47bc15b221a193ce995f1cee01ec44948d28480cbca32a9e66bd3bbf9dc79e5d

Resubmissions

30-12-2022 00:20

221230-am6t1see59 8

29-12-2022 23:59

221229-31shrsee28 8

29-12-2022 21:37

221229-1gmgashe3w 8

29-12-2022 18:49

221229-xgm62sha6w 8

Analysis

max time kernel
1621s
max time network
1624s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2022 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bol_setup.exe
Size

1.3MB
MD5

8303cfa6502fd0c42eff4133bc1938e4
SHA1

6cdbd45bb72b1524113bba8e613b21682b4af497
SHA256

47bc15b221a193ce995f1cee01ec44948d28480cbca32a9e66bd3bbf9dc79e5d
SHA512

a4c58e5e50a4ba5427267e54cd3a30df9c0d20db71c8b194e0d96827c27d0e7910e0bafefb231d9bf760910507a67812faa79ad4a359846bf8da8ab37e58bf2e
SSDEEP

24576:2CQjv/3EH3aLXerTO6uP7UJc9GA5bYUkDXZIxfqdPxw0pZHgbfeOqP:5aB6iJlxkzCJqdPxJwf+

Score

8^/10

adware bootkit discovery persistence stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 42 IoCs

pid	Process
760	LauncherAssistant.exe
5096	GameClient.exe
2896	GameBrowser.exe
544	GameBrowser.exe
3640	GameBrowser.exe
1080	GameBrowser.exe
3896	GameBrowser.exe
4304	GameBrowser.exe
3840	GameBrowser.exe
1736	GameBrowser.exe
2060	GameBrowser.exe
4656	msedgerecovery.exe
2868	MicrosoftEdgeUpdateSetup.exe
5640	MicrosoftEdgeUpdate.exe
4900	MicrosoftEdgeUpdate.exe
3752	MicrosoftEdgeUpdate.exe
5420	MicrosoftEdgeUpdateComRegisterShell64.exe
1836	MicrosoftEdgeUpdateComRegisterShell64.exe
3064	MicrosoftEdgeUpdateComRegisterShell64.exe
3892	MicrosoftEdgeUpdate.exe
5328	MicrosoftEdgeUpdate.exe
4836	MicrosoftEdgeUpdate.exe
3444	MicrosoftEdgeUpdate.exe
3152	MicrosoftEdgeUpdateSetup_X86_1.3.171.37.exe
4212	MicrosoftEdgeUpdate.exe
5780	MicrosoftEdgeUpdate.exe
5652	MicrosoftEdgeUpdate.exe
476	MicrosoftEdgeUpdate.exe
4292	MicrosoftEdgeUpdateComRegisterShell64.exe
5412	MicrosoftEdgeUpdateComRegisterShell64.exe
4596	MicrosoftEdgeUpdateComRegisterShell64.exe
2052	MicrosoftEdgeUpdate.exe
5860	MicrosoftEdgeUpdate.exe
6124	MicrosoftEdgeUpdate.exe
4496	MicrosoftEdge_X64_108.0.1462.54.exe
5620	setup.exe
3128	MicrosoftEdgeUpdate.exe
4848	MicrosoftEdgeUpdate.exe
5896	MicrosoftEdge_X64_108.0.1462.54.exe
5752	setup.exe
1440	setup.exe
5908	MicrosoftEdgeUpdate.exe

Modifies Installed Components in the registry 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\108.0.1462.54\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD327221-7139-4D2E-8B0B-018B525DFEFF}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\108.0.1462.54\\PdfPreview\\PdfPreviewHandler.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD327221-7139-4D2E-8B0B-018B525DFEFF}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\108.0.1462.54\\notification_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD327221-7139-4D2E-8B0B-018B525DFEFF}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\108.0.1462.54\\notification_helper.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD327221-7139-4D2E-8B0B-018B525DFEFF}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\108.0.1462.54\\BHO\\ie_to_edge_bho_64.dll"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD327221-7139-4D2E-8B0B-018B525DFEFF}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD327221-7139-4D2E-8B0B-018B525DFEFF}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD327221-7139-4D2E-8B0B-018B525DFEFF}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DD327221-7139-4D2E-8B0B-018B525DFEFF}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.37\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/380-132-0x0000000000400000-0x0000000000698000-memory.dmp	upx
behavioral1/memory/380-136-0x0000000000400000-0x0000000000698000-memory.dmp	upx
behavioral1/memory/380-204-0x0000000000400000-0x0000000000698000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	bol_setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	GameBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	GameBrowser.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	GameBrowser.exe

