f3aa2b23a67f4dbcce9fff7bb084e70127e3e0c4f2ab0f605487c570a7408960

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe
Size

6.3MB
MD5

0e4a9a7f552ee8b6f3b47b82e70df7ff
SHA1

8a90ff94fd3be60c05ad054bde587cf10673bab1
SHA256

6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05
SHA512

ea9cf61d684f6903bbdd15c5e15a5b8f2ee9271cf8f1dfc993f6d276f7e9167b076dcaca46b265eadfc0575e650b76442b665998ba41556c76d9579946c39621
SSDEEP

98304:J10zXFg9bxfI3oZvBNHf72B6Rwxk7WN3Oo7Yb0QjY2ye8i2ylpPxh:kzXS9RI3cNHaB6X7S7bwHydev

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3920955164-3782810283-1225622749-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 18 IoCs

pid	Process
1232	ZoraraB.exe
3984	7281074781.exe
1872	ZoraraB.exe
1396	WebView2Runtime.exe
2964	MicrosoftEdgeUpdate.exe
5540	MicrosoftEdgeUpdate.exe
2696	MicrosoftEdgeUpdate.exe
4488	MicrosoftEdgeUpdateComRegisterShell64.exe
2208	MicrosoftEdgeUpdateComRegisterShell64.exe
1736	MicrosoftEdgeUpdateComRegisterShell64.exe
4264	MicrosoftEdgeUpdate.exe
2692	MicrosoftEdgeUpdate.exe
5924	MicrosoftEdgeUpdate.exe
1908	MicrosoftEdgeUpdate.exe
3260	MicrosoftEdgeUpdate.exe
3040	MicrosoftEdgeWebview_X64_132.0.2957.115.exe
3108	setup.exe
3168	setup.exe

