x000001F8097A0000-0x000001F809832000-memory.dmp

Filesize
584KB

Download
memory/1316-757-0x000001F809310000-0x000001F809314000-memory.dmp

Filesize
16KB

Download
memory/1316-756-0x000001F809300000-0x000001F809304000-memory.dmp

Filesize
16KB

Download
memory/1316-755-0x000001F8092F0000-0x000001F8092F4000-memory.dmp

Filesize
16KB

Download
memory/1316-752-0x000001F8092C0000-0x000001F8092C4000-memory.dmp

Filesize
16KB

Download
memory/1316-751-0x000001F8092B0000-0x000001F8092B4000-memory.dmp

Filesize
16KB

Download
memory/1316-750-0x000001F8092A0000-0x000001F8092A4000-memory.dmp

Filesize
16KB

Download
memory/1316-749-0x000001F809290000-0x000001F809294000-memory.dmp

Filesize
16KB

Download
memory/1316-748-0x000001F809280000-0x000001F809284000-memory.dmp

Filesize
16KB

Download
memory/1316-747-0x000001F809270000-0x000001F809274000-memory.dmp

Filesize
16KB

Download
memory/1316-746-0x000001F809260000-0x000001F809264000-memory.dmp

Filesize
16KB

Download
memory/1316-745-0x000001F809250000-0x000001F809254000-memory.dmp

Filesize
16KB

Download
memory/1316-744-0x000001F809240000-0x000001F809244000-memory.dmp

Filesize
16KB

Download
memory/1316-743-0x000001F809230000-0x000001F809234000-memory.dmp

Filesize
16KB

Download
memory/1316-742-0x000001F806F30000-0x000001F806F34000-memory.dmp

Filesize
16KB

Download
memory/1316-741-0x000001F8070A0000-0x000001F8070A4000-memory.dmp

Filesize
16KB

Download
memory/1316-740-0x000001F807090000-0x000001F807094000-memory.dmp

Filesize
16KB

Download
memory/1316-739-0x000001F807080000-0x000001F807084000-memory.dmp

Filesize
16KB

Download
memory/1316-738-0x000001F807070000-0x000001F807074000-memory.dmp

Filesize
16KB

Download
memory/1316-737-0x000001F806F20000-0x000001F806F24000-memory.dmp

Filesize
16KB

Download
memory/1316-795-0x000001F807300000-0x000001F807301000-memory.dmp

Filesize
4KB

Download
memory/1316-796-0x000001F807310000-0x000001F807311000-memory.dmp

Filesize
4KB

Download
memory/1316-797-0x000001F807320000-0x000001F807321000-memory.dmp

Filesize
4KB

Download
memory/1316-759-0x000001F809750000-0x000001F80979A000-memory.dmp

Filesize
296KB

Download
memory/1316-758-0x000001F8096F0000-0x000001F809741000-memory.dmp

Filesize
324KB

Download
memory/1316-753-0x000001F8092D0000-0x000001F8092D4000-memory.dmp

Filesize
16KB

Download
memory/1316-754-0x000001F8092E0000-0x000001F8092E4000-memory.dmp

Filesize
16KB

Download
memory/1316-736-0x000001F8790C0000-0x000001F8790C4000-memory.dmp

Filesize
16KB

Download
memory/1316-735-0x000001F809340000-0x000001F8096E8000-memory.dmp

Filesize
3.7MB

Download
memory/1316-734-0x000001F809080000-0x000001F8091D8000-memory.dmp

Filesize
1.3MB

Download