Loads dropped DLL 64 IoCs

pid	Process
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
2896	GameBrowser.exe
2896	GameBrowser.exe
544	GameBrowser.exe
544	GameBrowser.exe
544	GameBrowser.exe
544	GameBrowser.exe
544	GameBrowser.exe
3640	GameBrowser.exe
3640	GameBrowser.exe
1080	GameBrowser.exe
1080	GameBrowser.exe
3896	GameBrowser.exe
3896	GameBrowser.exe
4304	GameBrowser.exe
4304	GameBrowser.exe
3840	GameBrowser.exe
3840	GameBrowser.exe
3840	GameBrowser.exe
3840	GameBrowser.exe
3840	GameBrowser.exe
1736	GameBrowser.exe
1736	GameBrowser.exe
2060	GameBrowser.exe
2060	GameBrowser.exe
5640	MicrosoftEdgeUpdate.exe
4900	MicrosoftEdgeUpdate.exe
3752	MicrosoftEdgeUpdate.exe
5420	MicrosoftEdgeUpdateComRegisterShell64.exe
3752	MicrosoftEdgeUpdate.exe
1836	MicrosoftEdgeUpdateComRegisterShell64.exe
3752	MicrosoftEdgeUpdate.exe
3064	MicrosoftEdgeUpdateComRegisterShell64.exe
3752	MicrosoftEdgeUpdate.exe
3892	MicrosoftEdgeUpdate.exe
5328	MicrosoftEdgeUpdate.exe
4836	MicrosoftEdgeUpdate.exe
4836	MicrosoftEdgeUpdate.exe
5328	MicrosoftEdgeUpdate.exe
3444	MicrosoftEdgeUpdate.exe
4212	MicrosoftEdgeUpdate.exe
5780	MicrosoftEdgeUpdate.exe
5652	MicrosoftEdgeUpdate.exe
476	MicrosoftEdgeUpdate.exe
4292	MicrosoftEdgeUpdateComRegisterShell64.exe
476	MicrosoftEdgeUpdate.exe
5412	MicrosoftEdgeUpdateComRegisterShell64.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	GameClient.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BetOnline\commonTG\gui\profiles\images\bitmap_info.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\BOL\data\images\game\Move_table_red.png	bol_setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\108.0.1462.54\Locales\lo.pak	setup.exe
File created	C:\Program Files (x86)\BetOnline\BOL\data\images\cards\back\preview_selector\CARDS_BACK_GREEN.png	bol_setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\108.0.1462.54\Trust Protection Lists\Mu\Analytics	setup.exe
File created	C:\Program Files (x86)\BetOnline\GameBrowser64\locales\it.pak	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\_theme_Move\gui\profiles\images\Move_bb_main_chip_stack.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\gui\profiles\images\button_open_file.png	bol_setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\108.0.1462.54\Locales\es.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\108.0.1462.54\oneds.dll	setup.exe
File created	C:\Program Files (x86)\BetOnline\_mods\Game\TopButtonsPanel\Move\gui\profiles\images\Move_button_top_panel_right.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\BOL\gui\profiles\images\bb_form.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\BOL\gui\profiles\images\button_tlobby.png	bol_setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\108.0.1462.54\Locales\mk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\108.0.1462.54\vk_swiftshader_icd.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\108.0.1462.54\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files (x86)\BetOnline\icons\19c-1895ff6d3f634.png	GameClient.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\108.0.1462.54\VisualElements\SmallLogoCanary.png	setup.exe
File created	C:\Program Files (x86)\BetOnline\_mods\Game\RaiseValueAndGameButtonsPanel\Edge\gui\profiles\images\Move_icon_button_wl_info_size1.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\gui\TournamentInfoDlg.gui.dso	bol_setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU271F.tmp\msedgeupdateres_ne.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.37.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\108.0.1462.54\EBWebView\x64\EmbeddedBrowserWebView.dll	setup.exe
File created	C:\Program Files (x86)\BetOnline\GameBrowser64\locales\uk.pak	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\_theme_Edge\data\levels\LevelOmahaEdge6.t2d.dso	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\data\images\cards\deck\move\kind_6huge.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\common\gameScripts\cursor.cs.dso	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\data\images\cards\deck\big\preview_selector_round4.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\gui\TableButtonUserColor.gui.dso	bol_setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\108.0.1462.54\Trust Protection Lists\Sigma\Staging	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU18CC.tmp\msedgeupdateres_fa.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\108.0.1462.54\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\data\audio\RandomPrizeSelect.ogg	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\BOL\data\images\cards\back\BOL_black.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\gui\QuickSeatDlg.gui.dso	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\BOL\gui\profiles\images\contest_prize.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\icons\1bc-259a54de79331736c.png	GameClient.exe
File created	C:\Program Files (x86)\BetOnline\common\gui\profiles\ProfilesControl.cs.dso	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\gui\OptionsNewPageOther.gui.dso	bol_setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU18CC.tmp\msedgeupdateres_pt-BR.dll	MicrosoftEdgeUpdateSetup.exe
File created	C:\Program Files (x86)\BetOnline\icons\19c-14d8ea532fe98.png	GameClient.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\108.0.1462.54\libGLESv2.dll	setup.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\gui\profiles\images\icon_maximize_size4.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\data\images\cards\deck\fullcolor_gloss\base_round.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\data\images\cards\deck\fine_beige\preview_table_round.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\BOL\data\images\casino\Super_7_Blackjack.png	bol_setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\108.0.1462.54\Locales\kn.pak	setup.exe
File created	C:\Program Files (x86)\BetOnline\BOL\gui\profiles\images\Edge_icon_options.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\icons\19c-1475bb9ae5a55.png	GameClient.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\108.0.1462.54\Locales\as.pak	setup.exe
File created	C:\Program Files (x86)\BetOnline\_theme_Edge\gui\profiles\ProfilesCheckbox.cs.dso	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\_theme_Move\data\levels\LevelOmahaMove3.t2d.dso	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\data\fonts\LeagueGothic-Regular.otf	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\icons\1a6-1314f7f9813f8b1200.png	GameClient.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\gui\profiles\images\icon_prize_cash.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\GameBrowser64\locales\sv.pak	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\common\gui\images\folder.png	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\data\fonts\Roboto-Medium.ttf	bol_setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\108.0.1462.54\edge_feedback\camera_mf_trace.wprp	setup.exe
File created	C:\Program Files (x86)\BetOnline\icons\19c-477db07c27b3.png	GameClient.exe
File created	C:\Program Files (x86)\BetOnline\commonTG\gui\TablesFilter.gui.dso	bol_setup.exe
File created	C:\Program Files (x86)\BetOnline\BOL\gui\profiles\images\button_dialog_options.png	bol_setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU271F.tmp\msedgeupdateres_zh-TW.dll	MicrosoftEdgeUpdateSetup_X86_1.3.171.37.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\108.0.1462.54\Trust Protection Lists\Mu\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\108.0.1462.54\Trust Protection Lists\Sigma\Analytics	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 16 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	GameClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\MultifunctionAdapter	GameClient.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\MultifunctionAdapter\0	GameClient.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	GameClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0\Identifier	GameClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	GameClient.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\MultifunctionAdapter\0\DiskController	GameClient.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\MultifunctionAdapter\0\DiskController\0	GameClient.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	GameClient.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	GameClient.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\108.0.1462.54\\BHO"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE\GameClient.exe = "0"	GameClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\GameClient.exe = "11000"	GameClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_NINPUT_LEGACYMODE	GameClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	GameClient.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING	GameClient.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\GameClient.exe = "1"	GameClient.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\108.0.1462.54\\BHO"	setup.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{479A50AD-067E-4594-88CE-01A45BDF1CE8}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ = "IGoogleUpdateCore"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32\ = "{DD327221-7139-4D2E-8B0B-018B525DFEFF}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\PROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32\ = "{DD327221-7139-4D2E-8B0B-018B525DFEFF}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ = "IGoogleUpdate3Web"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ = "Update3COMClass"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{DD327221-7139-4D2E-8B0B-018B525DFEFF}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{DD327221-7139-4D2E-8B0B-018B525DFEFF}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.PolicyStatusMachineFallback"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{479A50AD-067E-4594-88CE-01A45BDF1CE8}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ProxyStubClsid32\ = "{DD327221-7139-4D2E-8B0B-018B525DFEFF}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32\ = "{0CCB8559-9E10-4759-AEFD-51815C3677E3}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0CCB8559-9E10-4759-AEFD-51815C3677E3}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.169.31\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService.1.0\CLSID\ = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{DD327221-7139-4D2E-8B0B-018B525DFEFF}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0\ = "Microsoft Edge Update CredentialDialog"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\Application	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\ = "Microsoft Edge Update Process Launcher Class"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ = "ServiceModule"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32\ = "{DD327221-7139-4D2E-8B0B-018B525DFEFF}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback\CurVer\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\ = "IEToEdgeBHO Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ProgID\ = "MicrosoftEdgeUpdate.CredentialDialogMachine.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{479A50AD-067E-4594-88CE-01A45BDF1CE8}\InprocHandler32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\CurVer\ = "MicrosoftEdgeUpdate.ProcessLauncher.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.37\\msedgeupdate.dll,-3000"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}"	setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
380	bol_setup.exe
380	bol_setup.exe
380	bol_setup.exe
380	bol_setup.exe
380	bol_setup.exe
380	bol_setup.exe
380	bol_setup.exe
380	bol_setup.exe
5096	GameClient.exe
5096	GameClient.exe
2896	GameBrowser.exe
2896	GameBrowser.exe
5096	GameClient.exe
5096	GameClient.exe
1564	msedge.exe
1564	msedge.exe
3112	msedge.exe
3112	msedge.exe
5096	GameClient.exe
5096	GameClient.exe
5144	identity_helper.exe
5144	identity_helper.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5640	MicrosoftEdgeUpdate.exe
5640	MicrosoftEdgeUpdate.exe
5640	MicrosoftEdgeUpdate.exe
5640	MicrosoftEdgeUpdate.exe
5640	MicrosoftEdgeUpdate.exe
5640	MicrosoftEdgeUpdate.exe
5328	MicrosoftEdgeUpdate.exe
5328	MicrosoftEdgeUpdate.exe
5328	MicrosoftEdgeUpdate.exe
5328	MicrosoftEdgeUpdate.exe
4836	MicrosoftEdgeUpdate.exe
4836	MicrosoftEdgeUpdate.exe
5780	MicrosoftEdgeUpdate.exe
5780	MicrosoftEdgeUpdate.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5096	GameClient.exe
5860	MicrosoftEdgeUpdate.exe
5860	MicrosoftEdgeUpdate.exe
5860	MicrosoftEdgeUpdate.exe
5860	MicrosoftEdgeUpdate.exe
4492	msedge.exe
4492	msedge.exe
5708	msedge.exe
5708	msedge.exe
1040	identity_helper.exe
1040	identity_helper.exe
5096	GameClient.exe
5096	GameClient.exe
3804	msedge.exe
3804	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5096	GameClient.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	636	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	840	wmic.exe
Token: SeSecurityPrivilege	840	wmic.exe
Token: SeTakeOwnershipPrivilege	840	wmic.exe
Token: SeLoadDriverPrivilege	840	wmic.exe
Token: SeSystemProfilePrivilege	840	wmic.exe
Token: SeSystemtimePrivilege	840	wmic.exe
Token: SeProfSingleProcessPrivilege	840	wmic.exe
Token: SeIncBasePriorityPrivilege	840	wmic.exe
Token: SeCreatePagefilePrivilege	840	wmic.exe
Token: SeBackupPrivilege	840	wmic.exe
Token: SeRestorePrivilege	840	wmic.exe
Token: SeShutdownPrivilege	840	wmic.exe
Token: SeDebugPrivilege	840	wmic.exe
Token: SeSystemEnvironmentPrivilege	840	wmic.exe
Token: SeRemoteShutdownPrivilege	840	wmic.exe
Token: SeUndockPrivilege	840	wmic.exe
Token: SeManageVolumePrivilege	840	wmic.exe
Token: 33	840	wmic.exe
Token: 34	840	wmic.exe
Token: 35	840	wmic.exe
Token: 36	840	wmic.exe
Token: SeIncreaseQuotaPrivilege	840	wmic.exe
Token: SeSecurityPrivilege	840	wmic.exe
Token: SeTakeOwnershipPrivilege	840	wmic.exe
Token: SeLoadDriverPrivilege	840	wmic.exe
Token: SeSystemProfilePrivilege	840	wmic.exe
Token: SeSystemtimePrivilege	840	wmic.exe
Token: SeProfSingleProcessPrivilege	840	wmic.exe
Token: SeIncBasePriorityPrivilege	840	wmic.exe
Token: SeCreatePagefilePrivilege	840	wmic.exe
Token: SeBackupPrivilege	840	wmic.exe
Token: SeRestorePrivilege	840	wmic.exe
Token: SeShutdownPrivilege	840	wmic.exe
Token: SeDebugPrivilege	840	wmic.exe
Token: SeSystemEnvironmentPrivilege	840	wmic.exe
Token: SeRemoteShutdownPrivilege	840	wmic.exe
Token: SeUndockPrivilege	840	wmic.exe
Token: SeManageVolumePrivilege	840	wmic.exe
Token: 33	840	wmic.exe
Token: 34	840	wmic.exe
Token: 35	840	wmic.exe
Token: 36	840	wmic.exe
Token: SeShutdownPrivilege	2896	GameBrowser.exe
Token: SeCreatePagefilePrivilege	2896	GameBrowser.exe
Token: SeIncreaseQuotaPrivilege	2688	wmic.exe
Token: SeSecurityPrivilege	2688	wmic.exe
Token: SeTakeOwnershipPrivilege	2688	wmic.exe
Token: SeLoadDriverPrivilege	2688	wmic.exe
Token: SeSystemProfilePrivilege	2688	wmic.exe
Token: SeSystemtimePrivilege	2688	wmic.exe
Token: SeProfSingleProcessPrivilege	2688	wmic.exe
Token: SeIncBasePriorityPrivilege	2688	wmic.exe
Token: SeCreatePagefilePrivilege	2688	wmic.exe
Token: SeBackupPrivilege	2688	wmic.exe
Token: SeRestorePrivilege	2688	wmic.exe
Token: SeShutdownPrivilege	2688	wmic.exe
Token: SeDebugPrivilege	2688	wmic.exe
Token: SeSystemEnvironmentPrivilege	2688	wmic.exe
Token: SeRemoteShutdownPrivilege	2688	wmic.exe
Token: SeUndockPrivilege	2688	wmic.exe
Token: SeManageVolumePrivilege	2688	wmic.exe
Token: 33	2688	wmic.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
380	bol_setup.exe
5096	GameClient.exe
2896	GameBrowser.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
3112	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
760	LauncherAssistant.exe
5096	GameClient.exe
5096	GameClient.exe
1960	SystemSettingsAdminFlows.exe
4232	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 380 wrote to memory of 760	380	bol_setup.exe	83
PID 380 wrote to memory of 760	380	bol_setup.exe	83
PID 380 wrote to memory of 760	380	bol_setup.exe	83
PID 380 wrote to memory of 5096	380	bol_setup.exe	96
PID 380 wrote to memory of 5096	380	bol_setup.exe	96
PID 380 wrote to memory of 5096	380	bol_setup.exe	96
PID 5096 wrote to memory of 2896	5096	GameClient.exe	98
PID 5096 wrote to memory of 2896	5096	GameClient.exe	98
PID 5096 wrote to memory of 840	5096	GameClient.exe	99
PID 5096 wrote to memory of 840	5096	GameClient.exe	99
PID 5096 wrote to memory of 840	5096	GameClient.exe	99
PID 2896 wrote to memory of 544	2896	GameBrowser.exe	102
PID 2896 wrote to memory of 544	2896	GameBrowser.exe	102
PID 2896 wrote to memory of 3640	2896	GameBrowser.exe	103
PID 2896 wrote to memory of 3640	2896	GameBrowser.exe	103
PID 2896 wrote to memory of 1080	2896	GameBrowser.exe	104
PID 2896 wrote to memory of 1080	2896	GameBrowser.exe	104
PID 2896 wrote to memory of 3896	2896	GameBrowser.exe	105
PID 2896 wrote to memory of 3896	2896	GameBrowser.exe	105
PID 2896 wrote to memory of 4304	2896	GameBrowser.exe	106
PID 2896 wrote to memory of 4304	2896	GameBrowser.exe	106
PID 5096 wrote to memory of 2688	5096	GameClient.exe	108
PID 5096 wrote to memory of 2688	5096	GameClient.exe	108
PID 5096 wrote to memory of 2688	5096	GameClient.exe	108
PID 2896 wrote to memory of 3840	2896	GameBrowser.exe	110
PID 2896 wrote to memory of 3840	2896	GameBrowser.exe	110
PID 2896 wrote to memory of 1736	2896	GameBrowser.exe	111
PID 2896 wrote to memory of 1736	2896	GameBrowser.exe	111
PID 2896 wrote to memory of 2060	2896	GameBrowser.exe	124
PID 2896 wrote to memory of 2060	2896	GameBrowser.exe	124
PID 5096 wrote to memory of 3112	5096	GameClient.exe	137
PID 5096 wrote to memory of 3112	5096	GameClient.exe	137
PID 3112 wrote to memory of 4348	3112	msedge.exe	138
PID 3112 wrote to memory of 4348	3112	msedge.exe	138
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139
PID 3112 wrote to memory of 544	3112	msedge.exe	139