Loads dropped DLL 34 IoCs

pid	Process
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
1872	ZoraraB.exe
2964	MicrosoftEdgeUpdate.exe
5540	MicrosoftEdgeUpdate.exe
2696	MicrosoftEdgeUpdate.exe
4488	MicrosoftEdgeUpdateComRegisterShell64.exe
2696	MicrosoftEdgeUpdate.exe
2208	MicrosoftEdgeUpdateComRegisterShell64.exe
2696	MicrosoftEdgeUpdate.exe
1736	MicrosoftEdgeUpdateComRegisterShell64.exe
2696	MicrosoftEdgeUpdate.exe
4264	MicrosoftEdgeUpdate.exe
2692	MicrosoftEdgeUpdate.exe
5924	MicrosoftEdgeUpdate.exe
5924	MicrosoftEdgeUpdate.exe
2692	MicrosoftEdgeUpdate.exe
1908	MicrosoftEdgeUpdate.exe
3260	MicrosoftEdgeUpdate.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 10 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_iw.dll	WebView2Runtime.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77A2826D-C04E-4003-9DF1-DFE33977161F}\MicrosoftEdgeWebview_X64_132.0.2957.115.exe	MicrosoftEdgeWebview_X64_132.0.2957.115.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_te.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_cy.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_nn.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\EdgeUpdate.dat	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_sr-Latn-RS.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\psuser_64.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_fil.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_el.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_ur.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_mi.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_mk.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\97ab7209-9663-4efe-b781-2f9d5b86338c.tmp	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\psuser_arm64.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_lv.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_ne.dll	WebView2Runtime.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Offline\{375C633A-5C93-4088-A414-B70EC7EC851C}\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\MicrosoftEdge_X64_132.0.2957.115.exe	MicrosoftEdgeUpdate.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_de.dll	WebView2Runtime.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\MicrosoftEdgeUpdateOnDemand.exe	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\NOTICE.TXT	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_zh-TW.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_km.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\psmachine.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_ko.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_ro.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_sl.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\MicrosoftEdge_X64_132.0.2957.115.exe.{0D50BFEC-CD6A-4F9A-964C-C7416E3ACB10}	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_es.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_pt-BR.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_sk.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_th.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\3108_13387098171368033_3108.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_en.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_az.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_mt.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_sq.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\MicrosoftEdgeUpdateBroker.exe	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\MicrosoftEdgeComRegisterShellARM64.exe	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_it.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_nl.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_vi.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_gd.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_fa.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_fi.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_id.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_pl.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_tr.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77A2826D-C04E-4003-9DF1-DFE33977161F}\EDGEMITMP_1A1CF.tmp\setup.exe	MicrosoftEdgeWebview_X64_132.0.2957.115.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_es-419.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_sv.dll	WebView2Runtime.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77A2826D-C04E-4003-9DF1-DFE33977161F}\EDGEMITMP_1A1CF.tmp\setup.exe	MicrosoftEdgeWebview_X64_132.0.2957.115.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_cs.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_ca-Es-VALENCIA.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_kn.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_pt-PT.dll	WebView2Runtime.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_kok.dll	WebView2Runtime.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_bg.dll	WebView2Runtime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wermgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7281074781.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WebView2Runtime.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4264	MicrosoftEdgeUpdate.exe
1908	MicrosoftEdgeUpdate.exe
3260	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods\ = "41"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\ProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\AppID = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\psmachine.dll"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ = "IApp"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods\ = "43"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\MicrosoftEdgeUpdateBroker.exe\""	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\ProgID\ = "MicrosoftEdgeUpdate.ProcessLauncher.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\msedgeupdate.dll,-1004"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{41E1FADF-C62D-4DF4-A0A2-A3BEB272D8AF}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ = "IPolicyStatus2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CurVer\ = "MicrosoftEdgeUpdate.CredentialDialogMachine.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\Elevation	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\{A6B716CB-028B-404D-B72C-50E153DD68DA}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ = "ServiceModule"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc.1.0\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods\ = "27"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2964	MicrosoftEdgeUpdate.exe
2964	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	MicrosoftEdgeUpdate.exe
Token: SeRestorePrivilege	5924	MicrosoftEdgeUpdate.exe
Token: SeBackupPrivilege	5924	MicrosoftEdgeUpdate.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 1232	4048	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe	88
PID 4048 wrote to memory of 1232	4048	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe	88
PID 4048 wrote to memory of 3984	4048	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe	90
PID 4048 wrote to memory of 3984	4048	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe	90
PID 4048 wrote to memory of 3984	4048	6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe	90
PID 3984 wrote to memory of 4408	3984	7281074781.exe	91
PID 3984 wrote to memory of 4408	3984	7281074781.exe	91
PID 1232 wrote to memory of 1872	1232	ZoraraB.exe	92
PID 1232 wrote to memory of 1872	1232	ZoraraB.exe	92
PID 1872 wrote to memory of 1396	1872	ZoraraB.exe	115
PID 1872 wrote to memory of 1396	1872	ZoraraB.exe	115
PID 1872 wrote to memory of 1396	1872	ZoraraB.exe	115
PID 1396 wrote to memory of 2964	1396	WebView2Runtime.exe	116
PID 1396 wrote to memory of 2964	1396	WebView2Runtime.exe	116
PID 1396 wrote to memory of 2964	1396	WebView2Runtime.exe	116
PID 2964 wrote to memory of 5540	2964	MicrosoftEdgeUpdate.exe	117
PID 2964 wrote to memory of 5540	2964	MicrosoftEdgeUpdate.exe	117
PID 2964 wrote to memory of 5540	2964	MicrosoftEdgeUpdate.exe	117
PID 2964 wrote to memory of 2696	2964	MicrosoftEdgeUpdate.exe	118
PID 2964 wrote to memory of 2696	2964	MicrosoftEdgeUpdate.exe	118
PID 2964 wrote to memory of 2696	2964	MicrosoftEdgeUpdate.exe	118
PID 2696 wrote to memory of 4488	2696	MicrosoftEdgeUpdate.exe	119
PID 2696 wrote to memory of 4488	2696	MicrosoftEdgeUpdate.exe	119
PID 2696 wrote to memory of 2208	2696	MicrosoftEdgeUpdate.exe	120
PID 2696 wrote to memory of 2208	2696	MicrosoftEdgeUpdate.exe	120
PID 2696 wrote to memory of 1736	2696	MicrosoftEdgeUpdate.exe	121
PID 2696 wrote to memory of 1736	2696	MicrosoftEdgeUpdate.exe	121
PID 2964 wrote to memory of 4264	2964	MicrosoftEdgeUpdate.exe	122
PID 2964 wrote to memory of 4264	2964	MicrosoftEdgeUpdate.exe	122
PID 2964 wrote to memory of 4264	2964	MicrosoftEdgeUpdate.exe	122
PID 2964 wrote to memory of 2692	2964	MicrosoftEdgeUpdate.exe	124
PID 2964 wrote to memory of 2692	2964	MicrosoftEdgeUpdate.exe	124
PID 2964 wrote to memory of 2692	2964	MicrosoftEdgeUpdate.exe	124
PID 5924 wrote to memory of 1908	5924	MicrosoftEdgeUpdate.exe	126
PID 5924 wrote to memory of 1908	5924	MicrosoftEdgeUpdate.exe	126
PID 5924 wrote to memory of 1908	5924	MicrosoftEdgeUpdate.exe	126
PID 5924 wrote to memory of 868	5924	MicrosoftEdgeUpdate.exe	128
PID 5924 wrote to memory of 868	5924	MicrosoftEdgeUpdate.exe	128
PID 5924 wrote to memory of 868	5924	MicrosoftEdgeUpdate.exe	128
PID 5924 wrote to memory of 3260	5924	MicrosoftEdgeUpdate.exe	131
PID 5924 wrote to memory of 3260	5924	MicrosoftEdgeUpdate.exe	131
PID 5924 wrote to memory of 3260	5924	MicrosoftEdgeUpdate.exe	131
PID 5924 wrote to memory of 3040	5924	MicrosoftEdgeUpdate.exe	132
PID 5924 wrote to memory of 3040	5924	MicrosoftEdgeUpdate.exe	132
PID 3040 wrote to memory of 3108	3040	MicrosoftEdgeWebview_X64_132.0.2957.115.exe	133
PID 3040 wrote to memory of 3108	3040	MicrosoftEdgeWebview_X64_132.0.2957.115.exe	133
PID 3108 wrote to memory of 3168	3108	setup.exe	134
PID 3108 wrote to memory of 3168	3108	setup.exe	134

