7a26338e608350aa09971b5f75b2806e5fa929b21813b65baa6e779cabde7ae3

Analysis

max time kernel
149s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
03/02/2024, 03:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Continue to Kiwi X Download.msi
Size

4.9MB
MD5

c13560c3b217cd406946a26ac77ed3c3
SHA1

3e8a4ccb8cdfbd2bbafa222b50615ece16d96a41
SHA256

7a26338e608350aa09971b5f75b2806e5fa929b21813b65baa6e779cabde7ae3
SHA512

74e65b38262e61caf96f974d76c341c87ddd1a262e730f9665b1dd597df4e3fd6ab042118371cbfbdd87200dd40d4594f22b7793e358f4ea15b2a389625b98ab
SSDEEP

98304:QmD+2lehL+Wai810H2ytbkKiH/q7t3E8:tlqLCi2yepH/oy

Score

10^/10

persistence

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
162.250.124.82
Port:
21
Username:
IWSerivceVersions
Password:
#eg29s76V.ahjsi)(H@H!o214

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	928	msiexec.exe
4	928	msiexec.exe
5	5036	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Modifies Installed Components in the registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFF3425F-CB44-49FD-813F-4E96EB12110E}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFF3425F-CB44-49FD-813F-4E96EB12110E}\ = "SMApps"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFF3425F-CB44-49FD-813F-4E96EB12110E}\StubPath = "msiexec /fou {BFF3425F-CB44-49FD-813F-4E96EB12110E} /qb"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFF3425F-CB44-49FD-813F-4E96EB12110E}\Version = "1,0,0"	msiexec.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Kavaca\SmashApp\HtmlAgilityPack.pdb	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\HtmlAgilityPack.xml	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightOperator.exe	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\Microsoft.Web.WebView2.Core.xml	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\Microsoft.Web.WebView2.Wpf.dll	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\Microsoft.Web.WebView2.Wpf.xml	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\Newtonsoft.Json.xml	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\Updater.exe.config	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\runtimes\win-x86\native\WebView2Loader.dll	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\InstallUtil.InstallLog	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\Microsoft.Web.WebView2.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\Microsoft.Web.WebView2.WinForms.dll	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\Microsoft.Web.WebView2.WinForms.xml	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\Updater.exe	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\runtimes\win-arm64\native\WebView2Loader.dll	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightOperator.exe.config	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightOperator.pdb	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightService.exe	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightService.exe.config	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightService.pdb	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\HtmlAgilityPack.dll	msiexec.exe
File created	C:\Program Files (x86)\Kavaca\SmashApp\runtimes\win-x64\native\WebView2Loader.dll	msiexec.exe

Drops file in Windows directory 26 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DF0BCE462A322AE105.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{BFF3425F-CB44-49FD-813F-4E96EB12110E}	msiexec.exe
File created	C:\Windows\Installer\e57950c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9D2713661F7BAC76.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9714.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9734.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI982F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI992E.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFE8B386A6DDF3758F.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e57950c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9589.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI96D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI96E3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI991D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI990D.tmp	msiexec.exe
File created	C:\Windows\Installer\e579510.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI98DD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI99AC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA065.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9703.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9840.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F2B.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF1AEF643210A1E643.TMP	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
1032	IdealWeightService.exe
3896	MSI9F2B.tmp
1560	IdealWeightOperator.exe