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

C:\Users\Admin\AppData\Local\Temp\bol_setup.exe
"C:\Users\Admin\AppData\Local\Temp\bol_setup.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\AppData\Local\Temp\LauncherAssistant.exe
  "C:\Users\Admin\AppData\Local\Temp\LauncherAssistant.exe" 720954
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:760
- C:\Program Files (x86)\BetOnline\GameClient.exe
  "C:\Program Files (x86)\BetOnline\GameClient.exe" -server https://poker.betonline.ag -appID "AppID_BetOnline_1685449045"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe
    "C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe" --main_proc=true --hwndgc=393656 --pipename=cg_browser_1672353587 --lop="C:\Program Files (x86)\BetOnline\logs\20221229_223850.5096\\br.log" --appid="AppID_BetOnline_1685449045" --ln="BetOnline" --lp="C:\Program Files (x86)\BetOnline\Launcher.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe
      "C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\LocalLow\GB\UDCache" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --log-file="C:\Program Files (x86)\BetOnline\logs\20221229_223850.5096\\br.log" --mojo-platform-channel-handle=1556 --field-trial-handle=1732,i,3545778450291200709,14823588726009945466,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:544
  - - C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe
      "C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\LocalLow\GB\UDCache" --log-file="C:\Program Files (x86)\BetOnline\logs\20221229_223850.5096\\br.log" --mojo-platform-channel-handle=2028 --field-trial-handle=1732,i,3545778450291200709,14823588726009945466,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3640
  - - C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe
      "C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\LocalLow\GB\UDCache" --log-file="C:\Program Files (x86)\BetOnline\logs\20221229_223850.5096\\br.log" --mojo-platform-channel-handle=2068 --field-trial-handle=1732,i,3545778450291200709,14823588726009945466,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1080
  - - C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe
      "C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\LocalLow\GB\UDCache" --first-renderer-process --no-sandbox --log-file="C:\Program Files (x86)\BetOnline\logs\20221229_223850.5096\\br.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --mojo-platform-channel-handle=2352 --field-trial-handle=1732,i,3545778450291200709,14823588726009945466,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      PID:3896
  - - C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe
      "C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\LocalLow\GB\UDCache" --no-sandbox --log-file="C:\Program Files (x86)\BetOnline\logs\20221229_223850.5096\\br.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --mojo-platform-channel-handle=2368 --field-trial-handle=1732,i,3545778450291200709,14823588726009945466,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:1
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      PID:4304
  - - C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe
      "C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\LocalLow\GB\UDCache" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --log-file="C:\Program Files (x86)\BetOnline\logs\20221229_223850.5096\\br.log" --mojo-platform-channel-handle=2020 --field-trial-handle=1732,i,3545778450291200709,14823588726009945466,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3840
  - - C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe
      "C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe" --type=gpu-process --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\LocalLow\GB\UDCache" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --log-file="C:\Program Files (x86)\BetOnline\logs\20221229_223850.5096\\br.log" --mojo-platform-channel-handle=1572 --field-trial-handle=1732,i,3545778450291200709,14823588726009945466,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1736
  - - C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe
      "C:\Program Files (x86)\BetOnline\GameBrowser64\GameBrowser.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --no-sandbox --lang=en-US --user-data-dir="C:\Users\Admin\AppData\LocalLow\GB\UDCache" --log-file="C:\Program Files (x86)\BetOnline\logs\20221229_223850.5096\\br.log" --mojo-platform-channel-handle=3116 --field-trial-handle=1732,i,3545778450291200709,14823588726009945466,131072 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,WinUseBrowserSpellChecker /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2060
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic computersystem get Manufacturer
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:840
- - C:\Windows\SysWOW64\Wbem\wmic.exe
    wmic computersystem get Model
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://poker.betonline.ag/client-redirect?LANG=en&client=win32&faceId=bol&sid=27e0e13439c74276-a657ac45c1414f2b&to=profile
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9ac9146f8,0x7ff9ac914708,0x7ff9ac914718
      4⤵
      PID:4348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
      4⤵
      PID:544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2044 /prefetch:8
      4⤵
      PID:2300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      PID:1792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
      4⤵
      PID:4548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4588 /prefetch:8
      4⤵
      PID:1356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
      4⤵
      PID:2688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
      4⤵
      PID:3032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
      4⤵
      PID:2836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
      4⤵
      PID:4560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
      4⤵
      PID:3836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
      4⤵
      PID:1560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
      4⤵
      PID:3244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
      4⤵
      PID:4644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
      4⤵
      PID:3988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6656 /prefetch:8
      4⤵
      PID:3556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:8
      4⤵
      PID:3836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
      4⤵
      PID:5208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
      4⤵
      PID:5228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      PID:5260
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff7f9125460,0x7ff7f9125470,0x7ff7f9125480
        5⤵
        
        PID:5384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
      4⤵
      PID:5620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
      4⤵
      PID:5640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
      4⤵
      PID:5656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
      4⤵
      PID:5784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
      4⤵
      PID:5936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
      4⤵
      PID:6024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
      4⤵
      PID:5956
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
      4⤵
      PID:6044
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1440 /prefetch:8
      4⤵
      PID:5160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3124 /prefetch:8
      4⤵
      PID:2056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5068 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5904 /prefetch:8
      4⤵
      PID:5648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4624 /prefetch:8
      4⤵
      PID:4560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8
      4⤵
      PID:5784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1316 /prefetch:8
      4⤵
      PID:2492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4788 /prefetch:8
      4⤵
      PID:5192
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1
      4⤵
      PID:3496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
      4⤵
      PID:5752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
      4⤵
      PID:5872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
      4⤵
      PID:4640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
      4⤵
      PID:3428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
      4⤵
      PID:5928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
      4⤵
      PID:1856
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6968 /prefetch:8
      4⤵
      PID:5440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6776 /prefetch:8
      4⤵
      PID:5168
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
      4⤵
      PID:3892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
      4⤵
      PID:4764
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
      4⤵
      PID:2228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
      4⤵
      PID:4624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
      4⤵
      PID:3912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1440 /prefetch:1
      4⤵
      PID:3128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
      4⤵
      PID:5180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
      4⤵
      PID:5612
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
      4⤵
      PID:2516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2568 /prefetch:1
      4⤵
      PID:2120
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
      4⤵
      PID:1932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1400 /prefetch:1
      4⤵
      PID:4084
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
      4⤵
      PID:2628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
      4⤵
      PID:1860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2568 /prefetch:1
      4⤵
      PID:5272
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
      4⤵
      PID:5988
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
      4⤵
      PID:5768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
      4⤵
      PID:2268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
      4⤵
      PID:6048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
      4⤵
      PID:5776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
      4⤵
      PID:2240
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7116 /prefetch:1
      4⤵
      PID:1104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
      4⤵
      PID:3812
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
      4⤵
      PID:4900
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
      4⤵
      PID:4488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7244 /prefetch:1
      4⤵
      PID:5936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
      4⤵
      PID:5552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
      4⤵
      PID:5784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
      4⤵
      PID:868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1812 /prefetch:1
      4⤵
      PID:5132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
      4⤵
      PID:5656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
      4⤵
      PID:4364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
      4⤵
      PID:6052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
      4⤵
      PID:888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
      4⤵
      PID:3032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:1
      4⤵
      PID:6132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
      4⤵
      PID:5668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
      4⤵
      PID:5248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
      4⤵
      PID:1100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,17165078738504895030,15385849870307100365,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
      4⤵
      PID:4644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://poker.betonline.ag/client-redirect?LANG=en&client=win32&faceId=bol&sid=27e0e13439c74276-a657ac45c1414f2b&to=deposit
    3⤵
    - Adds Run key to start application
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:5708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9aa6b46f8,0x7ff9aa6b4708,0x7ff9aa6b4718
      4⤵
      PID:3348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
      4⤵
      PID:2640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
      4⤵
      PID:4072
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
      4⤵
      PID:3160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
      4⤵
      PID:5296
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
      4⤵
      PID:1004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
      4⤵
      PID:1872
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
      4⤵
      PID:4104
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
      4⤵
      PID:2648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
      4⤵
      PID:2228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6012 /prefetch:8
      4⤵
      PID:4320
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6372 /prefetch:8
      4⤵
      PID:3444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6372 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
      4⤵
      PID:3604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
      4⤵
      PID:4908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
      4⤵
      PID:5656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
      4⤵
      PID:2584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
      4⤵
      PID:3852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
      4⤵
      PID:4836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
      4⤵
      PID:5588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5856 /prefetch:1
      4⤵
      PID:836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
      4⤵
      PID:3880
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
      4⤵
      PID:3256
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1836 /prefetch:1
      4⤵
      PID:5584
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
      4⤵
      PID:4008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4680 /prefetch:1
      4⤵
      PID:1300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
      4⤵
      PID:5948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
      4⤵
      PID:1144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
      4⤵
      PID:5800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6708 /prefetch:8
      4⤵
      PID:1884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5936 /prefetch:8
      4⤵
      PID:3064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
      4⤵
      PID:3588
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
      4⤵
      PID:3356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
      4⤵
      PID:2252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6856 /prefetch:8
      4⤵
      PID:3868
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4136 /prefetch:8
      4⤵
      PID:1944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7512 /prefetch:8
      4⤵
      PID:3648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7616 /prefetch:8
      4⤵
      PID:5188
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7676 /prefetch:8
      4⤵
      PID:5028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7716 /prefetch:8
      4⤵
      PID:3860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7812 /prefetch:1
      4⤵
      PID:4004
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8464 /prefetch:1
      4⤵
      PID:2488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
      4⤵
      PID:2000
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
      4⤵
      PID:4500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,15074052263937459798,714734786623200341,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8188 /prefetch:1
      4⤵
      PID:620