C:\Users\Admin\AppData\Local\Temp\6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe
"C:\Users\Admin\AppData\Local\Temp\6f456ca5318d53c7577e67e641dbb36c8380514e08a7c4dd8ba88f15cebded05.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Users\Admin\AppData\Local\Temp\ZoraraB.exe
  "C:\Users\Admin\AppData\Local\Temp\ZoraraB.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\ZoraraB.exe
    C:\Users\Admin\AppData\Local\Temp\ZoraraB.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Users\Admin\AppData\Local\Temp\WebView2Runtime.exe
      C:\Users\Admin\AppData\Local\Temp\WebView2Runtime.exe /silent /install
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers"
        5⤵
        Event Triggered Execution: Image File Execution Options Injection
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5540
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4488
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2208
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1736
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDcyRUMwRTAtNEI4MC00MUIwLUJFRjMtQjQ3NEI4NDQwNzQ1fSIgdXNlcmlkPSJ7QUFBMTEyRDEtNDQwQy00MkZCLTlBQTgtRkU3ODY5RUJBRDFEfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins1OTA5QzUwQS05Rjc1LTQ1Q0ItQjA3Ni1EM0I0NTlGRUFERjd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS40MyIgbmV4dHZlcnNpb249IjEuMy4xOTUuNDMiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU3Mjc1ODgyOTIiIGluc3RhbGxfdGltZV9tcz0iMjk3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4264
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers" /installsource offline /sessionid "{072EC0E0-4B80-41B0-BEF3-B474B8440745}" /silent /offlinedir "{375C633A-5C93-4088-A414-B70EC7EC851C}"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2692
- C:\Users\Admin\AppData\Local\Temp\7281074781.exe
  "C:\Users\Admin\AppData\Local\Temp\7281074781.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\7281074781.exe"
    3⤵
    PID:4408

