Resubmissions
Submitted          Task                 Score
01-04-2023 05:34   230401-f9mbsahe9v    8
01-04-2023 05:33   230401-f83blsgb87    6
01-04-2023 05:30   230401-f699fahe7x    10
01-04-2023 05:26   230401-f4ttnsgb52    8

Analysis
max time kernel: 150s
max time network: 147s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01-04-2023 05:26
Static task: static1
Behavioral task: behavioral1
Sample: JJSploit_7.1.3_x86_en-US.msi
Resource: win10-20230220-en
General
Target: JJSploit_7.1.3_x86_en-US.msi
Size: 5.8MB
MD5: 89b39aafa577686ce2890ff00a22f7d6
SHA1: 1259bb1962d23f242ebe340f359b3825a31989d4
SHA256: dfdb140d98307146cbdbc726cc1f4897acc14288c95fd8bfc5ab29f91c895fa3
SHA512: 59d7ee87354f01c9bcaf438086a730f56c671f75815be696b07107d54f886b48a7217a7c4138e690a6c0670b7c39dd564650b63e6e12743d46b3bd65824ad70d
SSDEEP: 98304:oni7F600rU+xmX0VumSuS2eaYbC8wSKyWatyiGoMNjbLmf19+I3NlNi3bywir:Gi7F6MiVVBS2e3bC8wS+QGZNYpi2
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
Processes: powershell.exe
flow  pid   process
12    4888  powershell.exe
14    4888  powershell.exe
powershell.exe (pid 4888) is not among the dropped executables listed further down; its parent process and the destinations of flows 12 and 14 are not shown on this page.

Downloads MZ/PE file
Sets file execution options in registry (2 TTPs, 2 IoCs)
Processes: MicrosoftEdgeUpdate.exe
  Key created     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe   (MicrosoftEdgeUpdate.exe)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"   (MicrosoftEdgeUpdate.exe)
Image File Execution Options is a well-known hijack and tamper location (a Debugger value there redirects process creation), but the only value written here is DisableExceptionChainValidation = 0, which enables SEHOP for that image. The updater is hardening its own process, not disabling a mitigation; treat an IFEO hit as suspicious when a Debugger value is set or the target image is not the writer itself.
Executes dropped EXE (13 IoCs)
pid   process
1960  MicrosoftEdgeWebview2Setup.exe
3344  MicrosoftEdgeUpdate.exe
4360  MicrosoftEdgeUpdate.exe
4372  MicrosoftEdgeUpdate.exe
4908  MicrosoftEdgeUpdateComRegisterShell64.exe
5028  MicrosoftEdgeUpdateComRegisterShell64.exe
3248  MicrosoftEdgeUpdateComRegisterShell64.exe
2480  MicrosoftEdgeUpdate.exe
1100  MicrosoftEdgeUpdate.exe
1880  MicrosoftEdgeUpdate.exe
1760  MicrosoftEdgeUpdate.exe
4156  MicrosoftEdge_X64_111.0.1661.62.exe
4792  setup.exe
All thirteen belong to the Edge Update / WebView2 runtime installer family (MicrosoftEdgeWebview2Setup.exe appears first); no JJSploit-named binary is in this list.
Loads dropped DLL (10 IoCs)
pid   process
4500  MsiExec.exe
3344  MicrosoftEdgeUpdate.exe
4908  MicrosoftEdgeUpdateComRegisterShell64.exe
4372  MicrosoftEdgeUpdate.exe
5028  MicrosoftEdgeUpdateComRegisterShell64.exe
4372  MicrosoftEdgeUpdate.exe
3248  MicrosoftEdgeUpdateComRegisterShell64.exe
4372  MicrosoftEdgeUpdate.exe
1880  MicrosoftEdgeUpdate.exe
1100  MicrosoftEdgeUpdate.exe
Registers COM server for autorun (1 TTPs, 31 IoCs)
Processes: MicrosoftEdgeUpdateComRegisterShell64.exe (three instances)
Each instance performs the same operations on three CLSIDs, which is why the 31 records repeat. Collapsed to the unique operations:
  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32
    Key created; Key deleted
    Set value (str) (Default) = "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\psmachine_64.dll"
    Set value (str) ThreadingModel = "Both"
  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32
    Key created; Key deleted
    Set value (str) (Default) = "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\psmachine_64.dll"
    Set value (str) ThreadingModel = "Both"
  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B896F458-C5BF-43D0-8982-B94F7A11B9C7}\InProcServer32
    Key created
    Set value (str) (Default) = "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\psmachine_64.dll"
    Set value (str) ThreadingModel = "Both"
All three classes point at one Edge Update DLL under a directory standard users cannot write to. An InprocServer32 entry only makes the class loadable by COM clients; it carries no start-up trigger of its own, so whether anything "autoruns" depends on what later instantiates these CLSIDs, which this page does not show.
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes: setup.exe
  Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce   (setup.exe)
The single record is a key creation. No value name or command line under RunOnce is captured, so this page does not show what, if anything, was scheduled to run at the next logon.
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe (two instances)
Both instances open, read-only, the root of 24 drive letters (\??\A:, \??\B: and \??\E: through \??\Z:), which accounts for the 48 records. Probing every drive letter this way is consistent with Windows Installer's disk-space costing of available volumes rather than with sample-specific logic.
Checks system information in the registry (2 TTPs, 8 IoCs)
System information is often read in order to detect sandboxing environments.
Processes: MicrosoftEdgeUpdate.exe (four instances)
Each instance queries the same two values:
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName
These are the OEM manufacturer and model strings. A VM check and an updater's hardware telemetry read exactly the same two values, so this hit is ambiguous on its own.
Drops file in System32 directory (13 IoCs)
Processes: MicrosoftEdgeUpdate.exe
All thirteen records are "File opened for modification" under C:\Windows\SysWOW64\config\systemprofile\ (the SYSTEM account's profile), not executable drops into System32 itself:
  AppData\Local\Microsoft\Windows\INetCache\counters2.dat
  AppData\Local\Microsoft\Windows\INetCache\Content.IE5
  AppData\Local\Microsoft\Windows\INetCache\IE
  AppData\Local\Microsoft\Windows\INetCookies
  AppData\Local\Microsoft\Windows\History\History.IE5
  AppData\LocalLow\Microsoft
  AppData\LocalLow\Microsoft\CryptnetUrlCache
  AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
  AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
  AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
  AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177
The WinINet cache and CryptnetUrlCache (CryptoAPI's cache for CRL, OCSP and certificate downloads) being written under the SYSTEM profile shows the updater ran as SYSTEM and performed online certificate checks, which is expected of a signed updater.
Drops file in Program Files directory (64 IoCs)
Processes: setup.exe, MicrosoftEdgeWebview2Setup.exe, msiexec.exe
The list is capped at 64 records and splits into three groups: the JJSploit payload written by msiexec.exe, Edge Update staging files written by MicrosoftEdgeWebview2Setup.exe, and the Edge/WebView2 runtime written by setup.exe. Only the first group belongs to JJSploit itself.

msiexec.exe, under C:\Program Files (x86)\JJSploit\resources\luascripts\ (File created):
  general\infinitejump.lua
  animations\dab.lua

MicrosoftEdgeWebview2Setup.exe, under C:\Program Files (x86)\Microsoft\Temp\EU2858.tmp\ (File created):
  msedgeupdateres_ja.dll, msedgeupdateres_pt-PT.dll, msedgeupdateres_sk.dll, msedgeupdateres_es.dll, msedgeupdateres_et.dll, msedgeupdateres_bs.dll, msedgeupdateres_mk.dll, msedgeupdateres_ro.dll, MicrosoftEdgeUpdateOnDemand.exe, MicrosoftEdgeUpdateCore.exe

setup.exe, under C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.62\:
  File created: Locales\tr.pak, Locales\af.pak, Locales\da.pak, Locales\as.pak, Locales\pt-BR.pak, Locales\mt.pak, Locales\ca-Es-VALENCIA.pak, Locales\it.pak, Locales\ms.pak, Trust Protection Lists\Mu\Social, Trust Protection Lists\Mu\Entities, v8_context_snapshot.bin, identity_proxy\beta.identity_helper.exe.manifest, identity_proxy\stable.identity_helper.exe.manifest, prefs_enclave_x64.dll, dual_engine_adapter_x64.dll, vccorlib140.dll, Installer\setup.exe, msedge.exe
  File opened for modification: msedge.dll, Trust Protection Lists\Mu\TransparentAdvertisers, msedge_pwa_launcher.exe, Locales\ka.pak, Locales\cy.pak, identity_proxy\beta.identity_helper.exe.manifest, Locales\tt.pak, msedgewebview2.exe, VisualElements\Logo.png, VisualElements\SmallLogoBeta.png, Locales\ne.pak, MEIPreload\preloaded_data.pb, Locales\fil.pak, concrt140.dll, identity_proxy\win11\identity_helper.Sparse.Canary.msix, BHO\ie_to_edge_stub.exe, Locales\lv.pak, telclient.dll, EBWebView\x64\EmbeddedBrowserWebView.dll

setup.exe, under C:\Program Files (x86)\Microsoft\EdgeWebView\Application\111.0.1661.62\ (File opened for modification):
  Trust Protection Lists\Mu\Entities, Locales\de.pak, Locales\te.pak, Extensions\external_extensions.json, v8_context_snapshot.bin, msedge.exe.sig, Locales\ar.pak, WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig, Locales\km.pak, Locales\gu.pak, Locales\tr.pak, Locales\or.pak, identity_proxy\resources.pri, Trust Protection Lists\Mu\Advertising
Drops file in Windows directory (10 IoCs)
Processes: msiexec.exe
  File created                 C:\Windows\Installer\e56f755.msi
  File opened for modification C:\Windows\Installer\e56f755.msi
  File created                 C:\Windows\Installer\e56f757.msi
  File opened for modification C:\Windows\Installer\
  File opened for modification C:\Windows\Installer\MSIF939.tmp
  File created                 C:\Windows\Installer\inprogressinstallinfo.ipi
  File created                 C:\Windows\Installer\SourceHash{7FF8E9C7-261E-4AB2-A1D2-72D10618FD82}
  File created                 C:\Windows\Installer\{7FF8E9C7-261E-4AB2-A1D2-72D10618FD82}\ProductIcon
  File opened for modification C:\Windows\Installer\{7FF8E9C7-261E-4AB2-A1D2-72D10618FD82}\ProductIcon
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
All ten are Windows Installer housekeeping: the cached copy of the package, the in-progress marker, and the SourceHash and ProductIcon entries keyed by the package's ProductCode {7FF8E9C7-261E-4AB2-A1D2-72D10618FD82}, plus a write to ngen.log. The ProductCode is the key name this install will have under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, which is the quickest way to find it on a live host.
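The registry records above (the IFEO entries, the CLSID\...\InprocServer32 registrations and the RunOnce key) and the file-drop lists are all rendered by the report as flattened "<action> <path>[ = "<value>"] <process>" lines. The following is an added example, not Triage's code or output and not part of this report: it parses records in that layout, applies a few triage rules to the registry ones (IFEO Debugger vs. the SEHOP opt-in seen here, Run/RunOnce writes vs. bare key creation, COM server DLLs outside admin-only directories) and counts file creations per process and install root. The sample records are copied from this report, except the last one, which is a constructed IFEO Debugger hijack added as a contrast case; the rule names and severities are the example's own.

```python
"""Parse flattened Triage-style IoC records and triage the registry ones.

Added example; not Triage's code or output format. SAMPLE_IOCS is copied
from this report except the final line, which is constructed."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Action prefixes that occur in this report. The regex is anchored and the
# alternatives are literal, so "Key value queried" is never read as "Key".
_ACTIONS = [
    "Key value queried", "Key created", "Key deleted", "Key opened",
    "Set value (int)", "Set value (str)",
    "File opened for modification", "File opened (read-only)", "File created",
]
_ACTION_RE = re.compile(r"^(%s)\s+(.*)$" % "|".join(map(re.escape, _ACTIONS)))
_IFEO = "\\image file execution options\\"

@dataclass
class Ioc:
    action: str
    path: str
    process: str
    value: Optional[str] = None   # only set for "Set value" records

@dataclass
class Finding:
    severity: str   # "high" | "review" | "info"
    rule: str
    ioc: Ioc

def parse_ioc(line: str) -> Ioc:
    m = _ACTION_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IoC record: {line!r}")
    action, rest = m.groups()
    # The reporting process is always the last whitespace-delimited token;
    # paths themselves may contain spaces ("Windows NT", "Program Files (x86)").
    parts = rest.rsplit(None, 1)
    if len(parts) != 2:
        raise ValueError(f"no process name in: {line!r}")
    rest, process = parts
    value = None
    if action.startswith("Set value"):
        path, sep, raw = rest.rpartition(" = ")
        if not sep:
            raise ValueError(f"Set value record without data: {line!r}")
        # The report doubles backslashes inside string data; undo that.
        value = raw.strip('"').replace("\\\\", "\\")
    else:
        path = rest
    return Ioc(action, path, process, value)

def triage_registry(iocs: List[Ioc]) -> List[Finding]:
    out = []
    for ioc in iocs:
        if not ioc.path.startswith("\\REGISTRY\\"):
            continue
        p = ioc.path.lower()
        _, _, name = ioc.path.rpartition("\\")   # "" means the (Default) value
        if _IFEO in p:
            if ioc.action.startswith("Set value") and name.lower() == "debugger":
                out.append(Finding("high", "ifeo-debugger-hijack", ioc))
            elif name.lower() == "disableexceptionchainvalidation":
                # 0 turns SEHOP on for that image, 1 turns it off.
                sev = "info" if ioc.value == "0" else "review"
                out.append(Finding(sev, "ifeo-sehop", ioc))
            elif ioc.action.startswith("Set value"):
                out.append(Finding("review", "ifeo-other-value", ioc))
            else:
                out.append(Finding("info", "ifeo-key-touched", ioc))
        elif "\\currentversion\\run" in p:
            if ioc.action.startswith("Set value"):
                out.append(Finding("review", "autostart-value", ioc))
            else:
                # Key creation alone records no command line to run.
                out.append(Finding("info", "autostart-key-created", ioc))
        elif "\\clsid\\{" in p and name == "" and ioc.action.startswith("Set value") \
                and ("inprocserver32" in p or "localserver32" in p):
            # The (Default) value names the server binary; flag it unless it
            # lives under a directory standard users cannot write to.
            trusted = ioc.value.lower().startswith(("c:\\program files", "c:\\windows"))
            out.append(Finding("info" if trusted else "review", "com-server-registered", ioc))
    return out

def file_drops_by_process(iocs: List[Ioc]) -> Counter:
    """Count 'File created' records per (process, 'drive:\\top\\second' root)."""
    counts = Counter()
    for ioc in iocs:
        if ioc.action == "File created":
            root = "\\".join(ioc.path.split("\\")[:3])
            counts[(ioc.process, root)] += 1
    return counts

SAMPLE_IOCS = [
    # copied from this report
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.173.51\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe',
    r'Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce setup.exe',
    r'File opened (read-only) \??\R: msiexec.exe',
    r'File created C:\Program Files (x86)\JJSploit\resources\luascripts\general\infinitejump.lua msiexec.exe',
    r'File created C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.62\msedge.exe setup.exe',
    r'File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\111.0.1661.62\msedge.dll setup.exe',
    # constructed contrast case, NOT from this report: an IFEO Debugger hijack
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Users\\Public\\payload.exe" unknown.exe',
]

if __name__ == "__main__":
    records = [parse_ioc(line) for line in SAMPLE_IOCS]
    for f in triage_registry(records):
        print(f"{f.severity:6} {f.rule:24} {f.ioc.process}  {f.ioc.path}")
    for (proc, root), n in file_drops_by_process(records).items():
        print(f"{n:3} files created by {proc} under {root}")
```

Run against the full IoC text of a report, the same parser lets you answer the question this page raises but does not settle: how many of the recorded writes come from the sample's own installer (msiexec.exe into the JJSploit directory) versus the bundled Edge runtime install, and which registry changes actually warrant follow-up.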
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it "likely ransomware behaviour"; in this task the drive access on record is msiexec.exe opening drive roots read-only, which is ordinary installer behaviour, so this hit is not ransomware evidence by itself.
Checks SCSI registry key(s) (3 TTPs, 64 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: svchost.exe
The 64 records (the report's cap) are all reads by svchost.exe of PnP device-property keys under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\ for four devices. Grouped by device:

CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000
  Key opened: the device key itself; Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002; Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005; Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052, \004C, \0051, \004A, \0038; Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A, \2002, \2003; Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006; Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008; Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008; Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008; Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003
  Key value queried: DeviceDesc; Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\ (Default); Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ (Default)

CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  Key opened: Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002; Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008; Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051, \0064, \0052, \0034, \004A; Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003, \0002; Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005; Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008; Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008
  Key value queried: CompatibleIDs; HardwareID; ConfigFlags; Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ (Default); Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\ (Default)

CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
  Key opened: Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A, \0051, \0058, \0052; Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A, \0006; Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008, \0009; Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A; Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002; Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004; Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A; Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008
  Key value queried: Mfg; ConfigFlags; Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ (Default)

Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  Key opened: Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064, \0038, \0058, \004C; Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016, \000A; Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004; Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009; Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009
  Key value queried: HardwareID; Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\ (Default); Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ (Default)

The reader here is svchost.exe, a service host, not a process started from the sample, and its process-tree relationship to the sample is not shown on this page. Device vendor strings such as Ven_DADY and Prod_Virtual_DVD-ROM are what a VM check would look at, but a service reading PnP properties after the drive enumeration above is also normal Windows activity, so this hit needs process context before it counts as the sample's own sandbox detection.
Modifies data under HKEY_USERS 55 IoCs
Processes: MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe svchost.exe
description ioc process
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections svchost.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeUpdate.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache svchost.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe
-
Modifies registry class 64 IoCs
Processes: MicrosoftEdgeUpdateComRegisterShell64.exe MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdateComRegisterShell64.exe MicrosoftEdgeUpdateComRegisterShell64.exe msiexec.exe MicrosoftEdgeUpdate.exe
description ioc process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2" MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32 MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods\ = "17" MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine.1.0\CLSID\ = "{B5977F34-9264-4AC3-9B31-1224827FF6E8}" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4" MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\VersionIndependentProgID MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ = "IProgressWndEvents" MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED} MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{B896F458-C5BF-43D0-8982-B94F7A11B9C7}" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods\ = "24" MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11" MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32\ = "{B896F458-C5BF-43D0-8982-B94F7A11B9C7}" MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0\CLSID\ = "{5F6A18BB-6231-424B-8242-19E5BB94F8ED}" MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.CredentialDialogMachine" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\SourceList\Media msiexec.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{B896F458-C5BF-43D0-8982-B94F7A11B9C7}" MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0} MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\Elevation MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\ = "Microsoft Edge Update CredentialDialog" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2" MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\ = "Microsoft Edge Update Process Launcher Class" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10" MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32\ = "{B896F458-C5BF-43D0-8982-B94F7A11B9C7}" MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\VersionIndependentProgID MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods\ = "4" MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7C9E8FF7E1622BA41A2D271D6081DF28\Language = "0" msiexec.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D47E8230-0C1F-4F8E-B50B-6F25865F4803} MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ = "IProcessLauncher" MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69} MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF} MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation\Enabled = "1" MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreMachineClass.1\ = "Microsoft Edge Update Core Class" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\VersionIndependentProgID MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F} MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83} MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B896F458-C5BF-43D0-8982-B94F7A11B9C7}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ = "IPolicyStatus3" MicrosoftEdgeUpdateComRegisterShell64.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32 MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\ = "Microsoft Edge Update Process Launcher Class" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\Elevation MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc.1.0 MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage" MicrosoftEdgeUpdateComRegisterShell64.exe
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: msiexec.exe powershell.exe MicrosoftEdgeUpdate.exe
pid process
4036 msiexec.exe
4036 msiexec.exe
4888 powershell.exe
4888 powershell.exe
4888 powershell.exe
3344 MicrosoftEdgeUpdate.exe
3344 MicrosoftEdgeUpdate.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe msiexec.exe
description pid process
Token: SeShutdownPrivilege 3628 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3628 msiexec.exe
Token: SeSecurityPrivilege 4036 msiexec.exe
Token: SeCreateTokenPrivilege 3628 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 3628 msiexec.exe
Token: SeLockMemoryPrivilege 3628 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3628 msiexec.exe
Token: SeMachineAccountPrivilege 3628 msiexec.exe
Token: SeTcbPrivilege 3628 msiexec.exe
Token: SeSecurityPrivilege 3628 msiexec.exe
Token: SeTakeOwnershipPrivilege 3628 msiexec.exe
Token: SeLoadDriverPrivilege 3628 msiexec.exe
Token: SeSystemProfilePrivilege 3628 msiexec.exe
Token: SeSystemtimePrivilege 3628 msiexec.exe
Token: SeProfSingleProcessPrivilege 3628 msiexec.exe
Token: SeIncBasePriorityPrivilege 3628 msiexec.exe
Token: SeCreatePagefilePrivilege 3628 msiexec.exe
Token: SeCreatePermanentPrivilege 3628 msiexec.exe
Token: SeBackupPrivilege 3628 msiexec.exe
Token: SeRestorePrivilege 3628 msiexec.exe
Token: SeShutdownPrivilege 3628 msiexec.exe
Token: SeDebugPrivilege 3628 msiexec.exe
Token: SeAuditPrivilege 3628 msiexec.exe
Token: SeSystemEnvironmentPrivilege 3628 msiexec.exe
Token: SeChangeNotifyPrivilege 3628 msiexec.exe
Token: SeRemoteShutdownPrivilege 3628 msiexec.exe
Token: SeUndockPrivilege 3628 msiexec.exe
Token: SeSyncAgentPrivilege 3628 msiexec.exe
Token: SeEnableDelegationPrivilege 3628 msiexec.exe
Token: SeManageVolumePrivilege 3628 msiexec.exe
Token: SeImpersonatePrivilege 3628 msiexec.exe
Token: SeCreateGlobalPrivilege 3628 msiexec.exe
Token: SeCreateTokenPrivilege 3628 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 3628 msiexec.exe
Token: SeLockMemoryPrivilege 3628 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3628 msiexec.exe
Token: SeMachineAccountPrivilege 3628 msiexec.exe
Token: SeTcbPrivilege 3628 msiexec.exe
Token: SeSecurityPrivilege 3628 msiexec.exe
Token: SeTakeOwnershipPrivilege 3628 msiexec.exe
Token: SeLoadDriverPrivilege 3628 msiexec.exe
Token: SeSystemProfilePrivilege 3628 msiexec.exe
Token: SeSystemtimePrivilege 3628 msiexec.exe
Token: SeProfSingleProcessPrivilege 3628 msiexec.exe
Token: SeIncBasePriorityPrivilege 3628 msiexec.exe
Token: SeCreatePagefilePrivilege 3628 msiexec.exe
Token: SeCreatePermanentPrivilege 3628 msiexec.exe
Token: SeBackupPrivilege 3628 msiexec.exe
Token: SeRestorePrivilege 3628 msiexec.exe
Token: SeShutdownPrivilege 3628 msiexec.exe
Token: SeDebugPrivilege 3628 msiexec.exe
Token: SeAuditPrivilege 3628 msiexec.exe
Token: SeSystemEnvironmentPrivilege 3628 msiexec.exe
Token: SeChangeNotifyPrivilege 3628 msiexec.exe
Token: SeRemoteShutdownPrivilege 3628 msiexec.exe
Token: SeUndockPrivilege 3628 msiexec.exe
Token: SeSyncAgentPrivilege 3628 msiexec.exe
Token: SeEnableDelegationPrivilege 3628 msiexec.exe
Token: SeManageVolumePrivilege 3628 msiexec.exe
Token: SeImpersonatePrivilege 3628 msiexec.exe
Token: SeCreateGlobalPrivilege 3628 msiexec.exe
Token: SeCreateTokenPrivilege 3628 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 3628 msiexec.exe
Token: SeLockMemoryPrivilege 3628 msiexec.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: msiexec.exe
pid process
3628 msiexec.exe
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes: msiexec.exe powershell.exe MicrosoftEdgeWebview2Setup.exe MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe MicrosoftEdge_X64_111.0.1661.62.exe
description pid process target process
PID 4036 wrote to memory of 4500 4036 msiexec.exe MsiExec.exe
PID 4036 wrote to memory of 4500 4036 msiexec.exe MsiExec.exe
PID 4036 wrote to memory of 4500 4036 msiexec.exe MsiExec.exe
PID 4036 wrote to memory of 4504 4036 msiexec.exe srtasks.exe
PID 4036 wrote to memory of 4504 4036 msiexec.exe srtasks.exe
PID 4036 wrote to memory of 4888 4036 msiexec.exe powershell.exe
PID 4036 wrote to memory of 4888 4036 msiexec.exe powershell.exe
PID 4888 wrote to memory of 1960 4888 powershell.exe MicrosoftEdgeWebview2Setup.exe
PID 4888 wrote to memory of 1960 4888 powershell.exe MicrosoftEdgeWebview2Setup.exe
PID 4888 wrote to memory of 1960 4888 powershell.exe MicrosoftEdgeWebview2Setup.exe
PID 1960 wrote to memory of 3344 1960 MicrosoftEdgeWebview2Setup.exe MicrosoftEdgeUpdate.exe
PID 1960 wrote to memory of 3344 1960 MicrosoftEdgeWebview2Setup.exe MicrosoftEdgeUpdate.exe
PID 1960 wrote to memory of 3344 1960 MicrosoftEdgeWebview2Setup.exe MicrosoftEdgeUpdate.exe
PID 3344 wrote to memory of 4360 3344 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 3344 wrote to memory of 4360 3344 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 3344 wrote to memory of 4360 3344 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 3344 wrote to memory of 4372 3344 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 3344 wrote to memory of 4372 3344 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 3344 wrote to memory of 4372 3344 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 4372 wrote to memory of 4908 4372 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdateComRegisterShell64.exe
PID 4372 wrote to memory of 4908 4372 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdateComRegisterShell64.exe
PID 4372 wrote to memory of 5028 4372 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdateComRegisterShell64.exe
PID 4372 wrote to memory of 5028 4372 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdateComRegisterShell64.exe
PID 4372 wrote to memory of 3248 4372 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdateComRegisterShell64.exe
PID 4372 wrote to memory of 3248 4372 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdateComRegisterShell64.exe
PID 3344 wrote to memory of 2480 3344 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 3344 wrote to memory of 2480 3344 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 3344 wrote to memory of 2480 3344 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 3344 wrote to memory of 1100 3344 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 3344 wrote to memory of 1100 3344 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 3344 wrote to memory of 1100 3344 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 1880 wrote to memory of 1760 1880 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 1880 wrote to memory of 1760 1880 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 1880 wrote to memory of 1760 1880 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 1880 wrote to memory of 4156 1880 MicrosoftEdgeUpdate.exe MicrosoftEdge_X64_111.0.1661.62.exe
PID 1880 wrote to memory of 4156 1880 MicrosoftEdgeUpdate.exe MicrosoftEdge_X64_111.0.1661.62.exe
PID 4156 wrote to memory of 4792 4156 MicrosoftEdge_X64_111.0.1661.62.exe setup.exe
PID 4156 wrote to memory of 4792 4156 MicrosoftEdge_X64_111.0.1661.62.exe setup.exe
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\JJSploit_7.1.3_x86_en-US.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:3628
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4036
  - C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding E46C1B7A0A011093608E98FB4FB30AF3 C
    - Loads dropped DLL
    PID:4500
  - C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID:4504
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4888
    - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      PID:1960
      - C:\Program Files (x86)\Microsoft\Temp\EU2858.tmp\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\Temp\EU2858.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        - Sets file execution options in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks system information in the registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID:3344
        - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
          - Executes dropped EXE
          - Modifies registry class
          PID:4360
        - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies registry class
          - Suspicious use of WriteProcessMemory
          PID:4372
          - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\MicrosoftEdgeUpdateComRegisterShell64.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Registers COM server for autorun
            - Modifies registry class
            PID:4908
          - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\MicrosoftEdgeUpdateComRegisterShell64.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Registers COM server for autorun
            - Modifies registry class
            PID:5028
          - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\MicrosoftEdgeUpdateComRegisterShell64.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.173.51\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Registers COM server for autorun
            - Modifies registry class
            PID:3248
        - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MThBOUJDRTUtRTA0Qy00QzhBLTg3NjctMkQwNUEzRDYwOUM2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntDMjhDNjc1NS1CMTQ2LTRBQTMtQTVEOC05REZDM0U3OEVEMTF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxLjMuMTczLjUxIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NTQ3NTg2NTY4IiBpbnN0YWxsX3RpbWVfbXM9IjExNzMiLz48L2FwcD48L3JlcXVlc3Q-
          - Executes dropped EXE
          - Checks system information in the registry
          PID:2480
        - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{18A9BCE5-E04C-4C8A-8767-2D05A3D609C6}" /silent
          - Executes dropped EXE
          - Loads dropped DLL
          PID:1100
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  PID:3956
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3700
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1880
  - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzMuNTEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzMuNTEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MThBOUJDRTUtRTA0Qy00QzhBLTg3NjctMkQwNUEzRDYwOUM2fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsyRUNBRUMyMC0yNDExLTQyNEEtOTNCRi1FQjFGNUNGQUNCRjd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iNCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE1MDYzLjAiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbmV4dHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDU1NDMwMzgyMSIvPjwvYXBwPjwvcmVxdWVzdD4
    - Executes dropped EXE
    - Checks system information in the registry
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:1760
  - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52E67ABB-DCFC-49EE-98EB-D014FDEEEFCF}\MicrosoftEdge_X64_111.0.1661.62.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52E67ABB-DCFC-49EE-98EB-D014FDEEEFCF}\MicrosoftEdge_X64_111.0.1661.62.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4156
    - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52E67ABB-DCFC-49EE-98EB-D014FDEEEFCF}\EDGEMITMP_76A62.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52E67ABB-DCFC-49EE-98EB-D014FDEEEFCF}\EDGEMITMP_76A62.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52E67ABB-DCFC-49EE-98EB-D014FDEEEFCF}\MicrosoftEdge_X64_111.0.1661.62.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Program Files directory
      PID:4792
Network
MITRE ATT&CK Enterprise v6
Downloads
-
Filesize 9.9MB
MD5 7b0cd24f6573f45f707381896445dc20
SHA1 bd49edd9bf4536324f71effa53c0ecac53e074e0
SHA256 5caab958fde69fbae9bd0f3dbee8398ef616c0dc1245cd2c0f17ac9e15c8c777
SHA512 9f76f91edece4c67a956971b803d53a437ea4c4ee8cdb46d21ca6d45ea8e1fec71d77446c864cbdb2310fda1b7ea73d0720d238a3647288a737debc588d7b513
-
Filesize 3.8MB
MD5 37de1607570cdecf6643accde9060746
SHA1 4269893478cacc3fcfb78ed4b14300e4b05a9abf
SHA256 2e536b55c7577ce58aaae7ef0e9ffc3b25d022b8753f3c1352c4c2c494b60256
SHA512 4ab672f5074d1ff544c1a480b8f8f96346fcee96290b0fabbd4a8e1db2347ce3eaf2c45032e97687be82b6ab04a982651269d0ea60292eac443a49d9e4426e0d
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\111.0.1661.62\MicrosoftEdge_X64_111.0.1661.62.exe
Filesize 135.1MB
MD5 9e53a4b678f4ecacf77c1f359ae4a065
SHA1 95fd5dc9d9dc82b0b703ac5a769a0458c5974b99
SHA256 813a086504ed035a14ece1fd994f8a07f6d132a10c95b9d90129266c3971ec3f
SHA512 5e3530e588715e3369627af264c4394104aea1a9e56a9c075394baadeb5a1886d79fbbf56d346f2eeda8bf32fe685e59aa73ddb68ec392d4f7a7ade0e475e66f
-
Filesize 201KB
MD5 41680b5d08d0f18ec731b58a73de4781
SHA1 30eb01cd07f55adaca44edcdcfbc152148078669
SHA256 f8f3ace5c3c404342251e16381132f0453514e03e9c65cf387a21cd288552200
SHA512 f936c26a26c5268a142f56c7ca0277efea42404a405679ac23060085ffe96702871ec8d2e0db5534878a03948e99f9464cb8a9da20784f9b0308be9ad30891ce
-
Filesize 12KB
MD5 369bbc37cff290adb8963dc5e518b9b8
SHA1 de0ef569f7ef55032e4b18d3a03542cc2bbac191
SHA256 3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3
SHA512 4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1
-
Filesize 179KB
MD5 eeab009b340608e02f41c5aa1bbe67a7
SHA1 fc5c98a0ea110e8c4ecad3be8d8af6b1a50f9559
SHA256 22387c13beca9bf5f126511a0e86e1d90ae1ea70cdbdfd6c63a14aa532e53144
SHA512 6c438f035f222fec751a0839009adf24a5a1dcee4214146ee1d2ffef49dd900b38f1a70f532bca480b2aace3d4467fa86b429e8186e1cc13b5436286949b29fb
-
Filesize 201KB
MD5 41680b5d08d0f18ec731b58a73de4781
SHA1 30eb01cd07f55adaca44edcdcfbc152148078669
SHA256 f8f3ace5c3c404342251e16381132f0453514e03e9c65cf387a21cd288552200
SHA512 f936c26a26c5268a142f56c7ca0277efea42404a405679ac23060085ffe96702871ec8d2e0db5534878a03948e99f9464cb8a9da20784f9b0308be9ad30891ce
-
Filesize 201KB
MD5 41680b5d08d0f18ec731b58a73de4781
SHA1 30eb01cd07f55adaca44edcdcfbc152148078669
SHA256 f8f3ace5c3c404342251e16381132f0453514e03e9c65cf387a21cd288552200
SHA512 f936c26a26c5268a142f56c7ca0277efea42404a405679ac23060085ffe96702871ec8d2e0db5534878a03948e99f9464cb8a9da20784f9b0308be9ad30891ce
-
Filesize 212KB
MD5 43796351e9ae674e05084827d15ddd3b
SHA1 f72112a34adefc9cd31c0f55074cd74e34260010
SHA256 29a9283e18d979e5c0d70ee63f333e5b8d45e33d8a2fc0443dcf20496879329e
SHA512 c5cf9f2c06cebaa05e95c4e1ce6ccf41060a4793bdc703c979f7941aef4ab4ca0eb3450777d9ee6f5dcea65825d6681bcad7d8c9f862e6739afa34f337e0f720
-
Filesize 257KB
MD5 c37873784d654850cfb9faad29387998
SHA1 d2d70e7db2c727c412c5530c24982d414d502889
SHA256 57fc701c6705a1e4905a3e7b21144ab700514a1f3a36b9f353cf70d3b7e29477
SHA512 cb9f1e5c0e8ad854f3b885b158bf8bf00b06a3e96a058e685223e3dc6d8d0fe032c88c25a2b66e9f10d5df9c344d1f77134c6a00d0a31ce552eec692c1d0e31a
-
Filesize 4KB
MD5 6dd5bf0743f2366a0bdd37e302783bcd
SHA1 e5ff6e044c40c02b1fc78304804fe1f993fed2e6
SHA256 91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5
SHA512 f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e
-
Filesize 2.1MB
MD5 a1feca03b08e3d05abbfade260fc7291
SHA1 c5d8d736f416ac0e3b6bdd858153c88d4a27023c
SHA256 82f972e81d4a73ba84bd958cc79acea3b3610401c8773fddc955ea5f5a4cbd6e
SHA512 0f2b82d19f8dd95d05ff4f90f059aa8b2782c22147bca69789cae8cbe363a5c8b6e2e78b93253567f29ec6ab874ea1650af36228e52556b3627a7a43f37f68a1
-
Filesize 28KB
MD5 2268e40f1efd0731849c84f228e9f2e8
SHA1 8409af2c0d321053c99b56d6b46fb372fad227f4
SHA256 c68ee308e4b37175847d1cb0793f3850c87d997b57df0185bdf668b36cafd0da
SHA512 08160550d8d1e7b770a88d7c48494b60843dd0baff314868ec799a19f942ce3c41f0d62cb7968bada0db6e1630e13584f251e518aca8ff6411253001145f6d93
-
Filesize 24KB
MD5 f44e945c31e5307da9cc4d06f0dae742
SHA1 04c2f4c9558bad2ebd6c6f22306fc7b7bff1326c
SHA256 f1f7001e5cc83824206bd9b2e895db63f4a135dee109acd672dee48b620d0ea1
SHA512 9df1a2b869e3c6e808057e673dd2b543590dd4b29285057bd0a6edd979a1684cea7e27468a7cc16cf64893b058f9956030b5c4245a30cb4e6d5f43be4bbddd08
-
Filesize 26KB
MD5 1dfa2cefb5ce71f320f5d70ba328df17
SHA1 e5ca9657111b77aba9fa46c90b40ddb5e00a5f89
SHA256 281a1a97f745585498ada34f2a48ac12e2255bc2d41de4bc1106b7d6e753772d
SHA512 047a2a3c1e160a8a3c673aa90adc529aecd5321095c6374cc0007450c0deb2cc193268bd3a4f6c6c285414e6cb55b581dd08c07c160e9901b94a2de2e1e842b6
-
Filesize 28KB
MD5 bdc3cc27d5a9b93b94ab4701d1a17bde
SHA1 97689e8b90326f82bea7e3e4dc509b064462d5a8
SHA256 768223b04c3fee0e4f70f789fe46b9703d8a5fa7a0790c56b4412107587b18aa
SHA512 028a763d18f62f593c3b60208c37a1a3dcc6816e75f768e85b376e2fc3017bf48409add3ec357746c3dd0d1aa45bb7b98a634e83afa765f1f1de3e71e704cbc9
-
Filesize 29KB
MD5 2c9326086b35eb270ea18752cc8e65fe
SHA1 2825bfae46ff9a935b4b32124785065792cf5d6a
SHA256 def8743537d062302728897ba845c3b38caac1035c75943bab55ad79e07dde26
SHA512 642ee8c5a898faa2be9eb02e5a3bce923bef8e79e79f184063ff9895cacced0d0fa545993c69d394219830a3c6f1d6225066ac464ea5d785a32953950771f1ca
-
Filesize 29KB
MD5 d274f64d6f292162a97c28809fbbdf42
SHA1 1f621feabec3a746416ed07e8a712eaf8b68c9cc
SHA256 16bc725323dd5a1755e775747c392109894558cd7b7adc20cde1cdf68bd0fd8b
SHA512 3fcb22e476c1bc1ea948034f98459ea2e0aff86dc0922f078ab36f5a8119332e7ced4026f8721df6cbd45301968783ee1af4d8dde4659c51112b119b63df96a7
-
Filesize 29KB
MD5 429cfeece0deb285ffd70787566a1f8d
SHA1 0aeb24f597b6aad061dee1d39e52e4e0b5d85bca
SHA256 7b8ba9164415277f1c29621335a8b1f9539a56bf40b72d7b5624f947855ed515
SHA512 ae306ccc4b5b799e7e3eb4800826406f9e558db447da7c7b2a5a7b41fd10fccba56983306f291a18f9437502d734cf00a74e786cae98490343c73f0ae8b051be
-
Filesize 29KB
MD5 79a4cbc2e0196d80bbe9f47b21d77537
SHA1 50ad550962fe5c3d50511540c27fc6c25a92f783
SHA256 7e70da6c44a4c6be85329868820a64089419f43a8f52bacad171c9f0ad511909
SHA512 30c5cb0157b9641b9e81bd7b424f5a1faeb40a31c32e31f492c10edae80ae4c931fd12c8e4547d43b85253f6aa625c87b364366199d2e513d559fbef39502cf3
-
Filesize 28KB
MD5 6092cfa76ed533d8eb675d093e33f54a
SHA1 bca4ead601c083c88137dbdd31ce7c75a927544a
SHA256 fdc8de2e46266a1ee0945d6359cc80033e10a23de7ebfdb758c647fe8f4ce8bc
SHA512 d99e2bfb44688e76097a649b5716091d640837b84f8f22131868a9dd6c243f378207925d54a4531cedc82fd84446a0c2364940996973b5653f680f0b1551a536
-
Filesize 29KB
MD5 b43fe6f45c12b79a3b4e4251629e627a
SHA1 75b6a26a82d5101bf2f1ab9d953b5d82e89a2252
SHA256 d448e6fc4472af532dec7c1b364c19bf38e389d540aa7704bbff46ae81019603
SHA512 cf30c496e9849fa1062a325d81f07f796af09165baf37f1b6c033663e0dfa033c41914d2893861d64806f90ed5bc9aa45b9d76db1318bc478615984a084e309c
-
Filesize 30KB
MD5 cfaaf9d0b4e779591a294969488de431
SHA1 8ca0eb1b8aad41d338bb61bbfa6b3b6b9e55ce38
SHA256 58c0c1c3de61c4ad6ab2b99f3ce7aba82bb70640a847334881d924a9cd0e2b75
SHA512 4f3b60af73ce9bddda0eebce3dca5681ca38459018e2dbccf29ed8bd17aafff35dc8cfedd2adab294583a71dd62a7c1ff25949cf02b84e050d929083e33dee38
-
Filesize 28KB
MD5 162c6a9ca055e8185e3cf05c1df40797
SHA1 1d4a2cb4c1acd1f88e96f1f1e4825e6f8d70b3d8
SHA256 4a5c7cdf85f4b38141209ea12c5dd84e3247e91f28b886427d75f42a33397abe
SHA512 bdc3b1c4899b4d0e8b478ee27d8bc41f26c5f5ec3bd63b600a8ba31838c876a10a088e5058a7dcafd770f8bd854f9a2d5ec78b04363da88f6aa3743e1d76d01c
-
Filesize 28KB
MD5 1628d317fc595231efcc022933504ab1
SHA1 80ee7f5938a4f8367839f1002f0522ac8a293ca5
SHA256 36abdbedc646c5baa856e6b22a6e9eaa4553ece3aa9b0bf7839104756af42195
SHA512 4ea12630b6cae888e48296e8b8632086df6aa5595f8aa6d2447d98b396a7ddaa6474f0bd48f0b4d9487a37e36cf58ade1e16cbca4c7af76a565a825840e91060
-
Filesize 28KB
MD5 225acac8ba7345732245d1db02ee0dc3
SHA1 1aaa354024a71de59709c25a3f4b04291c36e7b6
SHA256 9cc284d2f64fca26c7c38d0851c7b20f62323cea48ff3972c20ba3a56a90f36a
SHA512 d9e4b2f30828165e71560fc9232e753d9e20099499fd44f071e790f4c5263c3f9fc5a6e92d64e30edef1063ed273bbe63b67a90e22c1c02edfbcd6969ed52fcb
-
Filesize 30KB
MD5 a5e58bb56e4887483a1e2d87a94d14a9
SHA1 122e8f9a3c917ef4309f9d1b52b79549776f0f0c
SHA256 3330661175a0caeae799f9e9dc3dfca17222b99bb9086450a0e381ef47ed584b
SHA512 dba193e03abb7035f9f44b7ce291c819b85e597cdb3f92f7e3cc9c38c4d683ccd791b56941fa67d8a32946c9561e411f7f27136ee8d20fdf8a5ae57175b65cb8
-
Filesize 30KB
MD5 8c1e1926c85097d6deed3fbf335ebd30
SHA1 29590076ac9ca7a0a97d1ea531a7d83dc546c16d
SHA256 acdab523d32be1b4e3512f7d5ddcd241e2062e0ed5db8913cc472a269f1d5afb
SHA512 9d712c074c90570f7d53b79c164681ec4a81fc40d12329870a76041e398b3fcc6ec07fdde7fc7f5f4745f3969a649c95e0f4370e8256c4fefdd0801a35fa1e20
-
Filesize 27KB
MD5 8fcd88ca1a1a7a4729abb9a779f091f7
SHA1 61e05fc51f5f7165c93af8c82119f8df0dd8165e
SHA256 b1ea2735cb3a7f44463c20cdb5b03ae105e320ce600f4c9c9fb557aab5b8b208
SHA512 a1c7c0921aba77573590fff965e742a9a03fae0c265d62ed23528914f7730c8e8a0edb7ca185d25764ca2b7f45bcf809ad50a0477bc130a60211308252f7e5ea
-
Filesize 27KB
MD5 49ce49c35fe42ddccb14553421619069
SHA1 486adb2db118f5d114704d5f955a1e44904f45a7
SHA256 c898692f9b6f313d4d3ffed1e46f6263b198e8200af464e64eb19c2e0e38c8cd
SHA512 ee3c4b43221c31f5e581db49be7e9c3964049d84e352b7d17ee0e19bda5e27555174e8a4a6a77aa9fbcee93a220f5ef0cdf24207c75ce6b2caf922e3cac3eb06
-
Filesize 29KB
MD5 95141d3cd46128d4d87708c0610e0344
SHA1 1f309c2b15f9647809f87e4a9ed7831ac0746173
SHA256 5e7ff3779a8923a444d85c4feef3be6a211d03dbfb09a3b5853994db3966fdde
SHA512 5cd85e5bf54514abc106dbea11d6ebe072838e8849d9c319da7aa83ac1857201d64991b5b8100ade62a059e6cdd2ac02e4685681994720cd4b6232aac4153f11
-
Filesize 28KB
MD5 869aaf32630ea378477dd67d2fca47bb
SHA1 134357c3095da7581ee84e80fc03a0eabe1ce075
SHA256 f0e5fb8894a97379f781922f0642b1cab6739f2c9f74b79994b87ab29d19dc8f
SHA512 72880779da5f72569b183659ce7ce26031596d124bb25236ed560343ff8cf1a21734dc807b13cde7c2809c56e72c68da358b2dbd60183f5517a030ace300ddd5
-
Filesize 28KB
MD5 24de30a546c91528560c78b225150dc2
SHA1 092810d0c8f232643f6ae4b51d8ddb9bba33d6ea
SHA256 26fd4f513369cd67b709261a486720456a39f3d9ca0cc6bead4a09ef289a45f2
SHA512 45dd708e037ac7ae3920de7f19c4fbceade14d8db01b12d9162ad6575d1936aba99547df1d8993e74a858127f5b11c728a060d298733f8c29ead2004fc8396a5
-
Filesize 28KB
MD5 72ac494795f47abd34673ecd18fa0ace
SHA1 df15bec0e290404fd77a2f8a34cbba8b9ecd3133
SHA256 e32a92004cbc245db0e372c19c6c7ddc299c62dc0b53d01b3201bd2a55dfdae4
SHA512 bb69a7bbefa205edac0820d0d71321e27682d2fc7b98c7c744a388d8d24dd7a8dccf9d8f3b85da38af6c2907d867b1fa4e41fb527629103b32840f21bed2c3c6
-
Filesize 27KB
MD5 5c4a4a7931c212f081f678e5f8776542
SHA1 c081778746abd461a58d9688e215212e05e20b86
SHA256 d70638350ecf4ce3b5c62d6f1fca06c4166e3d115bd70bf81d3f4f36769db9b5
SHA512 e3a37ef0780449456640ca1446f65149742731aa53ad960a7ce3ccaba35f01dec3bb7eeb9a65941e8a5ec97778d60b9089c6dcc56ab5da4e85456fcf52ff4620
-
Filesize 28KB
MD5 c231e9382b1e20e770485ce17368e808
SHA1 6f7ae9f23501b22838ef8d40a275515eb6b0b9b5
SHA256 cc9b47f59c1f042cbf778c335db244952ecf72b35e81a2a3f1d8de94491b956f
SHA512 7e694a51c90fa827b65752192179370a705e730898ef778f9f126e25793c4c16a8ef078d96caef9db2ca943e8da71cd375765f983889f12c5f7d73e90fdedc8d
-
Filesize 29KB
MD5 8e24339a170e96151a2da3458da6b089
SHA1 99e38b1c67c775f08ba01a2c38c853cb3e3168c4
SHA256 0d11e5f63ec6a408bb11add5d3b31b9b8a7fa01851552941dd6c29418ec3be48
SHA512 d94e3be30750ca667ebe9bf7f2064f652f27bc51efe0b1d39edc406738b38e90138e0982b6d1197623df2623fa4a204ec1fda3f13e0c243d70af1ee87be441a3
-
Filesize 30KB
MD5 8aea9222bf0ab5a39d72769bbd8a6c1c
SHA1 f8bf248a2d4fdb7420a4c660bab505fcf1765244
SHA256 a85f4b58fe92592e6e512d492aeeee6b10de342e65efc8f5845af7e862916765
SHA512 fa367b3a98dcec900f02cc38e7460f81503fe3e9563d3244adfbf34f0092ebf6a72f148708fe0cfe14761288f37cbaeb6a7446f160a684e5c3ad6246a330c474
-
Filesize 30KB
MD5 448cd37a199ac30950df9324f1944536
SHA1 3870c93433d9e1e1f7a3945268123c6d977c6027
SHA256 85f2ddcde5d1a7e7d7542477c03964dc18237b8467be5d27338d83c5ddd36e94
SHA512 af2b8f0e41eef8ae207536c0b8e4f698a794c967edd8e1878d89f9b2415a879be5c9e565702c95584ac68a4a9b61813a6a2f33fb3ca6033249ac33473e15ca41
-
Filesize 28KB
MD5 e91138124da0bf9c6f598ddb2762f3eb
SHA1 1d5ac1cd975cc3ddc33b8033487c496608ab49ee
SHA256 65590918fd669ae162abd644ae2fb8c6724b175cb3d1c6cbdda015dc33b21bca
SHA512 5dc589b6b519beae95b1adf97145ceeb06aa3b91ffbfbd1ee024d0d7d7d76e25fccc824043b1d80dac3b23aae31e4862cbebc7a744f8d41e93d412f782a7de10
-
Filesize 30KB
MD5 afa9377508d33e4f56ae509d7381d359
SHA1 181c212d4a4f8a8cbe7bcb244cd697c5102a1a2f
SHA256 5176ccc3185e015374d78c53cbc99bebeece0355dd7f90f9d3e9979ca3c57369
SHA512 e24ca0cc668babd600971d4eadb45b7dfb51aec28b56560e6ec1709d972f748a0fc74ed9c71d19fc67ba9a7f22535738f01830151784ebae1d2b7a70b436a4b3
-
Filesize 28KB
MD5 08e4880a254fcb513b9897af2a3360f0
SHA1 63b0f085bf3c3b371aa16064e4fec5c2a77dca64
SHA256 3613e470dbfd6d41d279972d870c1accf03ef6878fb1ff801a588aa9f3e0a0fc
SHA512 c74f3a41c75730ea6b03f7d2d288bbcd2611f4b6a291005d873f02fb68e1648ccb73a2f6f4686978ea77467cb57dcdaae6a49539606117b5e8356fc948912995
-
Filesize 28KB
MD5 5c20ab205d5780c31eb0c6000b2e9a61
SHA1 e01d6572c3e20190de0af0b302286520394bca74
SHA256 f1084da872e13472a8c768c83aefeca6cbdc86fad89a3a99e46376c6bbaa42cc
SHA512 b0e8485bebaf3dca68e057e114ff6112945d9df251ec634ad9bc2fe760036e4edd7da4c746f3001be2341b90f51494de989f2a085af9946c2f9c8172d8448418
-
Filesize 28KB
MD5 04fbcea72025fbb5aac33009a0a28f97
SHA1 0eddeed3aeb0841abee1f2ae4f7c70910c2da8cf
SHA256 344f8972fca048ae34b4bf9fdfbf09dee5314615d7d29e908d553a1f33daedd6
SHA512 6954f804dfb6a419570ece2b9994a32f1011c3c964921db48897732b59c06e4132afd514be8a2a62ce3a4228b637d16827947f50fd2d26e0f0a1316f9a650f8d
-
Filesize 29KB
MD5 cdf4b247095e9fe19c52d7df2be49081
SHA1 b9e3a1a5c91d4faaaa9bc5adb39cd1ed47782f6c
SHA256 140a0956433c5f8330eaa2840ff1931c990be2b5c1ce9c14a42ccd9a44b87f7a
SHA512 2a9b6605aeabf21f92dea57c6cf6a5373796a3b912c0acc49c7c3325fd9c8ebae4547020f243ff0ae7732fbc2de1181a9488a2d4d31fe72edb3a5c354187df25
-
Filesize 29KB
MD5 321698ce486b3bab5cdd4cc744e901bf
SHA1 f838fecebe102f3f4269d98e9f1dc88b46828bc6
SHA256 c4fc0ccac77b19914e9584f1a8c16e44f3644a142a8feb65ee7b6c57527eb208
SHA512 7f7acb0e7b20e400c7ac82fc5d752720bf24442fb66b8c32a60da16013898b817b155913b26315a3519df601a9fd89baef21be907ab508aff6881679eee18cbb
-
Filesize 27KB
MD5 4b4a28a9262f91fbfc1cda32d26d3578
SHA1 56d616fc67b51f20ae32b93a6581df1ecbb6f93e
SHA256 68935af95c3cf3073e52725e447474a0710e00f399346ef3132ca8e7efb9bc8f
SHA512 d27b13197e714f9e8a5a1345c2775a05be38633b2d74f74a64adda552db23282aa902ecf82e69095ebffb129c5b784f55fbd399861b8a1898ff6acc8ca81a0ae
-
Filesize 28KB
MD5 677cfb20cca21f570716cb52f650ffa6
SHA1 f226488ce80e855a460f5cd4df5d27e971f33445
SHA256 5af739b3ef19d1eb8b39934ec92ae29da4f7ba1c9eb604a664da6c1c4ac6e062
SHA512 bea112919998e69956ed49c59bb838a8128f2569e8c9fb39bc64e3ca138fa513ae427922cbe411e10fa62d121202c9478c2b7fa8a0dba6ac489bc65f858059f2
-
Filesize 30KB
MD5 24d8ccf90614593557e905683c199844
SHA1 db275660f0cbbbe66640ffd42eca0dfeb557fe75
SHA256 c3f727d5b0a7f4955b8793ac4e97502c0b13fd6ecd9aa1578a80428303c2d487
SHA512 6cb2f56fc06702aa5e74fc992a0411f16e39c0a7f0f34a3db80cde7afe04a34eed8a0e35cadc6a52455e927ac460f74fc8c4307da567197f962c02b0082fe71c
-
Filesize 25KB
MD5 1e47e738b1b19282e0c1131b55e43dd8
SHA1 898c4360422d3d4f5826e66dc1a55a6cc65f56bd
SHA256 319837ea306ce59d99ba5650a9a6e2b690e809d8a7d9747e5866889a585978c4
SHA512 695e064fcef5f4d05f8dcca87c907102d014354703cda8ed4ab3da05268e8d322cb790aae76aae12aa2c17c29b5f6a23e1d75e4b9540520b047afd502cabea6f
-
Filesize 24KB
MD5 6a16ae7cbfe779f663c3ccecb00f11e4
SHA1 e1474f73c364eb832e21b5b8b70f797d1926dd93
SHA256 69ea2afaa1252387c7673532263afdabbce35145f1debe971f5c48c034662120
SHA512 5afea5db4cde7acdf8833fa73efd7210de8e2974462a35535bb0bca7f8e16baa94f1ced2944b7ecaf5d1593460e78b4b61a0052af963682f2f7f323c52d4762b
-
Filesize 29KB
MD5 f76fc90c2fce502c396f770017b16659
SHA1 10921f69d33e9dd0c58b734f43e4cec4c18acbc2
SHA256 40c4ee205bba51d34b3fee18b3b3b7826019f4aa18d70c9ada2b7458667ea73b
SHA512 b5a0f9caf994455f2dc9c1957db5ef4c396a4badec4e13471c7e6e8038fabf53d3a6277f069a2f884b31821eca1d2e9b657bb43b605057e7d3f5b6d143a74c6f
-
Filesize 28KB
MD5 073ab02d719657020b368ea5eac5c6e9
SHA1 da45436e2923819de195418e6eda79d0553fb869
SHA256 40eafe1a20872fdb64d109fa176b07d601b1dd57bed80e1764c18d85d1f5bfbe
SHA512 3375cd543d10c60a28d4a02a5c6bca2afbfe27a62b4ae4f204e4b9d64dd71651d3152be9c41034797ef56b572f1d6e202da3e84fe68f7ef1175e056bbe24b0b5
-
Filesize 27KB
MD5 9f920605e2977df35df07403f817bce7
SHA1 b58fb4d93158f53c676c011a0e0a4bd49c42ea47
SHA256 dbdfc1f34e21a0ff43be93a731dde2bdf73df86a32bd3b89a3d16584a6a7b87f
SHA512 40292a014db31af5b0093dbc9297ea87acbd856d92a58bcffcc4c78f30294e7458bfdd178696974d32334b763d22680b59a08640e39b0a54767cfae142279b75
-
Filesize 29KB
MD5 753a8b65205ecba2d23232c07915d71f
SHA1 e17ebe2bfdc3136cf94b515e0e9b42d651fe7cd9
SHA256 dcc541b2fb8a5e4f7c8ed9045aed3d45899bccbf114a72ce4c00b1bdd7e39026
SHA512 b9f4c413417305a66a397a35509324b19a857356b76ff1faa95b9da6442bed4da031466748e824e8a03ff72a7f2b95377ad60b10c71a5ad80b1dd4cd00d6f51f
-
Filesize 23KB
MD5 3921501f4089f11e83af685aeae511c8
SHA1 53fa362b649f54439be857bdd4d62ac17bb4d63d
SHA256 ed5eca28d76e2380540c0feb08ae9f21c16899dcc53587ba991a4fe49fd5782e
SHA512 f65585a06cb40da68148b4315bdcaf53428f48b267a02b78e36cecbe246ea42e79acd9e1a9637650b483432e4c710035de11162dd6fcf4453dc012305b7da36d
-
Filesize 28KB
MD5 930cbe71cc2211ab903bc2e0a8b177a9
SHA1 8bc70a7ff55bd04876f320172b5cde10a32b4ddb
SHA256 4a35bdf521e406c1fcaefd9dc3e106dd7080ad86bed7633cc25ad0b268140701
SHA512 808d9866a9e8dd7f05717efa71e93871217604cfe779c8ab81d9b63071228566a43f1cdf0a0134bdf6a394832070092c37846cd5353fb79a8b7d0d349e0ac7b1
-
Filesize 30KB
MD5 42db54d49d717acf2c7a28b4d1a45c9f
SHA1 9a5680e47de0c68cea9e653f2f32c815a0cd80c5
SHA256 b44c2d7826ea819c8d479b3c204f6351d80f72cf607d505308cfd73d185e9e47
SHA512 e3147c6bbb94b587ffa7ca75d6f46f942345d2f692cd82940665ee60b8d647a01728fd3b7c21c6602bce52d687f0e5171100669830d01218a8e9fdf2094a36af
-
Filesize 27KB
MD5 44880b87efd7c3bfcf5f4e280525709a
SHA1 9ff2bb529ef22564b97933cc8ccbc3570fac4109
SHA256 e12b1a5f9e9d2684de85a56e64e5a8ea235b1797328e7ba240686f63653b6254
SHA512 b8b061b2f91853b9cb4eaf7d6ba263b6795490b625aaea7499c458360f144c19c852c3a1b642c7e7c8867e7b51b829035569dfc5f25b9c2e5bfad4c165cdf5a1
-
Filesize 27KB
MD5 1a5a02e2e94f4b894f5e47b46051d5b8
SHA1 ac7a2c2db37619a3dc90b372dfe9e772936dbb99
SHA256 555819595c52fa9bb7af9b1d21fc9f97c3eedbe49260bf3ff22b395f00e287de
SHA512 f8303dfde8a1e39fd8ebd9f84424d97b828aef313c7c9396c73666c02d12233c7637a14e23ca12fea013ec78db87df6cd1e9f8368455380234bef40899fd1814
-
Filesize 28KB
MD5 87fd0217498f329912b889ebcba889ca
SHA1 c9e5c6a4009867603c0122bbdee92846190561a4
SHA256 e8754807a21c46ca24bb804291e95bac57fa924f32c7476965433d8b80de91eb
SHA512 46b9310f2b29830083262c8b9944db6d4f8fbac03d0e63f16df57f4ab6999d07820117fc1f2d22aa67ab91482ab1f17f022cfa67376968e91121ca53742b415d
-
Filesize 14KB
MD5 360954c763729c14638237a3f9cb72c7
SHA1 877302dd5522109bee21ef67b84be11fa217f471
SHA256 89e41e6e60c9ff9cace015fd753dfa963d336548a84f93deb4277a9a02ecd8dd
SHA512 e3c09ccd8760766d3b8ef1190b55586634dfff43d13098a85c8420ab763ef903863320fe81ebd875b0b194434957b390e2f5e49472ed0032d2465c90a14c6d44
-
Filesize 2KB
MD5 c3b0068710994bcfdcd1b27fbbd0e895
SHA1 4abb868d15a7aa80b89ae553a7badd3fe146d619
SHA256 7ffb06942bb3dc50ebe78cda0998491c99615c0afd68d7313a2250f5c0e3586d
SHA512 4f32b9fa3e105ba6337d53251f6c60abe4cd49708bfea4d667723a1c11c37c7c530fdb45ac25368e0b0d9f64daf3c78866637c405b8ecbc84040404dd2e59a4d
-
Filesize 1KB
MD5 9625d12c242b3d43ca2ad0fcb08eace3
SHA1 7a2a9d1ea332834743b4ba5c3e6ce3d86772cc0b
SHA256 edf2812b1391b5f6f068224ab2068ac9ccac3329804b82263f09367cc1e0661a
SHA512 030bc6c83c1fac3ed26c53904ef4b9591de228ef78fa41b25fab7fb1c19c66e0cc492aea1d047fad97199d27028864f108b3a1f64a07f9c94c791b3627f1b55d
-
Filesize 113KB
MD5 4fdd16752561cf585fed1506914d73e0
SHA1 f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256 aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA512 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600
-
Filesize 1.5MB
MD5 da34ffb9048638664dea4c1f9179c07d
SHA1 3a854948eccbdb7d7b6d2829cf5ca72793afa89c
SHA256 e00bd8875c84b17544f30c66ef2d55fdc847d34d888c7327078ade1a67b6441f
SHA512 ec4c448dd49fba17accbab2e50b1fda1e1452e5760dea47a4041aea6940edd4a92a8bddaef847a2698da2f147bea0e8cdd6f3b6a3455af7620f6bd63a30c3077
-
Filesize 1.5MB
MD5 da34ffb9048638664dea4c1f9179c07d
SHA1 3a854948eccbdb7d7b6d2829cf5ca72793afa89c
SHA256 e00bd8875c84b17544f30c66ef2d55fdc847d34d888c7327078ade1a67b6441f
SHA512 ec4c448dd49fba17accbab2e50b1fda1e1452e5760dea47a4041aea6940edd4a92a8bddaef847a2698da2f147bea0e8cdd6f3b6a3455af7620f6bd63a30c3077
-
Filesize 1B
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize 25.0MB
MD5 dbbca778d0624b44df1b281cc8d06a1e
SHA1 f4c3b02268f95c3cdee9416fe022654e0a64a7e6
SHA256 c14057823bfc7a7c50ac7492285b4c8ccd11a5e9a33fbd8fe732248d08a6effb
SHA512 21061884a58b52d16eb42b8466b37a0ddf68763ce461d9041e9bc03c4b3ada6aeef4d594a56b0bae9c4e1d338814c6602c11605f7f9f7e1b08027104d80422d0
-
\??\Volume{fbdce6f0-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a501a167-1120-492b-8a93-68cbdbbf98aa}_OnDiskSnapshotProp
Filesize 5KB
MD5 264d211838cd4a8c265b4837317f34fe
SHA1 ac02dbc3f7420f6dad4053343849869e46599ead
SHA256 bb691d01011fa400d4ff2353242a6d2d2a3809eda826b508956a8634b24e68aa
SHA512 842add8fd79bfe73ae8305b491bad1ab488470ed98b6d75e0e71b4bb7599ca6d6067630de6f9419a7ef71b9fb0306d0304d5f811de1a6b4503534c850378e1f1
-
Filesize 2.1MB
MD5 a1feca03b08e3d05abbfade260fc7291
SHA1 c5d8d736f416ac0e3b6bdd858153c88d4a27023c
SHA256 82f972e81d4a73ba84bd958cc79acea3b3610401c8773fddc955ea5f5a4cbd6e
SHA512 0f2b82d19f8dd95d05ff4f90f059aa8b2782c22147bca69789cae8cbe363a5c8b6e2e78b93253567f29ec6ab874ea1650af36228e52556b3627a7a43f37f68a1
-
Filesize 113KB
MD5 4fdd16752561cf585fed1506914d73e0
SHA1 f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256 aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA512 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600