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f8 0x3f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:5044

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 1
1⤵
PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s tzautoupdate
1⤵
PID:544

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 0
1⤵
PID:4612

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetInternetTime 0
1⤵
PID:4560

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetNTPSync
1⤵
PID:5012

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 1
1⤵
PID:544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s tzautoupdate
1⤵
PID:3604

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 0
1⤵
PID:3340

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
1⤵
- Suspicious use of SetWindowsHookEx
PID:1960

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 1
1⤵
PID:5004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s tzautoupdate
1⤵
PID:2120

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetInternetTime 1
1⤵
PID:4604

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetTimeZoneAutoUpdate 0
1⤵
PID:5032

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" SetDateTime
1⤵
- Suspicious use of SetWindowsHookEx
PID:4232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
PID:1060
- C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir1060_822993701\msedgerecovery.exe
  "C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir1060_822993701\msedgerecovery.exe" --appguid={56EB18F8-B008-4CBD-B6D2-8C97FE7E9062} --browser-version=92.0.902.67 --sessionid={25906445-e3a6-414e-af5e-7532c76583d2} --system
  2⤵
  - Executes dropped EXE
  PID:4656
- - C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir1060_822993701\MicrosoftEdgeUpdateSetup.exe
    "C:\Program Files (x86)\Microsoft\Edge\MSEdgeRecovery\scoped_dir1060_822993701\MicrosoftEdgeUpdateSetup.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:2868
  - - C:\Program Files (x86)\Microsoft\Temp\EU18CC.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EU18CC.tmp\MicrosoftEdgeUpdate.exe" /install "runtime=true&needsadmin=true" /installsource chromerecovery /silent
      4⤵
      Executes dropped EXE
      Sets file execution options in registry
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:5640
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4900
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3752
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:5420
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:1836
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.169.31\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:3064
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjkuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzFCQzc4NzYtNjY5MS00RDVFLUIwQkYtOUYzMDNBMDFCNjJBfSIgdXNlcmlkPSJ7MkMwODc2M0EtQjI1Mi00MDI0LUI0RTUtMUU5Mzc5MURFREEyfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezhFQTU1OTIxLTJBMzYtNERCNS04QTE5LUMzMjQ0RjE3Qjg1M30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7bTQ2SzVLNXoxdnZrTkxIcjRjMXgvaENqZTdaUUxkcUt5WjVOd2d6VjNBOD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE2OS4zMSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTAzNDgyNTE1MzEiIGluc3RhbGxfdGltZV9tcz0iNjU3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3892
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /machine /installsource chromerecovery
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5328

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4836
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjkuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEU2MEFCNzQtNTRENC00RTMxLTk0ODYtOEVFQjExNDEzMThBfSIgdXNlcmlkPSJ7MkMwODc2M0EtQjI1Mi00MDI0LUI0RTUtMUU5Mzc5MURFREEyfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezJBRjFDMjc3LUZGMDgtNDI4Ny05QzNCLTBEMUM2MTFEN0UxRX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cVdKU3pXd1BmZGNMUitYR0l2NnhyWmZpWU94aFBVMnMxTldtaldjYUZQZz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iODkuMC40Mzg5LjExNCIgbmV4dHZlcnNpb249Ijg5LjAuNDM4OS4xMTQiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSI1IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDkyNzg1MzQzNiIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3444
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{269E1AFF-92F2-4B1D-B101-ADDA44D5BC1A}\MicrosoftEdgeUpdateSetup_X86_1.3.171.37.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{269E1AFF-92F2-4B1D-B101-ADDA44D5BC1A}\MicrosoftEdgeUpdateSetup_X86_1.3.171.37.exe" /update /sessionid "{4E60AB74-54D4-4E31-9486-8EEB1141318A}"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3152
- - C:\Program Files (x86)\Microsoft\Temp\EU271F.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU271F.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{4E60AB74-54D4-4E31-9486-8EEB1141318A}"
    3⤵
    - Executes dropped EXE
    - Sets file execution options in registry
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:5780
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:5652
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:476
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.37\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.37\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:4292
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.37\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.37\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Loads dropped DLL
        Modifies registry class
        
        PID:5412
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.37\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.37\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Registers COM server for autorun
        Modifies registry class
        
        PID:4596
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzciIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEU2MEFCNzQtNTRENC00RTMxLTk0ODYtOEVFQjExNDEzMThBfSIgdXNlcmlkPSJ7MkMwODc2M0EtQjI1Mi00MDI0LUI0RTUtMUU5Mzc5MURFREEyfSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7NTUzNEJBREItOERGMC00QzU2LUI3NUYtNTU2RDQ4MjlCOTIzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IkRBRFkiIHByb2R1Y3RfbmFtZT0iU3RhbmRhcmQgUEMgKFEzNSArIElDSDksIDIwMDkpIi8-PGV4cCBldGFnPSImcXVvdDtxV0pTeld3UGZkY0xSK1hHSXY2eHJaZmlZT3hoUFUyczFOV21qV2NhRlBnPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTY5LjMxIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zNyIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjaHJvbWVyZWMzPTIwMjI1MlIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRldGltZT0iMTY3MjM1MDUwMyI-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTEwNTkwODA3ODEiLz48L2FwcD48L3JlcXVlc3Q-
      4⤵
      Executes dropped EXE
      PID:2052
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNjkuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NEU2MEFCNzQtNTRENC00RTMxLTk0ODYtOEVFQjExNDEzMThBfSIgdXNlcmlkPSJ7MkMwODc2M0EtQjI1Mi00MDI0LUI0RTUtMUU5Mzc5MURFREEyfSIgaW5zdGFsbHNvdXJjZT0iY2hyb21lcmVjb3ZlcnkiIHJlcXVlc3RpZD0iezdGNDYwNUE2LTA5RUEtNDlFMy04MkU0LUE5M0JGODFEMUMyOX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSIyIiBwaHlzbWVtb3J5PSI0IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE2OS4zMSIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzciIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iUHJvZHVjdHNUb1JlZ2lzdGVyPSU3QkYzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNSU3RDtjaHJvbWVyZWMzPTIwMjI1MlIiIGluc3RhbGxhZ2U9IjAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwOTM1MjYzNDA4IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEwOTM1MzEzMzg4IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTAxOTg0MzM3OSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iZG8iIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzU3YmQ0YjNiLWZkMDItNGUyNy04NWRkLTVhOGU2YzQwN2I2Nj9QMT0xNjcyOTU1Mzk3JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVRFNzJrSzZoclklMmZKSExvdHpXWkY5bnJmbDElMmY2c1pKd1RKY2JZN3V0OEozUURxJTJiZ2dkRCUyYlkwbENBNmNxbFNTenoyUmo0eXlaalNMdm40d0F5WTlMNXclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIwIiB0b3RhbD0iMCIgZG93bmxvYWRfdGltZV9tcz0iMyIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMTAxOTg2MzM5NyIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNTdiZDRiM2ItZmQwMi00ZTI3LTg1ZGQtNWE4ZTZjNDA3YjY2P1AxPTE2NzI5NTUzOTcmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9VEU3MmtLNmhyWSUyZkpITG90eldaRjlucmZsMSUyZjZzWkp3VEpjYlk3dXQ4SjNRRHElMmJnZ2REJTJiWTBsQ0E2Y3FsU1N6ejJSajR5eVpqU0x2bjR3QXlZOUw1dyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE2MDYxMDQiIHRvdGFsPSIxNjA2MTA0IiBkb3dubG9hZF90aW1lX21zPSI4MzI1Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMDE5OTAzNDY3IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjExMDI1MTEzNDkwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PHBpbmcgcj0iMTM4IiByZD0iNTcwMyIgcGluZ19mcmVzaG5lc3M9InswMEUxMzZDRS1DQjNBLTQyQzQtOTk1Ny05MTEzQTQ2QkFCM0Z9Ii8-PC9hcHA-PGFwcCBhcHBpZD0iezU2RUIxOEY4LUIwMDgtNENCRC1CNkQyLThDOTdGRTdFOTA2Mn0iIHZlcnNpb249IjkyLjAuOTAyLjY3IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzE2ODIzODA3NTI3NDU1MCI-PHVwZGF0ZWNoZWNrLz48cGluZyBhY3RpdmU9IjEiIGE9Ii0xIiByPSIxMzgiIGFkPSItMSIgcmQ9IjU3MDMiIHBpbmdfZnJlc2huZXNzPSJ7N0MzOUQ1MEMtOTdEQi00NTI1LUJBMTItM0UxMkE2MzU4NUIxfSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4212

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5860

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:6124
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{999009CF-3DAE-475D-904B-97E86159EB73}\MicrosoftEdge_X64_108.0.1462.54.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{999009CF-3DAE-475D-904B-97E86159EB73}\MicrosoftEdge_X64_108.0.1462.54.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:4496
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{999009CF-3DAE-475D-904B-97E86159EB73}\EDGEMITMP_E3A22.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{999009CF-3DAE-475D-904B-97E86159EB73}\EDGEMITMP_E3A22.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{999009CF-3DAE-475D-904B-97E86159EB73}\MicrosoftEdge_X64_108.0.1462.54.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    PID:5620
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzciIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUQxNjI4NzAtQ0Y2QS00NkZFLUEzMTUtRkM1RkI1NDFBNkZDfSIgdXNlcmlkPSJ7MkMwODc2M0EtQjI1Mi00MDI0LUI0RTUtMUU5Mzc5MURFREEyfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InswRDNENkNBMy1DMkFFLTQ5MzctQjM0QS0zRUMxOEM3RDExNTB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEwOC4wLjE0NjIuNTQiIGxhbmc9IiIgYnJhbmQ9IkVVRkkiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNDA2MTMzNzg4MyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE0MDYxNDQ4MDc3IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE0NzI1MTg3MTM4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMTQ2ZDM1NDAtNzE0Yi00NDEzLTkwZTEtMTQyMGQwMTg4NGU0P1AxPTE2NzI5NTU3MDkmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9amlURGRXdWNFJTJmVFF2VmIxdnRhNGo5VmF0ajY2RjV6Zm5DTlE3U1ZZU2RBJTJmcFdCa3B2RWlpNkl5cThHTWZ5NkVFem5YSlJsNTg2b0dHOTVpS2YyMWRnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMCIgdG90YWw9IjAiIGRvd25sb2FkX3RpbWVfbXM9IjE0Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTQ3MjUyMTcyNTgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzE0NmQzNTQwLTcxNGItNDQxMy05MGUxLTE0MjBkMDE4ODRlND9QMT0xNjcyOTU1NzA5JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWppVERkV3VjRSUyZlRRdlZiMXZ0YTRqOVZhdGo2NkY1emZuQ05RN1NWWVNkQSUyZnBXQmtwdkVpaTZJeXE4R01meTZFRXpuWEpSbDU4Nm9HRzk1aUtmMjFkZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjEzODQwNjM2MCIgdG90YWw9IjEzODQwNjM2MCIgZG93bmxvYWRfdGltZV9tcz0iNTkyNDgiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNDcyNTMxNzE2MSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE0NzQwMjcxMzg4IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NjA4IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNTMzOTg5NzEzNCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjExMzUiIGRvd25sb2FkX3RpbWVfbXM9IjY2MzYyIiBkb3dubG9hZGVkPSIxMzg0MDYzNjAiIHRvdGFsPSIxMzg0MDYzNjAiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjU5OTU5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  PID:3128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1712