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5924
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDcyRUMwRTAtNEI4MC00MUIwLUJFRjMtQjQ3NEI4NDQwNzQ1fSIgdXNlcmlkPSJ7QUFBMTEyRDEtNDQwQy00MkZCLTlBQTgtRkU3ODY5RUJBRDFEfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MTMzQzlDMTYtNTEwMC00Q0IwLUJFMTQtRjNGMEQ0QzQ2NTdFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEzMy4wLjY5NDMuNjAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjciIGluc3RhbGxkYXRldGltZT0iMTc0MTkzNDU5NSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzg2NDA3MTU3ODE4MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU3MzI1ODg0MjgiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1908
- C:\Windows\SysWOW64\wermgr.exe
  "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5924" "1100" "1064" "1116" "0" "0" "0" "0" "0" "0" "0" "0"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:868
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDcyRUMwRTAtNEI4MC00MUIwLUJFRjMtQjQ3NEI4NDQwNzQ1fSIgdXNlcmlkPSJ7QUFBMTEyRDEtNDQwQy00MkZCLTlBQTgtRkU3ODY5RUJBRDFEfSIgaW5zdGFsbHNvdXJjZT0ib2ZmbGluZSIgcmVxdWVzdGlkPSJ7QTU5MDNCQkEtOEZFNi00MjE1LUI3MjYtQTg1NUFDMERBMUZFfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjEzMy4wLjMwNjUuNjkiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI3IiBpbnN0YWxsZGF0ZXRpbWU9IjE3NDE5MzM4OTIiPjxldmVudCBldmVudHR5cGU9IjMyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI0IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NzM3MTE5NjE5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:3260
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77A2826D-C04E-4003-9DF1-DFE33977161F}\MicrosoftEdgeWebview_X64_132.0.2957.115.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77A2826D-C04E-4003-9DF1-DFE33977161F}\MicrosoftEdgeWebview_X64_132.0.2957.115.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77A2826D-C04E-4003-9DF1-DFE33977161F}\EDGEMITMP_1A1CF.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77A2826D-C04E-4003-9DF1-DFE33977161F}\EDGEMITMP_1A1CF.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77A2826D-C04E-4003-9DF1-DFE33977161F}\MicrosoftEdgeWebview_X64_132.0.2957.115.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77A2826D-C04E-4003-9DF1-DFE33977161F}\EDGEMITMP_1A1CF.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77A2826D-C04E-4003-9DF1-DFE33977161F}\EDGEMITMP_1A1CF.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.84 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77A2826D-C04E-4003-9DF1-DFE33977161F}\EDGEMITMP_1A1CF.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.115 --initial-client-data=0x21c,0x220,0x224,0x1fc,0x228,0x7ff7993aa818,0x7ff7993aa824,0x7ff7993aa830
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{77A2826D-C04E-4003-9DF1-DFE33977161F}\EDGEMITMP_1A1CF.tmp\setup.exe

Filesize
6.6MB

MD5
c2f035293e07aaa688bc9457e695f0f9

SHA1
c5531aa40349601a23b01f8f24f4162958b7ab72

SHA256
704df2272e51fce395c576e4090270e0db7c7562f5b59779d36ca0563505cc91

SHA512
70228567ef097bee2b3e04a5300437adb3615d4217d3a2d08fbef364afbb54e43ffb5dd0e5f3931737d648f56f912ebe35121cc8421354d8c2292fe48f5efc51

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
182KB

MD5
8f7c44e937ecc243d05eab5bb218440b

SHA1
57cd89be48efe4cad975044315916cf5060bc096

SHA256
bc3cdd57a892ce1841787061e23e526ad46575460cd66c1dc6dcf0f811563d59

SHA512
9f0020b81d1945fea12efe1a0a5e59caae4a01432429e065e35c73b15db873253094b2ff1f8903a348446dfc9c9fb658f8bfed8c25bc56e8b546c16304a385a3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
70cc35c7fb88d650902e7a5611219931

SHA1
85a28c8f49e36583a2fa9969e616ec85da1345b8

SHA256
7eca199201273f0bcff1e26778cb535e69c74a69064e7759ff8dad86954d42b1

SHA512
3906ddb96b4b1b68b8c2acc940a62c856e8c3415a1b459f17cf2afc09e05751e0086f8e4e5e0ddd8e45cfb61f811bbe4dd96198db68072b45b6379c88d9ea055

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
215KB

MD5
714c34fe6098b45a3303c611c4323eae

SHA1
9dc52906814314cad35d3408427c28801b816203

SHA256
fbf495968c4a385ff0790e6b65d26610ef917a2b36a5387eff7ae79d7a980ac5

SHA512
68a65496275a1511b2d3bd98ac5592cb1c1eb9df0448471a8985cb2f458c66163e6d55545940de72dea80118ff8ec7ba0ad3276f51095f55c1243fb9f3311345

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
262KB

MD5
c8b26176e536e1bce918ae8b1af951a2

SHA1
7d31be0c3398d3bad91d2b7c9bc410f4e45f37be

SHA256
be6ab7dd506e44a0a9eb0dd531929bd8aa0796d85a0353e6944bc6bf1630b717

SHA512
5a362cbabebbffbb0797646576b65e2934a3b0a30306d74078ef2448fea3940df14f0b8f149691a100cc170bd548c9b420dcc8aa41eb1ea0700c9f155626c565

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
40cd707dd3011a9845ff9c42256ea7e3

