hxxps://github[.]com/ShadowWhisperer/Remove-MS-Edge/blob/main/Remove-Edge[.]exe?raw=true

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\SOFTWARE\MICROSOFT\ACTIVE SETUP\INSTALLED COMPONENTS\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
11	1444	chrome.exe

Possible privilege escalation attempt 4 IoCs

exploit

pid	Process
5284	takeown.exe
1968	icacls.exe
5132	takeown.exe
5240	icacls.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1062200478-553497403-3857448183-1000\Control Panel\International\Geo\Nation	setup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 4 IoCs

pid	Process
1632	Remove-Edge.exe
1768	Remove-Edge.exe
6000	setup.exe
4476	setup.exe

Loads dropped DLL 6 IoCs

pid	Process
1768	Remove-Edge.exe
1768	Remove-Edge.exe
1768	Remove-Edge.exe
1768	Remove-Edge.exe
1768	Remove-Edge.exe
1768	Remove-Edge.exe

Modifies file permissions 1 TTPs 4 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5284	takeown.exe
1968	icacls.exe
5132	takeown.exe
5240	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
11	raw.githubusercontent.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\pris	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
748	sc.exe
5172	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3892	powershell.exe
1784	powershell.exe
5356	powershell.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000700000002427f-40.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remove-Edge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remove-Edge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
228	timeout.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1260	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133880853554784828"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "127"	LogonUI.exe

Modifies registry class 56 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open\command	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{C9C2B807-7731-4F34-81B7-44FF7779522B}\PROXYSTUBCLSID32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\WIN32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\DEFAULTICON	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INTERFACE\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TYPELIB	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TYPELIB\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\WIN64	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\APPLICATION	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open\command	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\APPLICATION	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\DEFAULTICON	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEPDF\SHELL\RUNAS\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LOCALSERVER32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MSEDGEHTM\SHELL\RUNAS\COMMAND	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1	setup.exe

Modifies registry key 1 TTPs 5 IoCs

Modify Registry

pid	Process
3180	reg.exe
5020	reg.exe
5252	reg.exe
2240	reg.exe
1356	reg.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
5984	chrome.exe
5984	chrome.exe
6000	setup.exe
6000	setup.exe
6000	setup.exe
6000	setup.exe
6000	setup.exe
6000	setup.exe
6100	powershell.exe
6100	powershell.exe
6100	powershell.exe
5356	powershell.exe
5356	powershell.exe
5356	powershell.exe
3892	powershell.exe
3892	powershell.exe
3892	powershell.exe
1784	powershell.exe
1784	powershell.exe
1784	powershell.exe
5984	chrome.exe
5984	chrome.exe
1156	chrome.exe
1156	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeManageVolumePrivilege	2580	svchost.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeDebugPrivilege	6100	powershell.exe
Token: SeBackupPrivilege	6000	setup.exe
Token: SeRestorePrivilege	6000	setup.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeDebugPrivilege	5356	powershell.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeTakeOwnershipPrivilege	5284	takeown.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeTakeOwnershipPrivilege	5132	takeown.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeDebugPrivilege	1260	taskkill.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe
Token: SeShutdownPrivilege	5984	chrome.exe
Token: SeCreatePagefilePrivilege	5984	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe
5984	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5584	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5984 wrote to memory of 3640	5984	chrome.exe	86
PID 5984 wrote to memory of 3640	5984	chrome.exe	86
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1444	5984	chrome.exe	88
PID 5984 wrote to memory of 1444	5984	chrome.exe	88
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 1476	5984	chrome.exe	87
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89
PID 5984 wrote to memory of 552	5984	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/ShadowWhisperer/Remove-MS-Edge/blob/main/Remove-Edge.exe?raw=true
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa9777dcf8,0x7ffa9777dd04,0x7ffa9777dd10
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2148,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1548,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:1444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2352,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4396,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4432 /prefetch:2
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5556,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5404,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:4532
- C:\Users\Admin\Downloads\Remove-Edge.exe
  "C:\Users\Admin\Downloads\Remove-Edge.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1632
- - C:\Users\Admin\Downloads\Remove-Edge.exe
    "C:\Users\Admin\Downloads\Remove-Edge.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1768
  - - C:\Users\Admin\AppData\Local\Temp\_MEI16322\setup.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI16322\setup.exe --uninstall --system-level --force-uninstall
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Checks computer location settings
      Executes dropped EXE
      Installs/modifies Browser Helper Object
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6000
    - - C:\Users\Admin\AppData\Local\Temp\_MEI16322\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\_MEI16322\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\_MEI16322\setup.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x128,0x224,0x22c,0xa0,0x230,0x7ff745a6eb10,0x7ff745a6eb20,0x7ff745a6eb30
        5⤵
        Executes dropped EXE
        
        PID:4476
    - - C:\Windows\system32\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6000" "1744" "1596" "1748" "0" "0" "0" "0" "0" "0" "0" "0"
        5⤵
        Checks processor information in registry
        Enumerates system info in registry
        
        PID:2456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c timeout /t 2 >nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:872
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 2
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:228
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6100
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -Command "Get-AppxPackage -AllUsers | Where-Object {$_.PackageFullName -like \"*microsoftedge*\"} | Select-Object -ExpandProperty PackageFullName"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5356
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe 2>$null"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.19041.1266.0_neutral__8wekyb3d8bbwe -AllUsers 2>$null"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1784
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:3976
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /query /fo csv
      4⤵
      System Location Discovery: System Language Discovery
      PID:3488
  - - C:\Windows\SysWOW64\sc.exe
      sc delete edgeupdate
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:748
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\edgeupdate /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:5252
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\edgeupdatem /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:2240
  - - C:\Windows\SysWOW64\sc.exe
      sc delete edgeupdatem
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:5172
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\edgeupdate /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1356
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKLM\SYSTEM\CurrentControlSet\Services\edgeupdatem /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:3180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /r /d y && icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /grant administrators:F /t && rd /s /q "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe""
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      PID:5472
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5284
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /grant administrators:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y && icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t && rd /s /q "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe""
      4⤵
      System Location Discovery: System Language Discovery
      PID:5128
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5132
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5240
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:5020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /IM MicrosoftEdgeUpdate.exe /F
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\Program Files (x86)\Microsoft\Edge""
      4⤵
      System Location Discovery: System Language Discovery
      PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\Program Files (x86)\Microsoft\EdgeCore""
      4⤵
      System Location Discovery: System Language Discovery
      PID:4628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\Program Files (x86)\Microsoft\EdgeUpdate""
      4⤵
      System Location Discovery: System Language Discovery
      PID:5796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\Program Files (x86)\Microsoft\Temp""
      4⤵
      System Location Discovery: System Language Discovery
      PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5788,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5808,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  PID:5640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5992,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6068 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=6096,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=6200,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4460,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=6400,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3360,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3660,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=6108,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=732 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=6452,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=6496,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=6464,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=3868,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6720 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6864,i,7756931522881231128,15064725402895090395,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6896 /prefetch:8
  2⤵
  PID:4192

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4216

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe
1⤵
PID:5496

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x384 0x49c
1⤵
PID:3932

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3883055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Modify Registry

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

System Information Discovery