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4848
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1743A76A-D486-4F64-9F70-B2810E115D16}\MicrosoftEdge_X64_108.0.1462.54.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1743A76A-D486-4F64-9F70-B2810E115D16}\MicrosoftEdge_X64_108.0.1462.54.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Executes dropped EXE
  PID:5896
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1743A76A-D486-4F64-9F70-B2810E115D16}\EDGEMITMP_934D1.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1743A76A-D486-4F64-9F70-B2810E115D16}\EDGEMITMP_934D1.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1743A76A-D486-4F64-9F70-B2810E115D16}\MicrosoftEdge_X64_108.0.1462.54.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    3⤵
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Registers COM server for autorun
    - Adds Run key to start application
    - Installs/modifies Browser Helper Object
    - Drops file in Program Files directory
    - Modifies Internet Explorer settings
    - Modifies registry class
    - System policy modification
    PID:5752
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1743A76A-D486-4F64-9F70-B2810E115D16}\EDGEMITMP_934D1.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1743A76A-D486-4F64-9F70-B2810E115D16}\EDGEMITMP_934D1.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1440
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzciIHNoZWxsX3ZlcnNpb249IjEuMy4xNjkuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTg5RUI1RDUtQzVDRi00NTA5LUFCREEtOERFM0Q5MUI5NjYzfSIgdXNlcmlkPSJ7MkMwODc2M0EtQjI1Mi00MDI0LUI0RTUtMUU5Mzc5MURFREEyfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntEQTE3RTI2My0yODk1LTQ0MkMtOUJEQi0xNDRFQ0MzQzg3OTV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iMiIgcGh5c21lbW9yeT0iNCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzEuMzciIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iUHJvZHVjdHNUb1JlZ2lzdGVyPSU3QkYzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNSU3RDtjaHJvbWVyZWMzPTIwMjI1MlIiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuNjIiPjx1cGRhdGVjaGVjay8-PHBpbmcgcmQ9IjU4NDEiIHBpbmdfZnJlc2huZXNzPSJ7QTUxREE2OTItMDVDNy00MERFLUIwNDctMzM1OUU3NUE3QTg5fSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEwOC4wLjE0NjIuNTQiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzMTY4MjQ0OTE2MjQ0NTQwIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjEyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNTk0MTkxMzkwNSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNTk0MjgxNDAwNSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE0IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNTk3ODU0OTU0NyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxNTk5MzQ0ODM1MSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjYwOCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTYzMDY3MzI0MzgiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSIxNjU0IiBkb3dubG9hZGVkPSIxMzg0MDYzNjAiIHRvdGFsPSIxMzg0MDYzNjAiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIyIiBpbnN0YWxsX3RpbWVfbXM9IjMxMzI1Ii8-PHBpbmcgYWN0aXZlPSIxIiBhZD0iNTg0MSIgcmQ9IjU4NDEiIHBpbmdfZnJlc2huZXNzPSJ7OTUwNEQwQkEtQzAxNi00QjJELUJCQUEtNTAzNUVBNEMzQjI3fSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMDguMC4xNDYyLjU0IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJFVUZJIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjU4MzgiIGNvaG9ydD0icnJmQDAuODAiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iLTEiIHJkPSItMSIgcGluZ19mcmVzaG5lc3M9Ins0ODBBQjYwNy1BNzEwLTRFODItOUZCQS1EOEZCM0Q3Mjk4Q0N9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  PID:5908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Browser Extensions

T1176

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\BetOnline\BOL\data\fonts\font.cs.dso

Filesize
353B

MD5
08a56dbd6a9689f71b79b99bb8b82d19

SHA1
9bf8c63ed1670ca3a4a8a80a679bc933dabed0b2

SHA256
eba28428cbc4629df99b0b083b7fafa6b5d3e8d47b5bcad4fbabfe3ac19ae48f

SHA512
3eb81ab691f5a961ef592e9e7df5c49ab456c9abfaf1ca60cf31aade7a4478337c4e575889f2b1fe2422b6a40c3d4ed072b259d8c5bdf0e5770a9ac5e4bb3a0c

Download Submit
C:\Program Files (x86)\BetOnline\BOL\preferences\defaultPrefs.cs.dso

Filesize
3KB

MD5
5855e9267fb2133bfd5ae5a2c6f8d0d4

SHA1
49497f440c3577e1c6ee8fc587ed53c81f651176

SHA256
72af2f9f7d64ed6ef153d60afba1b871c447d6d871cf6d23785154b183b4b073

SHA512
4087f4b153d2336ce79536255caebf6fc9f433d14df96f29a26a901664d477e6f629c8943d23b358795e1489b37bc172c2e4e54e7c5a41c4c4aec8cfe2dab60b

Download Submit
C:\Program Files (x86)\BetOnline\GameClient.exe

Filesize
9.5MB

MD5
41a3467812a117ec8bc4c8f4fc86bbd9

SHA1
3b7547b5db84a4494d864ab8d65dc8f39210beb1

SHA256
d7e531cfe379dd5795b7fdcc5afa52233dd6c63b84c6e262b63c5bfc37f0c7a5

SHA512
ef3a2fc355232655f3a60c3dc38e36ce358747636cdd1c105babfbf0019b881aea1edc6905b5464d2bea287cd513fb8f797b2741c0de70ec51cb263f933a0aa4

Download Submit
C:\Program Files (x86)\BetOnline\GameClient.exe

Filesize
9.5MB

MD5
41a3467812a117ec8bc4c8f4fc86bbd9

SHA1
3b7547b5db84a4494d864ab8d65dc8f39210beb1

SHA256
d7e531cfe379dd5795b7fdcc5afa52233dd6c63b84c6e262b63c5bfc37f0c7a5

SHA512
ef3a2fc355232655f3a60c3dc38e36ce358747636cdd1c105babfbf0019b881aea1edc6905b5464d2bea287cd513fb8f797b2741c0de70ec51cb263f933a0aa4

Download Submit
C:\Program Files (x86)\BetOnline\MSVCP140.dll

Filesize
436KB

MD5
addc83e063ddc88422a4fe7aade7cfcd

SHA1
3c31040526cb13adbb849e30c1a85d86cf7298f0

SHA256
557d76338488e28c7761dfe5ee4fa722f65f0c945563002e86de09c95f02b2aa

SHA512
05e379bfe23887107fd7f3ca52dbcc453624c48d35c4ce43a110ea3e360fecf284f77628ed240ceee940e7bf5e2c87c054fb8b19046c79cfe5559246e4b0e68d

Download Submit
C:\Program Files (x86)\BetOnline\OpenAL32.dll

Filesize
108KB

MD5
ce0cdc5459eaa1d574af781ddb8f2685

SHA1
709f3ea879ee83ca8b61dba5a2e497919bb8a4da

SHA256
26ba695d73fdf78ff133ab9c0e12300c26076441627a25ffba80c8b8aedb10ec

SHA512
8ccff5c8f02580116d539f63e8b849b57447d83d8b1eb7c91c4ad34761ca4c058dbbe57fd8e114f9eb7f463915b6c089c854f4d89800381f91a8f4088a6a3687

Download Submit
C:\Program Files (x86)\BetOnline\OpenAL32.dll

Filesize
108KB

MD5
ce0cdc5459eaa1d574af781ddb8f2685

SHA1
709f3ea879ee83ca8b61dba5a2e497919bb8a4da

SHA256
26ba695d73fdf78ff133ab9c0e12300c26076441627a25ffba80c8b8aedb10ec

SHA512
8ccff5c8f02580116d539f63e8b849b57447d83d8b1eb7c91c4ad34761ca4c058dbbe57fd8e114f9eb7f463915b6c089c854f4d89800381f91a8f4088a6a3687

Download Submit
C:\Program Files (x86)\BetOnline\VCRUNTIME140.dll

Filesize
88KB

MD5
a0df29af5f6135b735dee359c0871ecf

SHA1
f7ebb9a9fd00e1ac95537158fae1167b06f490bd

SHA256
35afadbacc9a30341c1a5ee2117e69583e5044cea0bfab636dccbdcc281a8786

SHA512
fdc7a62d0b187829708ec544de52b4037da613e01a7591a2abc55f95c4719ee04f9c51d31f01edb7161b5edc3cd85004c3a55d375116baa76fb44553df592b3e

Download Submit
C:\Program Files (x86)\BetOnline\_mods\Game\LeftDownInfoPanel\Move\main.cs.dso

Filesize
248B

MD5
8a84d24194e7f9ec0aba9ffe5f741d13

SHA1
75bedd03306b9b9f01b8f5276ea3b7a1d0fbea52

SHA256
22483ded89d8db518633b6c0a1f4ea3d665bd712b3084edd3c0b976dfaa4422e

SHA512
70ebffdae74661e882e8c283902e78ea5a07fd0348d271faa1b8a24feadf5fa52fd199b5268a188d186f60649fd06b352e2f7628dfdcf16886487631049c52cc

Download Submit
C:\Program Files (x86)\BetOnline\_mods\Game\RaiseValueAndGameButtonsPanel\Edge\main.cs.dso

Filesize
193B

MD5
c034ca72cf344166b61f63e878b296c2

SHA1
69e3359dcb7657f201ae801e8631de8bb2227607

SHA256
466c4abb2cbd2d3dc05984bc95820c93eb5483a2a6df0546e5a12d7e63c32584

SHA512
12ec12ec4bce0f3eab0220004ba9ff9595d587af38008ec939949ca2fc1a5dd64c20eab8ac5912833a3330a26c82bb6f699f540bfb5bf7c7a177def5a92191ff

Download Submit
C:\Program Files (x86)\BetOnline\_mods\Game\Seat\Edge\main.cs.dso