Loads dropped DLL 18 IoCs

pid	Process
5036	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
5036	MsiExec.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000005c94be275aca18b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000005c94be20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090005c94be2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d05c94be2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005c94be200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	IdealWeightService.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1155165157-2721788668-771323609-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F5243FFB44BCDF9418F3E469BE2111E0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DA8D864DBEB669C40843F17612002A92\F5243FFB44BCDF9418F3E469BE2111E0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\ProductName = "SmashApp"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\SourceList\PackageName = "Continue to Kiwi X Download.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F5243FFB44BCDF9418F3E469BE2111E0\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\PackageCode = "0262CF8CC7FF23B41A4E611C7B37161F"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F5243FFB44BCDF9418F3E469BE2111E0\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DA8D864DBEB669C40843F17612002A92	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5036	MsiExec.exe
5036	MsiExec.exe
860	msiexec.exe
860	msiexec.exe
4800	msedge.exe
4800	msedge.exe
3620	msedge.exe
3620	msedge.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe
2520	msedge.exe
2520	msedge.exe
5184	msedgewebview2.exe
5184	msedgewebview2.exe
5196	msedgewebview2.exe
5196	msedgewebview2.exe
5796	identity_helper.exe
5796	identity_helper.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
228	msedgewebview2.exe
228	msedgewebview2.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
2192	msedgewebview2.exe
2192	msedgewebview2.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe
1032	IdealWeightService.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
4620	msedgewebview2.exe
4212	msedgewebview2.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	928	msiexec.exe
Token: SeIncreaseQuotaPrivilege	928	msiexec.exe
Token: SeSecurityPrivilege	860	msiexec.exe
Token: SeCreateTokenPrivilege	928	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	928	msiexec.exe
Token: SeLockMemoryPrivilege	928	msiexec.exe
Token: SeIncreaseQuotaPrivilege	928	msiexec.exe
Token: SeMachineAccountPrivilege	928	msiexec.exe
Token: SeTcbPrivilege	928	msiexec.exe
Token: SeSecurityPrivilege	928	msiexec.exe
Token: SeTakeOwnershipPrivilege	928	msiexec.exe
Token: SeLoadDriverPrivilege	928	msiexec.exe
Token: SeSystemProfilePrivilege	928	msiexec.exe
Token: SeSystemtimePrivilege	928	msiexec.exe
Token: SeProfSingleProcessPrivilege	928	msiexec.exe
Token: SeIncBasePriorityPrivilege	928	msiexec.exe
Token: SeCreatePagefilePrivilege	928	msiexec.exe
Token: SeCreatePermanentPrivilege	928	msiexec.exe
Token: SeBackupPrivilege	928	msiexec.exe
Token: SeRestorePrivilege	928	msiexec.exe
Token: SeShutdownPrivilege	928	msiexec.exe
Token: SeDebugPrivilege	928	msiexec.exe
Token: SeAuditPrivilege	928	msiexec.exe
Token: SeSystemEnvironmentPrivilege	928	msiexec.exe
Token: SeChangeNotifyPrivilege	928	msiexec.exe
Token: SeRemoteShutdownPrivilege	928	msiexec.exe
Token: SeUndockPrivilege	928	msiexec.exe
Token: SeSyncAgentPrivilege	928	msiexec.exe
Token: SeEnableDelegationPrivilege	928	msiexec.exe
Token: SeManageVolumePrivilege	928	msiexec.exe
Token: SeImpersonatePrivilege	928	msiexec.exe
Token: SeCreateGlobalPrivilege	928	msiexec.exe
Token: SeBackupPrivilege	2848	vssvc.exe
Token: SeRestorePrivilege	2848	vssvc.exe
Token: SeAuditPrivilege	2848	vssvc.exe
Token: SeBackupPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
928	msiexec.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
4212	msedgewebview2.exe
4620	msedgewebview2.exe
928	msiexec.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4304	MiniSearchHost.exe
3620	msedge.exe
3620	msedge.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
4620	msedgewebview2.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
1560	IdealWeightOperator.exe
4620	msedgewebview2.exe
4620	msedgewebview2.exe
4212	msedgewebview2.exe
1560	IdealWeightOperator.exe
928	msiexec.exe
928	msiexec.exe
928	msiexec.exe
928	msiexec.exe
928	msiexec.exe
928	msiexec.exe
928	msiexec.exe
928	msiexec.exe
928	msiexec.exe
928	msiexec.exe
928	msiexec.exe
928	msiexec.exe
928	msiexec.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe
3620	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 5044	860	msiexec.exe	84
PID 860 wrote to memory of 5044	860	msiexec.exe	84
PID 860 wrote to memory of 5036	860	msiexec.exe	86
PID 860 wrote to memory of 5036	860	msiexec.exe	86
PID 860 wrote to memory of 5036	860	msiexec.exe	86
PID 860 wrote to memory of 3896	860	msiexec.exe	89
PID 860 wrote to memory of 3896	860	msiexec.exe	89
PID 860 wrote to memory of 3896	860	msiexec.exe	89
PID 3896 wrote to memory of 3620	3896	MSI9F2B.tmp	90
PID 3896 wrote to memory of 3620	3896	MSI9F2B.tmp	90
PID 3620 wrote to memory of 2804	3620	msedge.exe	91
PID 3620 wrote to memory of 2804	3620	msedge.exe	91
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 2348	3620	msedge.exe	95
PID 3620 wrote to memory of 4800	3620	msedge.exe	92
PID 3620 wrote to memory of 4800	3620	msedge.exe	92
PID 3620 wrote to memory of 4492	3620	msedge.exe	93
PID 3620 wrote to memory of 4492	3620	msedge.exe	93
PID 3620 wrote to memory of 4492	3620	msedge.exe	93
PID 3620 wrote to memory of 4492	3620	msedge.exe	93
PID 3620 wrote to memory of 4492	3620	msedge.exe	93
PID 3620 wrote to memory of 4492	3620	msedge.exe	93
PID 3620 wrote to memory of 4492	3620	msedge.exe	93
PID 3620 wrote to memory of 4492	3620	msedge.exe	93
PID 3620 wrote to memory of 4492	3620	msedge.exe	93
PID 3620 wrote to memory of 4492	3620	msedge.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Continue to Kiwi X Download.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:928

