Malware Analysis Report

2025-04-03 09:52

Sample ID: 250216-ls8fksskfv
Target: c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
SHA256: c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def
Tags: rat netwire warzonerat botnet discovery infostealer stealer adware persistence privilege_escalation
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def
Threat Level: Known bad

The file c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe was found to be: Known bad.

Malicious Activity Summary

rat netwire warzonerat botnet discovery infostealer stealer adware persistence privilege_escalation

Netwire

NetWire RAT payload

WarzoneRat, AveMaria

Warzonerat family

Netwire family

Warzone RAT payload

Boot or Logon Autostart Execution: Active Setup

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Event Triggered Execution: Component Object Model Hijacking

Loads dropped DLL

Checks installed software on the system

Installs/modifies Browser Helper Object

AutoIT Executable

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

System policy modification

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-02-16 09:48

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Netwire family

netwire

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2025-02-16 09:48
Reported: 2025-02-16 09:51
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (x11)

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (x4)

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (x7)

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A (x6)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A (x4)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe N/A (x2)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A (x4)

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A (x4)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1640 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe (x4)
PID 2120 wrote to memory of 2408 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe (x4)
PID 1640 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe (x6)
PID 1640 wrote to memory of 1816 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\schtasks.exe (x4)
PID 1212 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe (x6)
PID 2860 wrote to memory of 2768 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (x4)
PID 2768 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe (x4)
PID 2768 wrote to memory of 2496 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (x6)
PID 2768 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe (x4)
PID 2496 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe (x6)
PID 2860 wrote to memory of 2372 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (x4)
PID 2372 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe (x4)
PID 2372 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe (x6)
PID 2372 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe (x2)

Processes

C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe

"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe

"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {0F06C430-BF93-4874-A13F-861EFD47F696} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

Network

Country Destination Domain Protocol
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

memory/1640-0-0x0000000001050000-0x00000000011BB000-memory.dmp

\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/2120-24-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1212-39-0x0000000000080000-0x000000000009D000-memory.dmp
memory/1212-36-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/1212-29-0x0000000000080000-0x000000000009D000-memory.dmp
memory/1212-27-0x0000000000080000-0x000000000009D000-memory.dmp
memory/1640-26-0x0000000000C60000-0x0000000000C61000-memory.dmp
memory/1640-41-0x0000000001050000-0x00000000011BB000-memory.dmp
memory/2248-42-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2248-44-0x0000000000120000-0x0000000000121000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 3c54630b57e4500803c9f48eb37ce746
SHA1 bca51b12cdc65f2e7c1cbfe2fa3b9e9a1db1a684
SHA256 47a5369713e1e284b16d1acfb0ab9d3614e9631f34c8c666a7123d432613d39d
SHA512 7d8b1172d713ac45211ee813167963d81a6613abe0a980876201c17c5353e6c71ed32adaecd81c8fde3de35526472251a80f09cafaa403cc1aec32df3a139fc0

memory/2768-49-0x0000000001130000-0x000000000129B000-memory.dmp
memory/2496-74-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2496-68-0x00000000000C0000-0x00000000000DD000-memory.dmp
memory/2496-77-0x00000000000C0000-0x00000000000DD000-memory.dmp
memory/2768-78-0x0000000001130000-0x000000000129B000-memory.dmp
memory/2948-81-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2408-84-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2692-86-0x0000000000400000-0x000000000042C000-memory.dmp
memory/1132-108-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/2372-112-0x0000000001130000-0x000000000129B000-memory.dmp
memory/1832-117-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2848-154-0x0000000001130000-0x000000000129B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-02-16 09:48
Reported: 2025-02-16 09:51
Platform: win10v2004-20250211-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"

Signatures

NetWire RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (x15)

Netwire

botnet stealer netwire

Netwire family

netwire

WarzoneRat, AveMaria

rat infostealer warzonerat

Warzonerat family

warzonerat

Warzone RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A (x6)

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1318997816-2171176372-1451785247-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A (x3)

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A (x4)
N/A N/A C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A (x6)
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A (x4)
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A (x6)

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A (x8)

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\mt.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files\msedge_installer.log C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\learning_tools.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Canary.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\fr.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\or.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Entities C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Cryptomining C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\de.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Beta.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Content C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Social C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pt-BR.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\en-US.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\lt.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\mip_protection_sdk.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\MEIPreload\preloaded_data.pb C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Beta.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\msedge.exe.sig C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\gd.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sv.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\LICENSE C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_stub.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fr.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\tt.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\dual_engine_adapter_x64.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msvcp140_codecvt_ids.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\TransparentAdvertisers C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\uk.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ca-Es-VALENCIA.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\metadata C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\dxil.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\libEGL.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\resources.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\SmallLogo.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\elevation_service.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\da.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\fil.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\notification_helper.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\Logo.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vcruntime140.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\vi.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest.xml C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\gd.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\internal.identity_helper.exe.manifest C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Advertising C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ar.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\or.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Stable.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoBeta.png C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\pwahelper.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_bho.dll C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\gl.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\kok.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Internal.msix C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ar.pak C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
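Reading the Process column is the single most useful check on this page: every row in the Files, Modifies Internet Explorer settings, Modifies data under HKEY_USERS and Modifies registry class tables is attributed to Microsoft's own Edge updater and installer (MicrosoftEdgeUpdate.exe, EDGEMITMP_3298B.tmp\setup.exe, Installer\setup.exe), so the BHO, ElevationPolicy and COM-class signatures fire on the Edge installation rather than on the sample. The sample's own footprint is the set of processes running from user-writable locations (aepic\RtDCpl64.exe, Blasthost.exe, Imgburn\Host.exe under AppData\Roaming, and the original file under AppData\Local\Temp) plus the schtasks.exe and cmd.exe children. The script below is an added example, not part of the report or of any sandbox vendor's tooling: it parses the flattened "Description Indicator Process Target" rows, buckets events by where the process lives, and for the CLSID rows rebuilds the InprocServer32/LocalServer32 server path (undoing the report's C-style escaping) so that any COM server registered outside Program Files or Windows can be flagged. The category names, the trusted-prefix list and the classification rules are this example's own assumptions; the rows embedded as input are copied verbatim from the tables on this page.

```python
import re
from collections import Counter, defaultdict

# Sample input: rows copied verbatim from this report's flattened tables
# (Files, System Language Discovery, Internet Connection Discovery, IE settings,
# registry class). Constructed for the example; nothing here is generated by the code.
SAMPLE_ROWS = r'''
File created C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Blasthost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
'''.strip().splitlines()

SAMPLE_SHA256 = "c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def"

# A row is "<description> <indicator> <process> <target>". The indicator may itself contain
# spaces and Windows paths, so the process is taken as the right-most " C:\...exe" before
# the trailing target token (greedy indicator, backtracking from the right).
ROW_RE = re.compile(
    r"^(?P<desc>File created|File opened for modification|Key opened|Key created|Key deleted"
    r"|Set value \((?:int|str)\)|N/A) "
    r"(?P<indicator>.*) "
    r"(?P<process>C:\\.*\.exe) "
    r"(?P<target>\S+)$"
)

# Default value of a CLSID's InprocServer32/LocalServer32 key: the COM server that gets loaded.
COM_SERVER_RE = re.compile(
    r'CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\(?P<kind>InprocServer32|LocalServer32)\\ = (?P<value>".*")$'
)

# Assumed trusted install roots for this example; anything else hosting a COM server is reviewed.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def parse_row(line):
    """Split one flattened table row into its four columns, or None if it is not a row."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_process(path):
    """Bucket a process by where it runs from (example's own categories)."""
    p = path.lower()
    if SAMPLE_SHA256 in p:
        return "sample"                      # the detonated file itself
    if "\\appdata\\" in p:
        return "dropped_payload"             # user-writable location: no installer belongs here
    if p.startswith("c:\\windows\\"):
        return "lolbin"                      # schtasks.exe / cmd.exe spawned by the sample
    if p.startswith(TRUSTED_PREFIXES[:2]) and "\\microsoft\\edge" in p:
        return "edge_installer_noise"        # Microsoft Edge updater / installer activity
    return "other"


def triage(lines):
    """Count events per category and collect the distinct process paths seen in each."""
    counts, processes = Counter(), defaultdict(set)
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        cat = classify_process(row["process"])
        counts[cat] += 1
        processes[cat].add(row["process"])
    return {"counts": counts, "processes": processes}


def unescape_value(raw):
    """Undo the report's C-style rendering of REG_SZ data (\\\\ for \\, \\" for ")."""
    s = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    s = s.replace('\\"', '"').replace("\\\\", "\\")
    return s.strip('"')


def is_trusted_location(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def com_servers(lines):
    """Rebuild CLSID -> server path from the registry rows and mark untrusted locations."""
    found = []
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        m = COM_SERVER_RE.search(row["indicator"])
        if m:
            server = unescape_value(m.group("value"))
            found.append({"clsid": m.group("clsid"), "kind": m.group("kind"),
                          "server": server, "trusted": is_trusted_location(server)})
    return found


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for cat, n in result["counts"].most_common():
        print(f"{cat}: {n} events")
        for proc in sorted(result["processes"][cat]):
            print(f"    {proc}")
    for s in com_servers(SAMPLE_ROWS):
        print(f'{"ok" if s["trusted"] else "REVIEW"} {s["clsid"]} {s["kind"]} -> {s["server"]}')
```

Run against the full tables on this page, the dropped_payload and lolbin buckets are the ones to carry into a host hunt (scheduled tasks and Active Setup entries whose action points under AppData\Roaming), while the edge_installer_noise bucket explains the BHO and COM-class signatures. The COM check confirms that on this report every registered server resolves under the Edge install directory; the same function flags a server under a user profile, which is what a real COM hijack looks like in this table format.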

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\ = "URL:microsoft-edge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas\command C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.webp C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationCompany = "Microsoft Corporation" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe\"" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\ = "ie_to_edge_bho.IEToEdgeBHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\LocalService = "MicrosoftEdgeElevationService" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO\\ie_to_edge_bho_64.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\Version = "1.0" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.pdf C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\EBWebView\\x64\\EmbeddedBrowserWebView.dll" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\ = "Microsoft Edge PDF Document" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32 C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds\MSEdgeHTM C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.mhtml\OpenWithProgids C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\AppId = "{628ACE20-B77A-456F-A88D-547DB6CEEDD5}" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\AppUserModelId = "MSEdge" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\.html C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_helper.exe" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767} C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3716 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3716 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3716 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4360 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 4360 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 4360 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Roaming\Blasthost.exe C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe
PID 3716 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 3716 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 3716 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 3716 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 3716 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe
PID 2848 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 3716 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\schtasks.exe
PID 3716 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\schtasks.exe
PID 3716 wrote to memory of 2268 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\schtasks.exe
PID 2848 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 2848 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3668 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3668 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 3668 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3668 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3668 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3668 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 3668 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 2280 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 3668 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 3668 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 3668 wrote to memory of 3900 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 2280 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2280 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4360 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4360 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\Blasthost.exe
PID 4360 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4360 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4360 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4360 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4360 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe
PID 4360 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4360 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4360 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\schtasks.exe
PID 4860 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe C:\Windows\SysWOW64\cmd.exe
PID 2988 wrote to memory of 2032 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe
PID 2988 wrote to memory of 2032 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\MicrosoftEdge_X64_133.0.3065.59.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe
PID 2032 wrote to memory of 1704 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe
PID 2032 wrote to memory of 1704 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe
PID 2032 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe
PID 2032 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe
PID 3876 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe
PID 3876 wrote to memory of 4512 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe
PID 2032 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 2032 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 2032 wrote to memory of 2216 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 2032 wrote to memory of 2216 N/A C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
PID 1836 wrote to memory of 4076 N/A C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe

"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource core

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe

"C:\Users\Admin\AppData\Roaming\Imgburn\Host.exe"

C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe

"C:\Users\Admin\AppData\Local\Temp\c2d2d4a120598d53049e123fb20fb0299ffa93258cb423c4dfb6cbb5089a6def.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDM0NTIyREMtODNBNC00MDVELUJGM0UtRUJBRTk2MUM3NjE2fSIgdXNlcmlkPSJ7NEVCQ0EwRkUtODQ0OS00MzQ3LTkwNTItQ0Y5NkFFMEMwODBFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjAwMzlEODktRjIxMC00Mjc3LUJFODMtQ0Y4OUNGNTZERkU1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDE5NjEyMjYzIi8-PC9hcHA-PC9yZXF1ZXN0Pg

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\MicrosoftEdge_X64_133.0.3065.59.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff636f16a68,0x7ff636f16a74,0x7ff636f16a80

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe

"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff636f16a68,0x7ff636f16a74,0x7ff636f16a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6539a6a68,0x7ff6539a6a74,0x7ff6539a6a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6539a6a68,0x7ff6539a6a74,0x7ff6539a6a80

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6539a6a68,0x7ff6539a6a74,0x7ff6539a6a80

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

C:\Users\Admin\AppData\Roaming\Blasthost.exe

"C:\Users\Admin\AppData\Roaming\Blasthost.exe"

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

"C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\SysWOW64\schtasks.exe" /create /tn raserver /tr "C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe" /sc minute /mo 1 /F

Network

Country Destination Domain Proto
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 msedge.api.cdp.microsoft.com udp
IE 4.245.161.190:443 msedge.api.cdp.microsoft.com tcp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 msedge.b.tlu.dl.delivery.mp.microsoft.com udp
GB 96.17.178.199:80 msedge.b.tlu.dl.delivery.mp.microsoft.com tcp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 Wealthy2019.com.strangled.net udp
US 8.8.8.8:53 wealth.warzonedns.com udp
US 8.8.8.8:53 wealthyme.ddns.net udp

Files

memory/3716-0-0x0000000000FA0000-0x000000000110B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Blasthost.exe

MD5 6087bf6af59b9c531f2c9bb421d5e902
SHA1 8bc0f1596c986179b82585c703bacae6d2a00316
SHA256 3a8ffff8485c9ed35dae82574ea1a455ea2ead532251cebea19149d78dfd682c
SHA512 c8ed34470a874ce21c91cb7843521d66decc32c3f0a9c8d5b55889a7b990dfe5199ade8b6c6ef94b1bced6d3b5f0721e14bcc06320e8efe73ca3fe27fd6b9292

memory/4360-13-0x0000000000400000-0x000000000042C000-memory.dmp

memory/3716-15-0x00000000016A0000-0x00000000016A1000-memory.dmp

memory/2848-16-0x0000000000340000-0x000000000035D000-memory.dmp

memory/2848-24-0x0000000000340000-0x000000000035D000-memory.dmp

memory/3716-26-0x0000000000FA0000-0x000000000110B000-memory.dmp

memory/3472-27-0x00000000003F0000-0x00000000003F1000-memory.dmp

C:\Users\Admin\AppData\Roaming\aepic\RtDCpl64.exe

MD5 766f38e12c6d2788f9e2b3a301512d28
SHA1 e33621cc81d716fa92116c37130a5f81de766294
SHA256 aaffd10774584278973faf1c8e619c741aaf6653bd46c232aee8eec8ee5d8bce
SHA512 3d79d6c0b1b3bcdbaed3e4d99185415e2bbdca2351ba11afbf6b7a03d2a6c16801d37ad20380f9477765b75c65fbee22e155f45e080df20313fb4026d3a98336

memory/3668-30-0x0000000000ED0000-0x000000000103B000-memory.dmp

memory/2280-39-0x0000000000400000-0x000000000041D000-memory.dmp

memory/2280-47-0x0000000000400000-0x000000000041D000-memory.dmp

memory/3668-48-0x0000000000ED0000-0x000000000103B000-memory.dmp

memory/3016-49-0x0000000000B90000-0x0000000000B91000-memory.dmp

memory/1052-51-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1568-53-0x0000000000400000-0x000000000042C000-memory.dmp

C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

MD5 d2e323631dbb4e63dbcca7d9c1fbed76
SHA1 3945d53608db21d4366ab583f7eacc15607785e7
SHA256 dd0b50ed28fea531fb7fcc8d4d455633b30810aabd2e33b481a388fa3a1436bd
SHA512 a0304e6e49bd9164710803dd56552f0e400682ac4180c3f49c6d06b9ebb48c35171f9eaded2f5467aba3bf1740d6dcbcc1b1b6e22e7d4fce111816d837703b38

memory/1052-62-0x0000000000400000-0x000000000042C000-memory.dmp

memory/1568-63-0x0000000000400000-0x000000000042C000-memory.dmp

memory/4860-67-0x00000000001E0000-0x00000000001FD000-memory.dmp

memory/4860-76-0x00000000001E0000-0x00000000001FD000-memory.dmp

memory/4360-77-0x0000000000ED0000-0x000000000103B000-memory.dmp

memory/5040-78-0x0000000001300000-0x0000000001301000-memory.dmp

memory/1344-82-0x0000000000400000-0x000000000042C000-memory.dmp

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{43BD2E3C-BED7-4996-AB24-9D8E8D884BC4}\EDGEMITMP_3298B.tmp\setup.exe

MD5 1b3e9c59f9c7a134ec630ada1eb76a39
SHA1 a7e831d392e99f3d37847dcc561dd2e017065439
SHA256 ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae
SHA512 c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

C:\Program Files\msedge_installer.log

MD5 a0546d81a2aecdb044b5aabd4e028f52
SHA1 6bd15ba7de411b3d2a778f8bd12bc648ca12842f
SHA256 10fabb814e9661cf1a240df63cb42e2591e29cabaac347b4676a253bf588655e
SHA512 157310168ca03e3bffe8ee14912d666604642c29b68536e85ab31be9b19cce41572a1389b3f172252126495160472978019d1de64874009dc93662798a00d2ab

\??\PIPE\wkssvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

MD5 ad5f7dc7ca3e67dce70c0a89c04519e0
SHA1 a10b03234627ca8f3f8034cd5637cda1b8246d83
SHA256 663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31
SHA512 ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

C:\Program Files\msedge_installer.log

MD5 27b53c27979800c7045eca4b709cbde1
SHA1 e3dba3cb64fdf96119f761b0f6c77409fc42900e
SHA256 e03521423a2dd64be686e5bb2be5ccc93313e99233cd1bdc4a1ad7db4f1836f9
SHA512 610ee814993dbe245c9db346613b0320c672aa72236434bd5eba8b9cbc9f4589f664d65ccea3f74a9ff9dc0206f6ffa64955c931ef86c9d3f36ef43bbefcc889

C:\Program Files\msedge_installer.log

MD5 b2a977d4ddfc2e12ecdce1e481532801
SHA1 c71c462ec9d8ef346d8cafef41279b7a83d9c444
SHA256 02704781ea8669e5f7f36ab32a4297ce274355d731f531d06461435e87dc0217
SHA512 eddc95598dbf181c85261b398839bcb5e32b38e7acc921dd771b63040a1857a2c61f36f736b322d46afa15920e5edacc1284a0919d22604376e0482b29b85dce

C:\Program Files\msedge_installer.log

MD5 a19a0114610fa9e2df98bd1be4865332
SHA1 d7d01efdb78a74c37951afd7fd61ee4372a82fba
SHA256 9ce0640156bee2c3af67c36bc4619f2f82807480ef52bf5b2a9fd02ea750cad8
SHA512 f54036ddffb70c5a4b39c9e06346ece9683e45b0130a639856340b27e822ef202701624634225fe3c35aad2d0f1d787bf8fff230db2cfb90032cace512768bc5

memory/5060-167-0x0000000000ED0000-0x000000000103B000-memory.dmp

memory/5060-179-0x0000000000ED0000-0x000000000103B000-memory.dmp