Filesize
172B

MD5
849a463a9d268f3ff0a6c18074ec9bf1

SHA1
733b350514b77eb9a81c4c71dc83de566c80afcc

SHA256
e74ee4f5139d0bc72bef09c12548663433737478d2483d8b241a2b36e4d41dac

SHA512
9e5bd54bd2f8f6f94765812831d89e96274d16cf7d8bdab9f3d07c1c6d0b254461f1d41ae0f9d66e35d69ca7a190f54f4d0387dc1d781e0d3087e7fa364b7020

Download Submit
C:\Program Files (x86)\BetOnline\_mods\Game\TInfo\main.cs.dso

Filesize
280B

MD5
7a6cd83a59096a3bcb6402a684671b3a

SHA1
19a35f8c7fa1a2e88fb5a9ba89f99e7fc11cf4da

SHA256
0e7999eec9d7d4030d0412144e83e1944b070806b7d72e50c0911231753dc962

SHA512
386f048804afc5efbe497859f1376e5db7f975b41c5149ef3b484c7274d0d11ae2d33d9fe3d7c89c96df24cf480f41eb31ca485dbbe6179457a3ef3496b98586

Download Submit
C:\Program Files (x86)\BetOnline\_mods\Game\TopButtonsPanel\Move\main.cs.dso

Filesize
183B

MD5
faaa37eabe024bb85edffb663f6c5af9

SHA1
603d7d90a1457630e9e88b6fd540831bc777c991

SHA256
7ffc99617dfb29b33af9e6c9932e9fcc11b9467f0be86d0524d405e8b1c93bc0

SHA512
51123e799bfbc95647f9f5458313a3e51af39c5f1fde536379768ce2967d0ad36a1ed059a539e051781fba0599b6a63125af8786bccc812bb02667d69e16db86

Download Submit
C:\Program Files (x86)\BetOnline\_mods\Lobby\Filters\Chico\main.cs.dso

Filesize
381B

MD5
b9afcaf0be0ac2e3cc26739f7cd73bca

SHA1
c2e8310e1f25352b619f349f31b6e1f93ae5b5fe

SHA256
12582c13ee0fda8d2c638d953ded76d6e5b63dbee8e609655aaca67225dcfff6

SHA512
47e20db713c1b0c3f62344a1cf97bb141dc4c52550ac22de009c4d8a563d9614c12052f7c2ab5301ffa6649b960f1cf6d2f7ebd31d8da062ee48d2df72207f1b

Download Submit
C:\Program Files (x86)\BetOnline\_mods\Networks\Chico\main.cs.dso

Filesize
988B

MD5
1de5912f730dc4d04be888858425adea

SHA1
a0085725acfd746aec8adfe38a86be5a7b61cbf6

SHA256
caa2efb6f74db2e352ad211403b7236dc2125db2064fd62e8a25679c747b3fdb

SHA512
b8eb7b16e35b05f3eb0997bcd522ca0b210bcc60ad811010a2763eb2b2b38065f88b2e6cff94d9b5c923bd88993e341ee353b6094a7e450c74d1f49dc7233a6f

Download Submit
C:\Program Files (x86)\BetOnline\_theme_Edge\main.cs.dso

Filesize
522B

MD5
a169e50146abe38f283294d133c94322

SHA1
11298f1b5a8ee247077a404eb3cc931b8cd33621

SHA256
682ad10196cc75f7f13ec3470d23a7d160efe7360e49c39cdf68dd50cd92fb87

SHA512
572e8c5d9ec4afb7f28275b801be45d97c1d0e47b540dd9ce50148f62e3c613121548ae3e2b3d6fd70013d95d9040a038771c70744bfcde6c232ed2bdcf33be7

Download Submit
C:\Program Files (x86)\BetOnline\_theme_Move\main.cs.dso

Filesize
522B

MD5
294d218ca7ad587ea84e1f0deed60d43

SHA1
3fbbc22a90cac9cb81a7d384a90acbaf053c01d7

SHA256
1835d5705389b3823638c8265f1b0ca54ff44d10fea2979514eb9d22bea31957

SHA512
ee7d42a0dbf94fa1c45877bc9846a8d1ee87ca5bbfe94a847a17ecfe4ea6925497b992788a7b62128f7416b8df25a5e342048ff2b3a5b48414792ddc2a6a189d

Download Submit
C:\Program Files (x86)\BetOnline\commonPoker\main.cs.dso

Filesize
402B

MD5
ec6c7557f75bcb53a27b9dbc9bb5f219

SHA1
b99e08272d9d195a193f52b3f188310d9b998b74

SHA256
5e1393c31aaf88d1fb78f99a748d0f1b3721ab46fd391cd7800d4a34524fdb00

SHA512
fd260c3c69a7aec05f38a10feb3fc84f1959e77b0ebbb4c54439974213028f3ca2ed5ac2259d340cc0f5ee8077830330240c6059b4c61bb389fc004fd7a63b4a

Download Submit
C:\Program Files (x86)\BetOnline\commonTG\main.cs.dso

Filesize
2KB

MD5
c45bd610356ff45642bfa87eb5f61468

SHA1
64a4e99130ef976ce490b30351e9743cef28f9b8

SHA256
53b99e8198e3557e02c0e1f97a44c1ce9a4f9693cc570545ad5f7437ff5cbd1c

SHA512
eed688334ae75f6391bf5be0081ebfd440f32939e564bf0da6b191795e7c4803942f52bfe374b24295a1d4bb3e19951eca6696a8a053d2d96294b91177337352

Download Submit
C:\Program Files (x86)\BetOnline\commonTG\preferences\defaultPrefs.cs.dso

Filesize
23KB

MD5
7ec31aad0a315f24616ef8a8eb553137

SHA1
10c0ecc40f320481f2a3b4fdf2c0cd7ee25a0f90

SHA256
1978a825d076507836fe5383caf970ccbd858c40cba1a37dfccc18ab4b67c3f0

SHA512
2bcb255350e667d8e12ebfdf81b7f918f7c00dd8a58bbd76235bd567484687b499fb211dfb50cbf27c174327e217ea65e85af9812d1ed2cd5f7e8b102435026e

Download Submit
C:\Program Files (x86)\BetOnline\common\gameScripts\audio.cs.dso

Filesize
1KB

MD5
4a13e9b63041ebb864bc858ffff0e8eb

SHA1
aa6961e181059c3934bdd89d1df0071cd70e440d

SHA256
d2724d86633386bc7260e8e31b8859a76b8f3dfebd52e1eccd74debd5bff4ed9

SHA512
a16ef553873de4b54d076576a81df4f01179d527a5427949f2495f00cd20f5edff2d38675ffbe908b16526a05c43ffaa7124eb7cf88793fb8361e9b486a24a59

Download Submit
C:\Program Files (x86)\BetOnline\common\gameScripts\canvas.cs.dso

Filesize
1KB

MD5
180fd80e6d6152fce51396f599a1a174

SHA1
7f3a5fa340e5f661f99b36f53c0b8e1e9b89721a

SHA256
77e57476592f764bf773715a5322a4901b4bae786223f028cd183eb099256e22

SHA512
5754ca25982362de36c01f17506d3c51ee87d06da3419f17bdfc7d96d618e40554555afd1dfca93b31f5d0ec45f7dc2fdae235a9b2aa73191b19c94c600e8950

Download Submit
C:\Program Files (x86)\BetOnline\common\gameScripts\common.cs.dso

Filesize
2KB

MD5
e963d2a50d5bf1b8bebbd23b1bfca373

SHA1
fadede46b33d460159ec4ae51be821ee8fa074f0

SHA256
1e8d497856e934ef71e245eb9b160e8b01907ad97feb3826c2f47af112b4907e

SHA512
bce9e41c423f19ef1bd101c42fb6111fe8c08749dbddacf178f9261174001d06c870b079d2417b1ba01b2479dc4766a778acd6d2dfaecbd56813713897b638c4

Download Submit
C:\Program Files (x86)\BetOnline\common\gameScripts\cursor.cs.dso

Filesize
1KB

MD5
1d0cf2f14b0674cde83e86d083c3a3c8

SHA1
5262bec67d30f143a74300a5edd7e2cff466d629

SHA256
a990d1cf057f7f293234856b0f4a96ce79144f6765d9694e48f34d41dc033e5f

SHA512
1be8fffd79cbf1c62eb65c89febb8f5ad97a01a65f5d4c76cb6f4891012f1a8c35283c5e332265c0f3cc1c3462446d21a72fe16883e2a15db64b70a843f7cffa

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\HelpDlg.gui.dso

Filesize
2KB

MD5
dcacd1356b31f5cc537851a9b15220aa

SHA1
1c59dd6887c24d07af0cac5ba8ea67eca7a90606

SHA256
c5e8d7b728b17f9c356307158fe3e7e5a3df48235293ceead247b68909d5ad22

SHA512
ead03465d4aab5bc7674dbb399915fbd40cb8767f4a472e9e6cb754391e0900a7c39582dcac7b0a35166747c34c1cd69eee841384cb0dabf50e6717c70eb5c6f

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\MessageBoxOKCancelDetailsDlg.gui.dso

Filesize
3KB

MD5
63384a45a4def645c89a4f0629cb2edb

SHA1
f1d6cfb7b8d60918e660113fb05f50a85af4cd1c

SHA256
e107a42d1d19f3a65c1ebfa1eaf109c65f87c49bcacbcb2e8886c2bb885045b6

SHA512
3d4244ffc95e379358b8fdeeb92bcc82b4481befb49b77cc7e8436c4bb9283413ed5423fdc0249b93b415a9e1e4beec34d43e4a828266aa0257299920d7159af

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\Profiles.cs.dso

Filesize
9KB

MD5
f3ce6fffbc4bafaa1f9f832c51dfd958

SHA1
a8d42b1210a396ff445f611d1f4c54f5250b90fa

SHA256
886cbb8a9dcb021c47eb540cbee03bef66b93137e48b55d2542ba4eb9fcbca28

SHA512
7ee9fd207891ef6a2278401d9258bf640d90867f4455bd74ff5da188e530a6724ee2153152e58db40ebb1f9ba07f43be82b9567af550771c40466e2df8828b00

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\console.gui.dso

Filesize
6KB

MD5
dbd49c79071605a78cd95e8b95beac77

SHA1
885abd58725a5281906e5f06f5ca78ee87dc1a73

SHA256
da39cd28c4a54e09fb2d1e3c521ff380c6bbfddf4d58d85eb10b71832078a690

SHA512
69ce795a8b3210256aaf715025838d563648c02f384d8a078930259a8a36b1b83362457daf70006046ec00bded9b3af742824f2e9d75dd2afbcfd73cb3dc251d