SHA1
4045ae709979f75b1cf32142c1137b4be2ab9908

SHA256
9f4c7072716e0be1be08207a7024a5e41162e288e677d805be8e5469a8bd4909

SHA512
bf1ada8a0d9c3d9f39fb739d05fc4a61f0a7e0e1bb5eb44e6f0f5f58381ee6d80aad89dbc3211b70a6294fc69d5820c70fa8488ef2f793a3710ecff5ee90422e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_af.dll

Filesize
29KB

MD5
e91e279752e741b25cf473338d5aac88

SHA1
2b8ea61868a26408cd1dd351cca5139a046bbb7b

SHA256
5635ecedd84330f070a9d6f4cea8b8b81e9dad8592d336ebfd236b7d67e58acc

SHA512
7404cdb82309351a21415b045fc7165137492aa262d00fd0f74bad4262ce10e86c3bde1718c38757b7133e41d044035e731c52cccea285d659c4a570776ae535

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
bd175cb3dfc1d43944223bd5d7177539

SHA1
193623dc372937f31a545344d340360665b8d69a

SHA256
bf0d65cebe0c29f15a616a0dda2f1a414e3f96fe7a28ff7876e811855be6621b

SHA512
f5742352852837ce16f3cf1655e4d41e301f0351b68c7346457978aa310b95b69b1070741fc2ab8be5ff449f6fd44660df3b15811630efc1420ced1455fcaf5f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
42015aafd53012b9c8afa009ee501fa0

SHA1
c1fc049feab4fb4b87faf96c31b3d1160f1c1d39

SHA256
86858a1807e6cf0b91565ed7a5a15db24720b0a7f60ae41e67dbf9faeb6ef2fa

SHA512
9ce323da000b51480ee35973872fc7d181e1f69e820ac737c62c36eaa81eb99965bae39fdd394459adfaf8f746f5dc3b768015e01d8724e2d0718f5286c29389

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_as.dll

Filesize
29KB

MD5
8a54873d54a41442b62f9fea9492d3a6

SHA1
fb19af151b15f4bdb7a555924f1835b0337ff1d7

SHA256
af9bdd050b27b8883f72e3596179fe244a6a2e3545950c82889aac7198cf3c32

SHA512
7cc0a578586853afd027264c3898cb1460b23a47eab9c79e064b9f327fbdee6e3f9bc7043a5a76a710ada05edae4ac0b47529be3ae67ca9b5afaaa16151797c7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
e47db9afb646fb31cc8650837f487134

SHA1
f304204c908ea1fe2bcaf76040d5d1f13f1e99e0

SHA256
4e03ed7a538793fdcd4c646c62ddd278c46911099e6485bb2644a17ad3a8ecf6

SHA512
b2b01c86c78ec3450635c0fdef9666ce302600956e8def3bb02d205ba2a11b3d422520a64361c6f666998bd82b5557ec96cbcaba9e1b712c756e75128c8f9bc0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
5887cd452245dc7bd0389a0ad5db98e0

SHA1
6486d0ae59ba338e8bce87b438f86691e955840d

SHA256
922a102cae4e74bfc0b402bbb136116eddc71a8adcf7f1268d48006c858d1d60

SHA512
0720aaebca04e84d8af2d7b153b0fc51e5651cf664051b8c4b44159ed4c6328eb237ba4f4c97bebedbb1a45ca5c1d0f249cdccac76c6d5619e0e761d12aaaba1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
6aab6d42c7b7a90523a3272ad3916096

SHA1
cc638bd6ec6478734b243de2daa4a80f03f37564

SHA256
67180722f255985e849ec3ab313dcdc0bf2834bad7b6163a0b14587fdf4b4c66

SHA512
ebc17e0ef86b8e5bb938040ad78b299e33d1228c730666526aab27e464626b71ea900cb6dbe074bda5e42e77cd569b083637e233d757b8b0bdee2df2e0c509f2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
abc20df0545611a835dcd895d2832cca

SHA1
39e90363156c461e5aef64a714ba43cc61617ee5

SHA256
75d8c2e259b4d113c0967615af61e8f54eafb49c498767291627faae9fcf504b

SHA512
732f31d175f08c5c69b9cf540e2b0e72b8986b44d1ebfdf0e56eb56b68bea64e6446932a546f1fc30dbbbad4ccaf6bc935177a6348c5280ef786d6d8dfa7b325

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_bs.dll

Filesize
29KB

MD5
327e92c7a55ec996ce09dfcf8c89e753

SHA1
2a51c99519257ddebf0d8280d46e0c0fd416e7a5

SHA256
2b61608a7aca43b7ea4374b79acc6e15deb382eef0fa8751c8e57e03e061cab0

SHA512
ac3ca0f66b899759f0d23ba64ff291486edb1e1d3bb626ad3efe3e3a6fd2aa4081411546e4849ff1645dcd26161f35defbd8442278e6d6f66311780c60474296