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Modifies Installed Components in the registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5044
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0F1AF9F445258991CFA6A3A26C35E65E
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:5036
- C:\Windows\Installer\MSI9F2B.tmp
  "C:\Windows\Installer\MSI9F2B.tmp" https://typagesee.io/ty
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://typagesee.io/ty
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3e633cb8,0x7ffc3e633cc8,0x7ffc3e633cd8
      4⤵
      PID:2804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,13838795902694664884,12111432858814754879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,13838795902694664884,12111432858814754879,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
      4⤵
      PID:4492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,13838795902694664884,12111432858814754879,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
      4⤵
      PID:2348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13838795902694664884,12111432858814754879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
      4⤵
      PID:1616
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13838795902694664884,12111432858814754879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
      4⤵
      PID:2840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13838795902694664884,12111432858814754879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
      4⤵
      PID:4804
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1948,13838795902694664884,12111432858814754879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,13838795902694664884,12111432858814754879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13838795902694664884,12111432858814754879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
      4⤵
      PID:1632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13838795902694664884,12111432858814754879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
      4⤵
      PID:5760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13838795902694664884,12111432858814754879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
      4⤵
      PID:5732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13838795902694664884,12111432858814754879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
      4⤵
      PID:3720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,13838795902694664884,12111432858814754879,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4804 /prefetch:2
      4⤵
      PID:5736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2848

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4304

C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightService.exe
"C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightService.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1032
- C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightOperator.exe
  "C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightOperator.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1560
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=1560.1028.1966550569743220984
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4212
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,18311086195308780222,8076331620038256607,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2180 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5184
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1880,18311086195308780222,8076331620038256607,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
      4⤵
      PID:1012
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,18311086195308780222,8076331620038256607,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2608 /prefetch:8
      4⤵
      PID:5360
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1880,18311086195308780222,8076331620038256607,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
      4⤵
      PID:5912
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,18311086195308780222,8076331620038256607,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2096 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2192
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1880,18311086195308780222,8076331620038256607,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2848 /prefetch:8
      4⤵
      PID:748
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1880,18311086195308780222,8076331620038256607,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2944 /prefetch:8
      4⤵
      PID:5556
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1880,18311086195308780222,8076331620038256607,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5052 /prefetch:2
      4⤵
      PID:3656
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=0 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --mojo-named-platform-channel-pipe=1560.1028.4908097348749493614
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4620
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1884,18129588214670715130,13751538571621586702,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
      4⤵
      PID:5144
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,18129588214670715130,13751538571621586702,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2304 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5196
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,18129588214670715130,13751538571621586702,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=2648 /prefetch:8
      4⤵
      PID:5376
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1884,18129588214670715130,13751538571621586702,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
      4⤵
      PID:5896
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,18129588214670715130,13751538571621586702,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=4404 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:228
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1884,18129588214670715130,13751538571621586702,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=4700 /prefetch:8
      4⤵
      PID:3976
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1884,18129588214670715130,13751538571621586702,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --mojo-platform-channel-handle=5056 /prefetch:8
      4⤵
      PID:2564
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1884,18129588214670715130,13751538571621586702,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView" --webview-exe-name=IdealWeightOperator.exe --webview-exe-version=2.1.20.10 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4552 /prefetch:2
      4⤵
      PID:6104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4212
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b4,0x7ffc3e633cb8,0x7ffc3e633cc8,0x7ffc3e633cd8
  2⤵
  PID:4176

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1a8,0x7ffc3e633cb8,0x7ffc3e633cc8,0x7ffc3e633cd8
1⤵
PID:1808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57950f.rbs

Filesize
14KB

MD5
1a1b7f646c95422dd06388811c88e411

SHA1
38e0844e578d65a86befd3533771f455bfe1cba9

SHA256
f63ec1fd36ad3697f49caf416e56aad57637b11a08215a6d1950725ee5a39b01

SHA512
eb65fa7b3c2f275fc59317533478aebd8870072ab033bc3f1422e9aac1af053da0531af2573bf371e78588532bfdd8e534f389bb527ea35c2d0798bde3f1f846