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\cursors.cs.dso

Filesize
377B

MD5
f467d8d73104b66821c4d45cd3bd86d3

SHA1
acce5cd77ff6bc0a7ea6cf4dc37fa9d87da4c705

SHA256
b9f47fe0acd017fc83c0d8200516ec33a9980a793cfc7daed988c56fad97f2ed

SHA512
5d077436109fbe5c22dcd67bc90b4967b1740bf892e7563b3c9289d01d063dae312279a2071b832a94be8cd953573d3773499ad4188347ca614105b291f6c843

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\images\checkbox.png

Filesize
1KB

MD5
4bd08337f9e2343a7c59a6dbb78e7267

SHA1
4c81ae91481decdfc0e0337b20f25a9081a9f810

SHA256
ac187ce1dda3d7184bee791317bed9c3c9931a95c2ef3e4e1ce7cb674c75dda6

SHA512
1d92c86f1ba782d6ab1779647266d8ff93d8a33c4bb918b38a01c8e3243e9a1a120b55e9cb23f792881c0715fa5c7422287a076c1f80423009379468e97aa580

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\images\numeric.png

Filesize
165B

MD5
a038b7e515dc6422c08d5baa91fc4dd9

SHA1
81743938db9f2f670c8c515d4dc7fc2cddb7dc5b

SHA256
d1f29146f2489b00646386a6c0b8bacf7cf90ede294ab5f71f0b17a0c197de11

SHA512
c38b124118d89720fbd6630382ed6a926732f9422152ec5b85c7e670a75b1d0d9478291fcf1355bc83f72b267a46517b166fa0730ad6e9ea1e170b8773873852

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\images\scrollbar.png

Filesize
6KB

MD5
e2c28f46921a535e55284ab2885df4fb

SHA1
1a9f101fbe7301f5f043ee666ce2ad61d6d03ee5

SHA256
f3610f74fb5e9c616a2b758bd6b5e6abc8755a5186280cc43d9e7910e61023cd

SHA512
7c69f7abe9a7710d372947cb5c8cbda836cb94ba87423c2b5aa6226c9a964bb0cdc1908eb5b8829f73b3fa6b60299a05eed004e44c30b81af335221772812afb

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\images\slider.png

Filesize
694B

MD5
2026d417ef4f87f4f85bc522265e076f

SHA1
9613fd1be3552e7af950037d5f7cf5efba0b0d68

SHA256
de770788149877b8037a2a5a7a432be228d2c1d4dce22c6a2bdd10b3884b81f5

SHA512
a8a4567d1ffa2d499c83a260f3689d2cb90875d4ae1665f0a10d521f9ff22e438242cc4a72b3111f665ab3f0f5f29922cdb42e288214605a53e1a0e99d9adbbd

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\messageBox.cs.dso

Filesize
4KB

MD5
fdb707bec71a4a089c9550e2d94e49b2

SHA1
4999d5d7662a9da14db168e8204801b8e38dbd55

SHA256
ea3be86b1a740e64a95671130da41f0183a2fa7b622eca5105454b507cf0d270

SHA512
3f53e528869cdac7ee8b0b41de965e1ebc6e816022bea2f5c2c6725dc1d4b1f15270797df41d7ea625d98c7317adaa799a702ad5d2f4837e6538714eba01df94

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\messageBoxOk.gui.dso

Filesize
1KB

MD5
71e42c055038097ba3d2f1f8f66dd5d2

SHA1
4ae4bd46d4b66a60a5ed92684bff08ebab3232d0

SHA256
54af06d377b1ffbbd1ed4cdb511861fe49518e556eacdbc47b431b243c703a75

SHA512
ffbcef343bd6347d3c27df1896527043c86934f3933736814ef7dd88dca8e1f1ab7b43edd8cc29a71af1c998c2cc1ad140ad96d927f0a902439c433ecfd52f63

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\messageBoxOkCancel.gui.dso

Filesize
1KB

MD5
b8305e1527381e63206ea69b35f7f700

SHA1
53f19caf6c5946757c63ef66bb630318f04954bc

SHA256
1a967481387b737dd3f31251fb8d79ab429d817df9a0f008314c488f1d157022

SHA512
a819451770306c08020ba164ac04ec269c2896569a0e45cabd65e520fce1a4ba7ebec9b188e15304d363167f147ed8fde26f84a22a86d38d7852d859a3f90b56

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\messageBoxYesNo.gui.dso

Filesize
1KB

MD5
6b8bbb3b785a19931b371c06560c5801

SHA1
e0cec4639013221b8633b7c088ba55da951d39ef

SHA256
156dfeb095801fab298342ff05c88cd3b45188a18a905d1795821cc7a5692f6d

SHA512
61af176be4e4d38f3e2a2c2d4b0702650a54fc638cabd467ed2795c2c7fe2dad049eb776dcd34119215c2a398dd0e4b10a66611fdd1a6cd63cb8163af6ca8d20

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\messageBoxYesNoCancel.gui.dso

Filesize
2KB

MD5
9a22c0ac5ce3bfd2a2e021145e11d90f

SHA1
29b4ddf0c8f3b88b44fab52d5b6822700dd7c303

SHA256
36665eb0493c9112ca593a724090c60e5551bd87a541dba353abf3b93c0cd86a

SHA512
550f51d07198a3947d3f4f0d65e660dd673c632479b6f582fca702d9b74f9832cd47bfa574c74e7c7cadb829e072f4817bc9f054eb4a3719143d9fbd7a21c457

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\messagePopup.gui.dso

Filesize
1KB

MD5
08ac9a99aa49101c1090713b82b37f90

SHA1
50b67920d8af286524381d3b12b0bfdff7d85f72

SHA256
f429be44b7092b392dd11fb3302ef271462484d42284f68ff8f2820e86fb8102

SHA512
21db0d42ed8c2f756ef603ffbef1fd89b7114da66444cd7e48c7c3f27357d56bdf1ec488954d4506b43b082ec8251fbad521851fc766d5c1f5911dbfda7a8551

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\options.gui.dso

Filesize
8KB

MD5
b2fa17dfcfe09b9d4501e45741186409

SHA1
24989d375f9ea806a37560af0fd6eb2cc8aecb25

SHA256
2ff5e0fdce9fbff06f6ee3baa9dc895846cb20394e39b8d4befcbf9b2b6134d1

SHA512
a962d4b70b856a4b5020f90dd239fc05f7f1723dd8eb958ce59f26ce2014b233c15b4233bb0b4f380453b866b42846139a625b37901ccb73d91466126989f35d

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\profiles\Profiles.cs.dso

Filesize
180B

MD5
94bc0ef602b8630ab9f9ab93c26f9628

SHA1
68267e9fb8fa535370ba12fc74b12f8e36f2bb7f

SHA256
03861afa2c034f93b1bf139bb943d00f697460e08c8d44c5312d356529d9618b

SHA512
3bf3176a29459a4201b331d8dbe5011cbf4124acf517082e5cafcff015294d5c5322b8659905622329c8a9ac93d107c82db33c783cbc4146d196a807829d88e0

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\profiles\ProfilesBitmap.cs.dso

Filesize
521B

MD5
eff50f94cd7e69b4e4d706432cd1789a

SHA1
cff365f6c78e266588a2c632281fd9f9953ae136

SHA256
f4be5fc5c2c2a4c2f6ea59b22b6ad0a53a3eb65371c7631f8666bfc64fa64f3a

SHA512
f6dab16dff4479b3b6fe09e75755e5e319d42072453816a8de9f145e67390a15c5fc3aa46c4c55e45b9d5fbb75568f1f285339adc985044b3adebaed34bb019d

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\profiles\ProfilesControl.cs.dso

Filesize
376B

MD5
bd9eb89063c61a326ce267ceb12b50eb

SHA1
475f382a477538ceb331d599d1d5095070f71d4d

SHA256
6c9d9dde2a2366a0bea99d5bfb4a58aed3fbe78cea40b053c2dc273025c83f63

SHA512
863278e918526f05a9958ede501382296f9be00db7c6b8ce05367333e4e88be5a9f372d4001d14fbd33dc05900aecf7b49f71183a405e2bd4ace6822ae6913dc

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\profiles\ProfilesCountry.cs.dso

Filesize
421B

MD5
a65db30be5381cdcfd93e8690a09e92f

SHA1
20994a1994a0dfbc423d1c204f3f138bf47f5fbd

SHA256
f2c67895b5f48da4f852fac179d84b5d90315e89cea6d4b19d122755acb9926f

SHA512
9bd18cad53be6ee8b589a3561754e937f196f568af64559462a845e45daec4f7c94377d2fae178a42eadebe564eab814c5411a55f0ddfc76e82c170172fc69a2

Download Submit
C:\Program Files (x86)\BetOnline\common\gui\profiles\ProfilesDialog.cs.dso

Filesize
321B

MD5
e20494ecb79a5bf26989976786c6ee17

SHA1
243bddab314f5c589d9001f1bfc37e4c5d8842a7

SHA256
dbb0cba57d6cb043505cf12c97fdb355da047eb1cf4fa1f345e9ede689821cba

SHA512
643299cdad9ff66ec65988889f2ce10081999b3ed08afd8c71dee4c40315a8114568a591edef102aebd638ddc10235e65229eb88f2a2bab0ee1db6c6c8eee0c8

Download Submit
C:\Program Files (x86)\BetOnline\common\main.cs.dso

Filesize
3KB

MD5
3f78bb732ca2ce9387c1403516322be5

SHA1
69e6e1531abfad960f6b1daa4531daac3976a189

SHA256
d1513f55eab7566d6333709451f485d61ad4778666692b4e212a7a11b855b7d7

SHA512
483e4570ce140e99ff3ee21ab87f05e223a7a5aadbd510213f78ec7a33f3afa3070e9a286ee137479a2baee8706dc976210f2ba0198a648dbd285f0443baccb5

Download Submit
C:\Program Files (x86)\BetOnline\common\preferences\defaultPrefs.cs.dso

Filesize
4KB

MD5
0e5dc5deb38bb4fe3274f04727c746fd

SHA1
4e9fe4ff075ecfccc8202eb8016c2e15bbcd4e8e

SHA256
8b5e28516aa34bd27c660c605c6fcfc2357c9e3d1f5699c800f38b90c8681e00

SHA512
da60bc09645a31d1c928a2761d84d4c91b3870cf8377d46f78ee87d9921a7f4d7c2913cb5e6ccc7c4b55d378b0eb38011e7da87153cc0f80b8c717a736c4b3f0