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
30KB

MD5
e0d2675c6de1b8d4e5e463246529a304

SHA1
132dace535b9cdc7a4e5f6137407d5becb23c4c6

SHA256
4af082aa0193b9b15622eba1f6165d0b6032b4dab17ba16a8a9affb267ebec34

SHA512
afafc1ca5abc636066ee98a6c68356d68f506fe3734a4b3e68073eed1f2ddc51840464e91d3cd3b28648fcc26b9457ef6484100f9543739220ad75a9eecb1e90

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
bfac1c3869df5375aedb24458cf321b7

SHA1
848232c155c7dca65f6cb22d27a72f2c78e964d8

SHA256
a9f5cf25b9512e1d30ecb769a5eeb694888b72b7f05b78c417814802c5aedbd7

SHA512
732270e8e8036f8ec59c214ca3804c6c67420bcf5fd633347c764f90b06b25fd73a0c7aa75ec42461ae3d3570fbfec5c5a7eee10e8d494b805b7c7e0d4aa227e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUE46F.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
cfb71031c56d9e8b9490d01fbe86302c

SHA1
9e11ecf5efc88e0beee1db46620bebc73f86dd21

SHA256
b18e14d0e24546193822b83996c5b311500ca213beb4d497cbd1dda9dac9db2f

SHA512
9cf993ea53673e416eead78d45a6d700b74001b69b1b987d479e77348ea8dc151f4ba6d6b1220db21ce792f9da51b9c83f33663621f9350b848a766ceae92370

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
381KB

MD5
3446f03673431abca7f33f94b2cc0595

SHA1
d702fe77590d365410adb2d1580288da9341cda6

SHA256
1acf948225eb41a0f748a455473bf2648c4a2662ad88a5fc40a3ae5040e26f41

SHA512
3ee5aa5749ccfd5aa1388f410593286633728d70d5c1ef2fac22fe6875fa1c0dd7cab1af3607f0139e58556d6d258b123754a611c147f1e703551d6d80b64c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7281074781.exe

Filesize
68KB

MD5
674ef5ff59091fe0c6b97660a118df3f

SHA1
cfa1b9f7389d24b097c30cb6d08628a2b2c3a4e4

SHA256
458737d49b9ef981e035cbdee6dbe81b143a9134b628af901b59caf2fbb82054

SHA512
5f16f074d649e2ab35a1980660ff65a47b202f2e35ae24286fe4b23a538c6eac947cbcc3eadeab010d3094b510b389cbaf3c8241c09e7f418af20528fb4dde12

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
122KB

MD5
29da9b022c16da461392795951ce32d9

SHA1
0e514a8f88395b50e797d481cbbed2b4ae490c19

SHA256
3b4012343ef7a266db0b077bbb239833779192840d1e2c43dfcbc48ffd4c5372

SHA512
5c7d83823f1922734625cf69a481928a5c47b6a3bceb7f24c9197175665b2e06bd1cfd745c55d1c5fe1572f2d8da2a1dcc1c1f5de0903477bb927aca22ecb26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem

Filesize
287KB

MD5
52a8319281308de49ccef4850a7245bc

SHA1
43d20d833b084454311ca9b00dd7595c527ce3bb

SHA256
807897254f383a27f45e44f49656f378abab2141ede43a4ad3c2420a597dd23f

SHA512
2764222c0cd8c862906ac0e3e51f201e748822fe9ce9b1008f3367fdd7f0db7cc12bf86e319511157af087dd2093c42e2d84232fae023d35ee1e425e7c43382d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZoraraB.exe

Filesize
6.4MB

MD5
884c97680495567e6bca7be899567062

SHA1
7e7026f24fb04ae6830391e1c9ac702df4213199

SHA256
f518d247cc80f0b26dc462c3d31fe5533701429310386c9f1f27ec7eb54afe97

SHA512
ce5b9775ff85905563a3bbefa307ec8de7c02b38fedb09a8c68f428f67df75b7228a16a178637d0b87372096c96ca70fefeeb4ba74f85f641ce5f240973fa3d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\ZoraraB.exe