Download Submit
C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightOperator.exe

Filesize
157KB

MD5
2f3c856bb260d9d71ea5dd9be8bb416d

SHA1
6aacf202af80aef596cef2f761088fd0101b1605

SHA256
836b3035a5bc1c420d042d9342fe51527727cafcb9c50b3b04806119b827b514

SHA512
43389ff670597b94507a9df1ed9e5a2f5656d8d9f7335a8642f796fcaca0d866a982f74563e4792c15aa3050970f0ee181330a5819ed7e1ff52a5562bb5bb979

Download Submit
C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightOperator.exe.config

Filesize
1KB

MD5
a59d33e4751c9f03c5ef25ea66a75298

SHA1
8cde969880845c0c6ff027b8d801f2a32f423667

SHA256
14e43b775215c3211a43bc8addb208dad7b8ddf6f09d91e3ed659a5cdc85ab42

SHA512
141d0a9fe618298d4b4d4cbbdfac7c5bf3bcc5ea84a3d4badada114d33a18eced856e05ce496587d0672d475af927162e2c17ff731ffe24b7cf0096e425011bd

Download Submit
C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightService.exe

Filesize
140KB

MD5
b0dcdffa78ab07d5eb99a75676acd9e0

SHA1
1412dd8097712e6a60ed2ef1ac219e79b627b7a1

SHA256
d0b98ebd7105b7f752fd9a7594a969a4097ac680a3eedab05b1bf50a7a2f151a

SHA512
2c1ed594e75d3800f83b96fe8fa19d049993926612e71e2095778426b859d317ca94776f820d047fae72d5360ed742c51768c8782cade209c62e0833d1ab2df0

Download Submit
C:\Program Files (x86)\Kavaca\SmashApp\IdealWeightService.exe.config

Filesize
189B

MD5
9dbad5517b46f41dbb0d8780b20ab87e

SHA1
ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

SHA256
47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

SHA512
43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

Download Submit
C:\Program Files (x86)\Kavaca\SmashApp\Microsoft.Web.WebView2.Core.dll

Filesize
523KB

MD5
9f9feedb05b87e1be1c7ab710655d0e8

SHA1
2886a398d065e13f667b974180589baff890d2b3

SHA256
5e172b4f558723b7dbb7f568f301077c84d6571436fbe5a5f45bfa621c020403

SHA512
397be2264710120f1f6c419fc7e6a95915eabd0b0586461fadf7335d3b3e0bc35ebca96acf5cb4002a46f6aef90c0238564519c47c7c62c995b1d7469158b287

Download Submit
C:\Program Files (x86)\Kavaca\SmashApp\Microsoft.Web.WebView2.WinForms.dll

Filesize
39KB

MD5
d15bfc4c7cccc1e99466a1866ffc473d

SHA1
a4a6ce5968d346ca1da16bf9195eef8cdb07f570

SHA256
bef507a4ce7b6a848993bc504af7e2273cec22e77469787cb1d47d3f362164ed

SHA512
28461110891a9ba7af40df3de46d0937a52bdfcc4dbd88448672d7d34e2a4b4f68a5ba464051a5523ad172862d62caa8bccc2e780615722ce37ef1982a028f3b

Download Submit
C:\Program Files (x86)\Kavaca\SmashApp\runtimes\win-x86\native\WebView2Loader.dll

Filesize
114KB

MD5
9a9df483ed55bd568cccdd7485804931

SHA1
1c0d0363af131aab8cd81108c16354947007856f

SHA256
ad5cfe82f102739d4cc15c3eb38a411525762520c9c4229c902f67dbab23c5fb

SHA512
0c989ea9e3c3ccfb7f8990098b1f5b0c7bfa311f83438aeb5047fdf3abcda872905927ddbd17245a9de2e73defd69dfee5271be2db254154c2f8e5478096de8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_D2FED7667885036CFA51478CED551D86

Filesize
1KB

MD5
5d4a7d4e13b82c632c6449c6f46f60cb

SHA1
3506617212247834b30317ebd9daf0fde77fdc4b

SHA256
b8cac568bc2fb0d2995969496ea83946d27d6deae99458439f6c3b0cddf64a97

SHA512
f9220af7726b9073e60baba23935e3aec0c6f17345368d9b0316c40f4283413336904ed655932312097865575f6000164b89bbf649b5ed0b7a2d8ca8597367fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
a571a57b15f81fe35c3e335ef4c16a9c