Download Submit
C:\Program Files (x86)\BetOnline\glu2d3d8.dll

Filesize
22KB

MD5
a0ed6ea1b8d8be72d544c82eb09cca5a

SHA1
dd5b8a8a01c28f0fcb2a55be8ee2ea0f80d5c2ce

SHA256
08ca01f4e63f1d6e8ecc9f7227e5041c915c7075b381d69de52f7efe3aeb7851

SHA512
0c43445b6cc137c74ceb32604665e1cff5f5a9cbd212c98ee00dd24ef54d101f1f916301537cecd141aa5356341ea2d77c02d2fe23d5d752f1c67e1ba5d73399

Download Submit
C:\Program Files (x86)\BetOnline\glu2d3d8.dll

Filesize
22KB

MD5
a0ed6ea1b8d8be72d544c82eb09cca5a

SHA1
dd5b8a8a01c28f0fcb2a55be8ee2ea0f80d5c2ce

SHA256
08ca01f4e63f1d6e8ecc9f7227e5041c915c7075b381d69de52f7efe3aeb7851

SHA512
0c43445b6cc137c74ceb32604665e1cff5f5a9cbd212c98ee00dd24ef54d101f1f916301537cecd141aa5356341ea2d77c02d2fe23d5d752f1c67e1ba5d73399

Download Submit
C:\Program Files (x86)\BetOnline\glu2d3d8.dll

Filesize
22KB

MD5
a0ed6ea1b8d8be72d544c82eb09cca5a

SHA1
dd5b8a8a01c28f0fcb2a55be8ee2ea0f80d5c2ce

SHA256
08ca01f4e63f1d6e8ecc9f7227e5041c915c7075b381d69de52f7efe3aeb7851

SHA512
0c43445b6cc137c74ceb32604665e1cff5f5a9cbd212c98ee00dd24ef54d101f1f916301537cecd141aa5356341ea2d77c02d2fe23d5d752f1c67e1ba5d73399

Download Submit
C:\Program Files (x86)\BetOnline\main.cs.dso

Filesize
5KB

MD5
f02dc766d1ce4e813280878ebeca81ff

SHA1
bc3f66a2d5bead8bd20ebb0126b2a338ddb75a94

SHA256
f6f8e0353e7b6fe387c547d6d196498b8446de504274da5cfe3321f016976a29

SHA512
1acf0bd2d8069c8f2f4c65ab1216642bbf9647ef790c96f3c2bfaeef55012468bf1d170bc44dea954d2cd2bc94f238cd1fb1cd1698a833f9a6815633f65186db

Download Submit
C:\Program Files (x86)\BetOnline\msvcp140.dll

Filesize
436KB

MD5
addc83e063ddc88422a4fe7aade7cfcd

SHA1
3c31040526cb13adbb849e30c1a85d86cf7298f0

SHA256
557d76338488e28c7761dfe5ee4fa722f65f0c945563002e86de09c95f02b2aa

SHA512
05e379bfe23887107fd7f3ca52dbcc453624c48d35c4ce43a110ea3e360fecf284f77628ed240ceee940e7bf5e2c87c054fb8b19046c79cfe5559246e4b0e68d

Download Submit
C:\Program Files (x86)\BetOnline\opengl2d3d8.dll

Filesize
190KB

MD5
8ad71e4b6ae25836fb70b846f0763a70

SHA1
fba72d87289456ce81799349c8f773f363fb3df3

SHA256
0e737154732e9d0fb89fdc4ebb4336bcfaf6c5540719be13b1fd37f00c36dc14

SHA512
54d02b88e4a2a1c32a081cd7b17029e863f4bb43ac20cd0208a995403e6e8ef0b95fde03a60eebd05840dc093e217946680a6309bf9048d317896efe98558c22

Download Submit
C:\Program Files (x86)\BetOnline\opengl2d3d8.dll

Filesize
190KB

MD5
8ad71e4b6ae25836fb70b846f0763a70

SHA1
fba72d87289456ce81799349c8f773f363fb3df3

SHA256
0e737154732e9d0fb89fdc4ebb4336bcfaf6c5540719be13b1fd37f00c36dc14

SHA512
54d02b88e4a2a1c32a081cd7b17029e863f4bb43ac20cd0208a995403e6e8ef0b95fde03a60eebd05840dc093e217946680a6309bf9048d317896efe98558c22

Download Submit
C:\Program Files (x86)\BetOnline\opengl2d3d8.dll

Filesize
190KB

MD5
8ad71e4b6ae25836fb70b846f0763a70

SHA1
fba72d87289456ce81799349c8f773f363fb3df3

SHA256
0e737154732e9d0fb89fdc4ebb4336bcfaf6c5540719be13b1fd37f00c36dc14

SHA512
54d02b88e4a2a1c32a081cd7b17029e863f4bb43ac20cd0208a995403e6e8ef0b95fde03a60eebd05840dc093e217946680a6309bf9048d317896efe98558c22

Download Submit
C:\Program Files (x86)\BetOnline\vcruntime140.dll

Filesize
88KB

MD5
a0df29af5f6135b735dee359c0871ecf

SHA1
f7ebb9a9fd00e1ac95537158fae1167b06f490bd

SHA256
35afadbacc9a30341c1a5ee2117e69583e5044cea0bfab636dccbdcc281a8786

SHA512
fdc7a62d0b187829708ec544de52b4037da613e01a7591a2abc55f95c4719ee04f9c51d31f01edb7161b5edc3cd85004c3a55d375116baa76fb44553df592b3e

Download Submit
C:\Program Files (x86)\BetOnline\vcruntime140.dll

Filesize
88KB

MD5
a0df29af5f6135b735dee359c0871ecf

SHA1
f7ebb9a9fd00e1ac95537158fae1167b06f490bd

SHA256
35afadbacc9a30341c1a5ee2117e69583e5044cea0bfab636dccbdcc281a8786

SHA512
fdc7a62d0b187829708ec544de52b4037da613e01a7591a2abc55f95c4719ee04f9c51d31f01edb7161b5edc3cd85004c3a55d375116baa76fb44553df592b3e

Download Submit
C:\Program Files (x86)\BetOnline\wrap_oal.dll

Filesize
404KB

MD5
9c24ed831ddfa8319382b2bfd9691aa9

SHA1
ab7872c0c0f48ed156d505ebad2dc4b0baff36a4

SHA256
c2ef86cbdb7fa07a9da8f56d5ffa548c57c5eaafd1ce5462ed397de7b8c823a3

SHA512
f424c7f4ab4c40a0c53756f4441e911e0d0279e221547c9c04c640d857df0ec61f5e2c4c61fdbd464fe6a3b96605ca31b24bf753dd991959c47c85299a1b0aed

Download Submit
C:\Program Files (x86)\BetOnline\wrap_oal.dll

Filesize
404KB

MD5
9c24ed831ddfa8319382b2bfd9691aa9

SHA1
ab7872c0c0f48ed156d505ebad2dc4b0baff36a4

SHA256
c2ef86cbdb7fa07a9da8f56d5ffa548c57c5eaafd1ce5462ed397de7b8c823a3

SHA512
f424c7f4ab4c40a0c53756f4441e911e0d0279e221547c9c04c640d857df0ec61f5e2c4c61fdbd464fe6a3b96605ca31b24bf753dd991959c47c85299a1b0aed

Download Submit
C:\Program Files (x86)\BetOnline\wrap_oal.dll

Filesize
404KB

MD5
9c24ed831ddfa8319382b2bfd9691aa9

SHA1
ab7872c0c0f48ed156d505ebad2dc4b0baff36a4

SHA256
c2ef86cbdb7fa07a9da8f56d5ffa548c57c5eaafd1ce5462ed397de7b8c823a3

SHA512
f424c7f4ab4c40a0c53756f4441e911e0d0279e221547c9c04c640d857df0ec61f5e2c4c61fdbd464fe6a3b96605ca31b24bf753dd991959c47c85299a1b0aed

Download Submit
C:\Program Files (x86)\BetOnline\wrap_oal.dll

Filesize
404KB

MD5
9c24ed831ddfa8319382b2bfd9691aa9

SHA1
ab7872c0c0f48ed156d505ebad2dc4b0baff36a4

SHA256
c2ef86cbdb7fa07a9da8f56d5ffa548c57c5eaafd1ce5462ed397de7b8c823a3

SHA512
f424c7f4ab4c40a0c53756f4441e911e0d0279e221547c9c04c640d857df0ec61f5e2c4c61fdbd464fe6a3b96605ca31b24bf753dd991959c47c85299a1b0aed

Download Submit
C:\Program Files (x86)\BetOnline\wrap_oal.dll

Filesize
404KB

MD5
9c24ed831ddfa8319382b2bfd9691aa9

SHA1
ab7872c0c0f48ed156d505ebad2dc4b0baff36a4

SHA256
c2ef86cbdb7fa07a9da8f56d5ffa548c57c5eaafd1ce5462ed397de7b8c823a3

SHA512
f424c7f4ab4c40a0c53756f4441e911e0d0279e221547c9c04c640d857df0ec61f5e2c4c61fdbd464fe6a3b96605ca31b24bf753dd991959c47c85299a1b0aed

Download Submit
C:\Users\Admin\AppData\Local\Temp\LauncherAssistant.exe

Filesize
239KB

MD5
239a4c37f08ee973b24544f7ddaf5873

SHA1
2de8a57495b2a0d4e3547421394b2af5fae8bf0c

SHA256
53174d20fc3354d9af80e9caa3ee2585fdd69bcbeb911e553658afb0f9157f54

SHA512
7e8d7f0492e749a684be2bbfe492b197faecd8fd1f9b50953f751ce3cf42b847c6d01a8fea2846249666a8db6d913a46994410d87e250fe3b8c3fc450d1f4063

Download Submit
C:\Users\Admin\AppData\Local\Temp\LauncherAssistant.exe

Filesize
239KB

MD5
239a4c37f08ee973b24544f7ddaf5873

SHA1
2de8a57495b2a0d4e3547421394b2af5fae8bf0c

SHA256
53174d20fc3354d9af80e9caa3ee2585fdd69bcbeb911e553658afb0f9157f54

SHA512
7e8d7f0492e749a684be2bbfe492b197faecd8fd1f9b50953f751ce3cf42b847c6d01a8fea2846249666a8db6d913a46994410d87e250fe3b8c3fc450d1f4063

Download Submit
memory/380-204-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/380-132-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/380-136-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/5044-216-0x00000231C7640000-0x00000231C7650000-memory.dmp

Filesize
64KB

Download
memory/5044-215-0x00000231C7540000-0x00000231C7550000-memory.dmp

Filesize
64KB

Download
memory/5096-177-0x000000000F4D0000-0x000000000F6F0000-memory.dmp

Filesize
2.1MB

Download