Malware Analysis Report

2025-04-03 10:14

Sample ID 250213-b1xc6s1khp
Target 7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa
SHA256 7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa
Tags
upx blackshades defense_evasion discovery persistence rat adware privilege_escalation stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa

Threat Level: Known bad

The file 7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa was found to be: Known bad.

Malicious Activity Summary

upx blackshades defense_evasion discovery persistence rat adware privilege_escalation stealer

Blackshades payload

Modifies firewall policy service

Blackshades family

Blackshades

Boot or Logon Autostart Execution: Active Setup

Downloads MZ/PE file

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

UPX packed file

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of AdjustPrivilegeToken

System policy modification

Modifies registry key

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-13 01:37

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-13 01:37

Reported

2025-02-13 01:39

Platform

win7-20240903-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3052 set thread context of 2836 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2552 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Windows\SysWOW64\cmd.exe
PID 2552 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1900 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1900 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1900 wrote to memory of 980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2552 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2552 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2552 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2552 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3052 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3052 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3052 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3052 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3052 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3052 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3052 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3052 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3052 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2836 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2900 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2900 wrote to memory of 2336 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2868 wrote to memory of 2344 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2732 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3004 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3004 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3004 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3004 wrote to memory of 2428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe

"C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\XfSiu.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /f

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 havefunnuke.servequake.com udp

Files

memory/2552-2-0x0000000000400000-0x0000000000591000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\XfSiu.bat

MD5 1954c7e666c5b4d1117ef07bc0c9b8ec
SHA1 559e3c0273c1463e9184027b749bdaad0a372681
SHA256 35e0dbc8b455ca38976157ce9d0293fd6cdca20f46f1cb69058a1e0f0af6f693
SHA512 3939de8d0ab7e67b59ff8bebed5580dafd38d8785193fd42a289728500761a68b9e6660605e19e10d4278dd106fea4b273a208f25485e7389c8f19b2958c926a

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

MD5 c95604c390985681c986a3ecf2ed5b3c
SHA1 f5f26b79b81a0536d28c063ccc26685b14bcd05d
SHA256 a7c4c748af6a300d968569f54a7dcc16197c697025e2b05bbda03475d3121882
SHA512 c0d946c82593e16f499017e752941ed5d62bd2c43334a05f6b99abbbd5b8b0f8fdcbada893a6bc5a22c192a010c269275778117e4d999a7c7e140cff04fec8dc


Analysis: behavioral2

Detonation Overview

Submitted

2025-02-13 01:37

Reported

2025-02-13 01:39

Platform

win10v2004-20250207-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe"

Signatures

Blackshades

rat blackshades

Blackshades family

blackshades

Blackshades payload

Description Indicator Process Target
N/A N/A N/A N/A

Modifies firewall policy service

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Updater.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Updater.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\SysWOW64\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe:*:Enabled:Windows Messanger" C:\Windows\SysWOW64\reg.exe N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Window Updates = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Update\\winupdt.exe" C:\Windows\SysWOW64\reg.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2212 set thread context of 3404 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\dev.identity_helper.exe.manifest C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\VERSION C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\fr.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Internal.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ca.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\pt-BR.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vk_swiftshader.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\gd.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files\msedge_installer.log C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\mi.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\qu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\te.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\notification_helper.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\manifest.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Entities C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\et.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\nl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Canary.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fil.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\gu.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\LogoBeta.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ko.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Temp\source3984_1000191167\MSEDGE.7z C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Advertising C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_stub.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ur.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vcruntime140_1.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\SmallLogoDev.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Entities C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\cookie_exporter.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\is.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bn-IN.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Content C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ur.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\nn.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\stable.identity_helper.exe.manifest C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vulkan-1.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Analytics C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\et.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\it.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\LogoDev.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_elf.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Beta.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\resources.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Cryptomining C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_stub.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\AdSelectionAttestationsPreloaded\manifest.json C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bg.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\libEGL.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\cy.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ga.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_feedback\mf_trace.wprp C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\nb.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoDev.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sr-Latn-RS.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\edge_game_assist\EdgeGameAssist.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\da.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\show_third_party_software_licenses.bat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\LogoDev.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\vi.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1639772215-809007892-4072230623-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\system32\wwahost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" \"%1\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\DefaultIcon C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.htm C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xht\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xml\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml\Extension = ".svg" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationName = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\DefaultIcon C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\Application C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\ = "URL:microsoft-edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\DefaultIcon C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\ = "Microsoft Edge HTML Document" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationCompany = "Microsoft Corporation" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xml C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.xhtml C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\AppId = "{628ACE20-B77A-456F-A88D-547DB6CEEDD5}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\elevation_service.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\ProgrammaticAccessOnly C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 1 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeAuditPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 31 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 32 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe N/A
Token: 33 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3544 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Windows\SysWOW64\cmd.exe
PID 3544 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Windows\SysWOW64\cmd.exe
PID 3544 wrote to memory of 2096 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Windows\SysWOW64\cmd.exe
PID 2096 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2096 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2096 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3544 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3544 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3544 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2212 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2212 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2212 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2212 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2212 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2212 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2212 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 2212 wrote to memory of 3404 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe
PID 3404 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 812 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 3404 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe C:\Windows\SysWOW64\cmd.exe
PID 812 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 812 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 812 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4788 wrote to memory of 3988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4788 wrote to memory of 3988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4788 wrote to memory of 3988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3316 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3316 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3316 wrote to memory of 2552 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1204 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1204 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1204 wrote to memory of 3384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1192 wrote to memory of 3984 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe
PID 1192 wrote to memory of 3984 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe
PID 3984 wrote to memory of 4000 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe
PID 3984 wrote to memory of 4000 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe
PID 3984 wrote to memory of 1292 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe
PID 3984 wrote to memory of 1292 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe
PID 1292 wrote to memory of 852 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe
PID 1292 wrote to memory of 852 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe
PID 3984 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3984 wrote to memory of 3548 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3984 wrote to memory of 3028 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3984 wrote to memory of 3028 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3984 wrote to memory of 4260 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3984 wrote to memory of 4260 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3028 wrote to memory of 1676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3028 wrote to memory of 1676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3548 wrote to memory of 4328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 3548 wrote to memory of 4328 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 4260 wrote to memory of 3484 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 4260 wrote to memory of 3484 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe

"C:\Users\Admin\AppData\Local\Temp\7935c2ea4f95626055b531a4e7a844cc7c1ffadb34569cfbba5036512b4a73aa.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TSNMX.bat" "

C:\Windows\SysWOW64\reg.exe

REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /f

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe

"C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\cmd.exe

cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f

C:\Windows\SysWOW64\reg.exe

REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Updater.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Updater.exe:*:Enabled:Windows Messanger" /f

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTI2MzU3Mjg2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\MicrosoftEdge_X64_133.0.3065.59.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff67d326a68,0x7ff67d326a74,0x7ff67d326a80

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff67d326a68,0x7ff67d326a74,0x7ff67d326a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0xd0,0x230,0x7ff700e56a68,0x7ff700e56a74,0x7ff700e56a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff700e56a68,0x7ff700e56a74,0x7ff700e56a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff700e56a68,0x7ff700e56a74,0x7ff700e56a80

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe

"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch

C:\Windows\system32\wwahost.exe

"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa

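The command lines above lay out the sample's persistence and firewall tampering in full: a batch file in the user's Temp directory adds a Run value named "Window Updates" pointing at the dropped winupdt.exe under AppData\Roaming, and winupdt.exe then goes through cmd.exe and reg.exe to set DoNotAllowExceptions to 0 and to allow-list both winupdt.exe and a second path, "Windows Updater.exe", under the legacy SharedAccess FirewallPolicy keys. The misspelt "Windows Messanger" description and the "Window Updates" value name are usable string indicators in their own right. The detector below is an added example, not part of the sandbox report or of the sample, that turns process-creation command lines of this shape into findings; the user-writable path heuristic, the benign control line and the ATT&CK mapping are the editor's assumptions.

```python
"""Flag reg.exe persistence and firewall allow-listing in process command lines.

Input is a list of command lines as an EDR or Sysmon (event ID 1) would record
them. The sample lines are copied from the process list above, plus one
constructed benign line so the detector has something to leave alone."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAMPLE_COMMAND_LINES = [
    r'REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Window Updates" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f',
    r'cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.exe:*:Enabled:Windows Messanger" /f',
    # Constructed benign control line, not from the report.
    r'REG ADD "HKLM\SOFTWARE\Contoso\Agent" /v "LogLevel" /t REG_DWORD /d "2" /f',
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\?$", re.I)
FIREWALL_POLICY_RE = re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\", re.I)
# Heuristic for "a path a standard user can write to"; an assumption to tune per estate.
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(Users\\|ProgramData\\|Windows\\Temp\\)", re.I)


@dataclass
class RegAdd:
    key: str
    value_name: Optional[str] = None
    value_type: Optional[str] = None
    data: Optional[str] = None


def split_windows_args(cmdline: str) -> List[str]:
    """Split on whitespace while keeping double-quoted runs together.
    Good enough for reg.exe lines; not a full CommandLineToArgvW."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline) if t.strip('"')]


def parse_reg_add(cmdline: str) -> Optional[RegAdd]:
    """Return key/value/type/data of the first 'reg add' in the line, or None.
    Wrappers such as 'cmd /c' ahead of reg.exe are skipped."""
    toks = split_windows_args(cmdline)
    low = [t.lower() for t in toks]
    start = next((i for i in range(len(low) - 2)
                  if low[i].split("\\")[-1] in ("reg", "reg.exe") and low[i + 1] == "add"), None)
    if start is None:
        return None
    reg = RegAdd(key=toks[start + 2].rstrip("\\"))
    i = start + 3
    while i < len(toks):
        flag = low[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if flag == "/v":
            reg.value_name, i = nxt, i + 2
        elif flag == "/t":
            reg.value_type, i = nxt, i + 2
        elif flag == "/d":
            reg.data, i = nxt, i + 2
        else:
            i += 1  # /f, /ve, /reg:32 ... take no argument we care about
    return reg


def classify(cmdline: str) -> List[Tuple[str, str]]:
    """Return (ATT&CK technique, message) tuples for one command line."""
    reg = parse_reg_add(cmdline)
    if reg is None:
        return []
    findings = []
    # Run-key autostart pointing at something a user could have dropped.
    if RUN_KEY_RE.search(reg.key) and reg.data and USER_WRITABLE_RE.match(reg.data):
        findings.append(("T1547.001",
                         f"Run key value '{reg.value_name}' points at user-writable path: {reg.data}"))
    # Legacy Windows Firewall policy keys, written here through reg.exe.
    if FIREWALL_POLICY_RE.search(reg.key):
        name = (reg.value_name or "").lower()
        if name == "donotallowexceptions" and reg.data == "0":
            findings.append(("T1562.004", "Turns firewall exceptions back on (DoNotAllowExceptions=0)"))
        elif reg.key.lower().endswith("\\authorizedapplications\\list"):
            findings.append(("T1562.004", f"Allow-lists an application in firewall policy: {reg.data}"))
        else:
            findings.append(("T1562.004", f"Writes firewall policy value '{reg.value_name}'"))
    return findings


def scan(cmdlines) -> List[Tuple[str, str, str]]:
    """Run classify() over many lines; returns (cmdline, technique, message)."""
    return [(cl, tech, msg) for cl in cmdlines for tech, msg in classify(cl)]


if __name__ == "__main__":
    for cl, tech, msg in scan(SAMPLE_COMMAND_LINES):
        print(f"[{tech}] {msg}")
```

The sandbox only saw these keys written through reg.exe, so the check is phrased over command lines; a sample that uses the registry API directly leaves no such line, and the equivalent detection is on registry-set telemetry for the same key paths. Whether or not a current firewall service still honours the legacy AuthorizedApplications\List entries, a write there from a user-profile process is a high-fidelity indicator.
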
Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 4.155.164.36:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
GB 104.91.71.146:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 www.office.com udp
US 13.107.6.156:443 www.office.com tcp
US 8.8.8.8:53 res.cdn.office.net udp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 104.91.71.145:443 res.cdn.office.net tcp
GB 104.91.71.145:443 res.cdn.office.net tcp
GB 104.91.71.145:443 res.cdn.office.net tcp
GB 104.91.71.145:443 res.cdn.office.net tcp
GB 104.91.71.145:443 res.cdn.office.net tcp
GB 104.91.71.145:443 res.cdn.office.net tcp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
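
Every row in this table except the havefunnuke.servequake.com lookups belongs to the Edge update and Office Hub activity running alongside the sample. The dynamic-DNS name was queried ten times and never produced a TCP connection, which is what a call-back name that no longer resolves looks like in sandbox output. The following is an added example, not part of the report: a triage pass that counts lookups against connections per domain so the one candidate falls out of the vendor noise. The vendor allow-list and the dynamic-DNS suffix list are analyst assumptions, not data from the report.

```python
"""Sort sandbox network rows into vendor noise, resolved connections and
repeated DNS lookups that never turned into a connection.

The rows are copied from the Network table above. The domain allow-list and
the dynamic-DNS suffix list are assumptions to maintain per environment."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Tuple

NETWORK_ROWS = """\
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
US 4.155.164.36:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
GB 104.91.71.146:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 havefunnuke.servequake.com udp
US 8.8.8.8:53 www.office.com udp
US 13.107.6.156:443 www.office.com tcp
US 8.8.8.8:53 res.cdn.office.net udp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 104.91.71.145:443 res.cdn.office.net tcp
GB 104.91.71.145:443 res.cdn.office.net tcp
GB 104.91.71.145:443 res.cdn.office.net tcp
GB 104.91.71.145:443 res.cdn.office.net tcp
GB 104.91.71.145:443 res.cdn.office.net tcp
GB 104.91.71.145:443 res.cdn.office.net tcp
GB 172.165.61.93:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
"""

# Assumed allow-list of first-party infrastructure the Edge/Office activity talks to.
VENDOR_SUFFIXES = ("microsoft.com", "office.com", "office.net", "bing.com")
# Assumed list of free dynamic-DNS suffixes commonly used for RAT call-backs.
DDNS_SUFFIXES = ("servequake.com", "no-ip.org", "ddns.net", "hopto.org", "zapto.org", "sytes.net", "duckdns.org")


@dataclass
class DomainStats:
    domain: str
    dns_lookups: int = 0
    connections: int = 0
    peers: set = field(default_factory=set)  # "ip:port" of non-DNS traffic
    dynamic_dns: bool = False
    label: str = ""


def parse_rows(text: str) -> Iterable[Tuple[str, str, int, str, str]]:
    """Yield (country, host, port, domain, proto) from the flat table rows."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        host, port = dest.rsplit(":", 1)
        yield country, host, int(port), domain.lower(), proto.lower()


def _has_suffix(domain: str, suffixes) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def triage(rows, min_lookups: int = 3) -> Dict[str, DomainStats]:
    """Aggregate per domain, then label each one."""
    stats: Dict[str, DomainStats] = {}
    for _country, host, port, domain, proto in rows:
        st = stats.setdefault(domain, DomainStats(domain))
        if proto == "udp" and port == 53:
            st.dns_lookups += 1  # resolver traffic, 8.8.8.8 is not a peer
        else:
            st.connections += 1
            st.peers.add(f"{host}:{port}")
    for st in stats.values():
        st.dynamic_dns = _has_suffix(st.domain, DDNS_SUFFIXES)
        if _has_suffix(st.domain, VENDOR_SUFFIXES):
            st.label = "vendor-noise"
        elif st.connections == 0 and st.dns_lookups >= min_lookups:
            st.label = "dns-only"  # kept asking, never got anywhere
        elif st.connections == 0:
            st.label = "dns-once"
        else:
            st.label = "connected"
    return stats


def suspicious(stats: Dict[str, DomainStats]) -> List[str]:
    """Domains worth a blocklist entry: retried lookups with no connection,
    dynamic-DNS names first, then by lookup count."""
    hits = [s for s in stats.values() if s.label == "dns-only"]
    hits.sort(key=lambda s: (not s.dynamic_dns, -s.dns_lookups))
    return [s.domain for s in hits]


if __name__ == "__main__":
    for st in triage(parse_rows(NETWORK_ROWS)).values():
        print(f"{st.label:12} dns={st.dns_lookups:2} tcp={st.connections:2} ddns={st.dynamic_dns} {st.domain}")
```

The lookup threshold matters: a single unanswered query is normal background noise, while ten in one short detonation from a process that has nothing else to talk to is a beacon loop. A name that does resolve and connect is handled by the "connected" bucket and would show the peer IP and port, which is what you would take to the blocklist instead.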

Files

memory/3544-0-0x0000000000400000-0x0000000000591000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TSNMX.txt

MD5 1954c7e666c5b4d1117ef07bc0c9b8ec
SHA1 559e3c0273c1463e9184027b749bdaad0a372681
SHA256 35e0dbc8b455ca38976157ce9d0293fd6cdca20f46f1cb69058a1e0f0af6f693
SHA512 3939de8d0ab7e67b59ff8bebed5580dafd38d8785193fd42a289728500761a68b9e6660605e19e10d4278dd106fea4b273a208f25485e7389c8f19b2958c926a

C:\Users\Admin\AppData\Roaming\Windows Update\winupdt.txt

MD5 5b04c56b351b792bf5d3392a4f0fa9d4
SHA1 d6a828d286e90b780eadb724208d74c7133dd4b5
SHA256 b678c472970c28c4ae14fd7e99e26e0431a21a6a5ecc02da8874516795d88c8e
SHA512 6d41c56c08077175340ae1c4a3b439982b2a2793324fc95399237e52e5da3f3b2a25832252421f7101cc3f60606182864a4cd73e5ae594b6e709ffce3c342001

memory/3544-28-0x0000000000400000-0x0000000000591000-memory.dmp

memory/3404-31-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3404-36-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3404-34-0x0000000000400000-0x000000000045C000-memory.dmp

memory/2212-40-0x0000000000400000-0x0000000000591000-memory.dmp

memory/3404-43-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3404-45-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3404-47-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3404-48-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3404-49-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3404-52-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3404-53-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3404-54-0x0000000000400000-0x000000000045C000-memory.dmp

memory/3404-56-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{F64D72D3-6E23-404F-ABCA-BD2B469A1E2D}\EDGEMITMP_20B74.tmp\setup.exe

MD5 1b3e9c59f9c7a134ec630ada1eb76a39
SHA1 a7e831d392e99f3d37847dcc561dd2e017065439
SHA256 ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae
SHA512 c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

C:\Program Files\msedge_installer.log

MD5 b747f375d7b6b51247eb3e8fdb15fa23
SHA1 b169a486e029e815130914f61cbd491542d4aab2
SHA256 b6dea9c42b81af65eb3c19185d14812b5c6dbcf84d8f49b0dbddb32084f7309a
SHA512 3316248b220ef11d533ce60be411ce5539e6e0d7edc89b4fedc5672451abb77794249ed2ac782a2427fb5cd53fb79a2129e1853968c115f8f70ec59095857f35

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 ad5f7dc7ca3e67dce70c0a89c04519e0
SHA1 a10b03234627ca8f3f8034cd5637cda1b8246d83
SHA256 663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31
SHA512 ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

C:\Program Files\msedge_installer.log

MD5 155ad5bee8617e5734cba9bd6995f267
SHA1 8f3a9754e4c0e034ecefa45b0e361517f6719a17
SHA256 ca4d9e3fe5c65c2b8ac4f7b321a01631a79f4b76088d3639d9a17a8cc830ee0f
SHA512 11e968c3f99a7fe5243d3dd57897738d495474c711de612062d1f5e6ad0e5bafc82976342ed48df2eadbcc2cbff8e9ff3a65dcdb04b1a142c18add3bd70b0d2a

C:\Program Files\msedge_installer.log

MD5 fa99f88cce432f18002667590d927a08
SHA1 674e617ddff9d51d6a67ccc18ca7d20683c86a8e
SHA256 08f078cb28f6244193dc1bf4a8d322ed7a66b3df978ca5c86128c763fdb07f43
SHA512 efa93ee94b2cd6612dd2b2866aec2d0f62bd00cf710701f31e369f3bbbe8f9683655fc91933304596e4c25ab6c9ae2cf7b2797e8a928a52dff67488785e775d1

memory/2340-132-0x00000254B4120000-0x00000254B412E000-memory.dmp

memory/2340-133-0x00000254B45D0000-0x00000254B45DA000-memory.dmp

memory/2340-134-0x00000254CE660000-0x00000254CE668000-memory.dmp

memory/2340-135-0x00000254CEA00000-0x00000254CEC49000-memory.dmp