Filesize
7.8MB

MD5
a5dd2c9b93007d30e8f0df8e81d2d5c8

SHA1
3910e827e31ca413b4842d7643e0cca2a973dbcb

SHA256
b6c23eb719766ee1df6b2438b90751a24c105dc67fa3168f4b97c131c528b7f6

SHA512
9f62ccb3c308f401e9d5fd4c767694a1240902d31e8bd048298133ee28bf034ed76e79b4872a109b448b201f593041afd702881e3a6d67e94ebca31360a16c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\_bz2.pyd

Filesize
83KB

MD5
6c7565c1efffe44cb0616f5b34faa628

SHA1
88dd24807da6b6918945201c74467ca75e155b99

SHA256
fe63361f6c439c6aa26fd795af3fd805ff5b60b3b14f9b8c60c50a8f3449060a

SHA512
822445c52bb71c884461230bb163ec5dee0ad2c46d42d01cf012447f2c158865653f86a933b52afdf583043b3bf8ba7011cc782f14197220d0325e409aa16e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\_hashlib.pyd

Filesize
63KB

MD5
f377a418addeeb02f223f45f6f168fe6

SHA1
5d8d42dec5d08111e020614600bbf45091c06c0b

SHA256
9551431425e9680660c6baf7b67a262040fd2efceb241e4c9430560c3c1fafac

SHA512
6f60bfac34ed55ff5d6ae10c6ec5511906c983e0650e5d47dac7b8a97a2e0739266cae009449cced8dff59037e2dbfc92065fbbdfde2636d13679e1629650280

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\_lzma.pyd

Filesize
157KB

MD5
b5355dd319fb3c122bb7bf4598ad7570

SHA1
d7688576eceadc584388a179eed3155716c26ef5

SHA256
b9bc7f1d8aa8498cb8b5dc75bb0dbb6e721b48953a3f295870938b27267fb5f5

SHA512
0e228aa84b37b4ba587f6d498cef85aa1ffec470a5c683101a23d13955a8110e1c0c614d3e74fb0aa2a181b852bceeec0461546d0de8bcbd3c58cf9dc0fb26f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\_queue.pyd

Filesize
27KB

MD5
4ab2ceb88276eba7e41628387eacb41e

SHA1
58f7963ba11e1d3942414ef6dab3300a33c8a2bd

SHA256
d82ab111224c54bab3eefdcfeb3ba406d74d2884518c5a2e9174e5c6101bd839

SHA512
b0d131e356ce35e603acf0168e540c89f600ba2ab2099ccf212e0b295c609702ac4a7b0a7dbc79f46eda50e7ea2cf09917832345dd8562d916d118aba2fa3888

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\_socket.pyd

Filesize
77KB

MD5
f5dd9c5922a362321978c197d3713046

SHA1
4fbc2d3e15f8bb21ecc1bf492f451475204426cd

SHA256
4494992665305fc9401ed327398ee40064fe26342fe44df11d89d2ac1cc6f626

SHA512
ce818113bb87c6e38fa85156548c6f207aaab01db311a6d8c63c6d900d607d7beff73e64d717f08388ece4b88bf8b95b71911109082cf4b0c0a9b0663b9a8e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\_ssl.pyd

Filesize
149KB

MD5
ef4755195cc9b2ff134ea61acde20637

SHA1
d5ba42c97488da1910cf3f83a52f7971385642c2

SHA256
8a86957b3496c8b679fcf22c287006108bfe0bb0aaffea17121c761a0744b470

SHA512
63ad2601fb629e74cf60d980cec292b6e8349615996651b7c7f68991cdae5f89b28c11adb77720d7dbbd7700e55fdd5330a84b4a146386cf0c0418a8d61a8a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\charset_normalizer\md.pyd

Filesize
10KB

MD5
54d9fd50b71389328e8ff2febeab7f69

SHA1
643843de84a606a980885c2963ac9c67fe97d64b

SHA256
727848d24afd36d977e64faa6276ea083d3878be20fc8fdef478265d0a3c823c

SHA512
eba585de1d1a098b0d80804bda26521765ea448325aa02dc09e209b1672ce585ccb62677d7ef44b701cd0c8e927fd69a5e3570a8ae389a898d31980e93fea295

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\charset_normalizer\md__mypyc.pyd

Filesize
119KB

MD5
4c07ba11446bbf057b064a72fe51312f

SHA1
9e872576bc36f2927275eeddf45fe508658c76ba

SHA256
a1638240d494b519e5c54ab93df98cd85649db752be6dd04774389e8f88ea88a

SHA512
3ce29c06c796ec00714b6f71777dc2d80ebc7e1b08672b71275b35b1a04631ee6615800414cae0860c7361de5c1745210022feb8c0de0f7695bd1a09683bc636

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\libcrypto-1_1.dll

Filesize
3.2MB

MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\libssl-1_1.dll

Filesize
673KB

MD5
bc778f33480148efa5d62b2ec85aaa7d

SHA1
b1ec87cbd8bc4398c6ebb26549961c8aab53d855

SHA256
9d4cf1c03629f92662fc8d7e3f1094a7fc93cb41634994464b853df8036af843

SHA512
80c1dd9d0179e6cc5f33eb62d05576a350af78b5170bfdf2ecda16f1d8c3c2d0e991a5534a113361ae62079fb165fff2344efd1b43031f1a7bfda696552ee173

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\python39.dll

Filesize
4.3MB

MD5
11c051f93c922d6b6b4829772f27a5be

SHA1
42fbdf3403a4bc3d46d348ca37a9f835e073d440

SHA256
0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

SHA512
1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\select.pyd

Filesize
26KB

MD5
7a442bbcc4b7aa02c762321f39487ba9

SHA1
0fcb5bbdd0c3d3c5943e557cc2a5b43e20655b83

SHA256
1dd7bba480e65802657c31e6d20b1346d11bca2192575b45eb9760a4feb468ad

SHA512
3433c46c7603ae0a73aa9a863b2aecd810f8c0cc6c2cd96c71ef6bde64c275e0fceb4ea138e46a5c9bf72f66dcdea3e9551cf2103188a1e98a92d8140879b34c

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\unicodedata.pyd

Filesize
1.1MB

MD5
8320c54418d77eba5d4553a5d6ec27f9

SHA1
e5123cf166229aebb076b469459856a56fb16d7f

SHA256
7e719ba47919b668acc62008079c586133966ed8b39fec18e312a773cb89edae

SHA512
b9e6cdcb37d26ff9c573381bda30fa4cf1730361025cd502b67288c55744962bdd0a99790cedd4a48feef3139e3903265ab112ec545cb1154eaa2a91201f6b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\vcruntime140.dll

Filesize
99KB

MD5
8697c106593e93c11adc34faa483c4a0

SHA1
cd080c51a97aa288ce6394d6c029c06ccb783790

SHA256
ff43e813785ee948a937b642b03050bb4b1c6a5e23049646b891a66f65d4c833

SHA512
724bbed7ce6f7506e5d0b43399fb3861dda6457a2ad2fafe734f8921c9a4393b480cdd8a435dbdbd188b90236cb98583d5d005e24fa80b5a0622a6322e6f3987

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1232_133870980610030307\zstandard\backend_c.pyd

Filesize
508KB

MD5
2dcee3aed139b2fe36beaac7ef702fd7

SHA1
3900be074b35868c20b02a1a73bb3ca23bc8a993

SHA256
c14dbedc05695c70c75e98368fb01ed898131d104e1e4c006d5a57e1294177e6

SHA512
8b8e063901a0335149e93e8af484c47be101cf1f914e5d24766243c20740d6eda6853160f5c304faab2c207652ee9627e0a9615350e02ac6b86448f5239280f9

Download Submit
memory/2964-324-0x0000000075210000-0x0000000075436000-memory.dmp

Filesize
2.1MB

Download
memory/2964-637-0x0000000075210000-0x0000000075436000-memory.dmp

Filesize
2.1MB

Download
memory/2964-323-0x0000000000D20000-0x0000000000D55000-memory.dmp

Filesize
212KB

Download
memory/3984-24-0x0000000000160000-0x000000000017F000-memory.dmp

Filesize
124KB

Download
memory/4048-1-0x0000000000020000-0x0000000000674000-memory.dmp

Filesize
6.3MB

Download
memory/4048-0-0x00007FFAD6723000-0x00007FFAD6725000-memory.dmp

Filesize
8KB

Download
memory/4048-5-0x00007FFAD6720000-0x00007FFAD71E1000-memory.dmp

Filesize
10.8MB

Download
memory/4048-23-0x00007FFAD6720000-0x00007FFAD71E1000-memory.dmp

Filesize
10.8MB

Download
memory/4408-139-0x000001C8214F0000-0x000001C8214F1000-memory.dmp

Filesize
4KB

Download
memory/4408-125-0x000001C8214F0000-0x000001C8214F1000-memory.dmp

Filesize
4KB

Download
memory/4408-95-0x000001C8214F0000-0x000001C8214F1000-memory.dmp

Filesize
4KB

Download