SHA1
792dae7eed4289e1cc76fcecb2948232158496ec

SHA256
afdfe4b542f816bb2752b803f48ab1f5958da7599fc4b1accbc05e10dab5ad67

SHA512
d80a2ab6444c52c850e3372f9c13a0b640c3d7e27a21882dbbe307125d81267e48601966fa2a738b1a3f80347e0c452f6d99767f7655204387bb0770e217f95a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
36f94235bdc8a52782b12f115a20f5ee

SHA1
5efec88bc075c7216ab0e874717ee389ddf61d88

SHA256
ef90d4e7f2d7e2cf780978c4aaa780648474238719fe9384e612906c7db8bf0d

SHA512
1d1925b2a5f91898488da1704f7e1e1bc759392d647f82f87b8157aa7a1655a547117ecbdc138e07b8582f7bafef5714c273899473d4e081241532f3a5aa838b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_D2FED7667885036CFA51478CED551D86

Filesize
540B

MD5
0726095cc0f2ea1a1c86e05f3025fe7c

SHA1
a77abc5f8e6bf7217592443efebad94f908f7b98

SHA256
65581521586358e3e1002d4c0a91309903effb1dc96632ea8ab91a3a6407e25d

SHA512
c55d0bfd77591a54c976a9ee822ec4e77cd3f7ebd02d25215ba2afa0142e9a15df4dd5d3245b23df6f1a0991b741298dbe6f1423c98472d9375bb4c607e063ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
68c0965a47cca575d8c536a847624bb1

SHA1
7caa597e88cb2bb4c8bd390cf07e91a6ec64c281

SHA256
d97a2ad5671aa16004953713dd664f0d55df1008275179328740ad397a1d1576

SHA512
954ba33ac2a9f209235f3af260d6e76b9450458850714db86ab44f9a8b2b06be6adb2fab89deef025d8eac28d69ae3504715489b887838ea8abfa58ab485ac4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
0fa75af8d8d6daa488a2bf849d45d0ae

SHA1
19f4b92c14bda99f2e8238806d7a7d18d7f9a6d7

SHA256
514ea066bc2ef1212b4dddd3856db530bbf246a471c8e48ae53c58b51a1164a5

SHA512
4b5be1b47f8e2db71190015f02684425ec88626fc0d8643400b36559d37aeeba35fe6d9663d7625913be014d9bd524182b63175ada68c7968276e98f4eb26b85

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\65b2e2115bc9fc7472607c90\1.0.0\tracking.ini

Filesize
84B

MD5
0e810b4f7ed302d474634fd2be6248a8

SHA1
7e2bf3d081baf345bb533cc317162b97520564da

SHA256
799656e586f404dc635a8c6f5acb5b03a4bd60fac4352db48791370b9f995f02

SHA512
1cce73e57189df8f019f26043012d64fcc83ceba15901127139695ca01c452729faa7abb15eb7cd9bdb4c2051682499f93510c55fd65680fbaaa47d5f5939494

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\65b2e2115bc9fc7472607c90\1.0.0\{7ABE1747-983D-4E54-B2E8-6DB3FAD2BB54}.session

Filesize
5KB

MD5
bd122f555cdcf1afe1184fcd806c365d

SHA1
0647cd6cbd7438bfbe4879d4f28ef457c4fabfe4

SHA256
154f74b09cfaec054f7bf782c6d543e360d3e86eeb3d18342c9fdbdc3a554053

SHA512
bd2fefddb074f41829b368a14667c9e1e85cae0e2b89ef55c2bf299f18b75710794edf23af78d75f824611e65fd511a1ecb8618c176d4a9714f58119bb37beaa

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
a7a0dad7e4615ae7b04ed44b37d504d1

SHA1
8ef3a80873994c4bfe152405798bb46e6e318393

SHA256
c3e19ca67443317fe6f9aed1f6a80f3a9064a2ce91c4f9e0c5ba98df04c776c2

SHA512
e6928f1be1543fc530b100e705285c2cd67f186db85f5ccada86438b8365dc51e327d162ed156987c196318fb53ec554068faa99c7841ee83b1d7a5588ba42f5

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
d8956177c44886df2be8317368d61e17

SHA1
97d488c71abf7528b94b95bc7340acfca27e381e

SHA256
2684ff17786cf438983bac20d923316555e43a65903e4caa31c5a875eb288feb

SHA512
887d893b2b4505723642133cb984e519287c26f17aea6362fff69b08c3d1310bff9b52f8cb077f8d3d172586aecf19004ec79fa4a73deb7cffe370bf41f5787d

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
1b4f954d24b722bc847f5844b9382e66

SHA1
1d70e42b5586036a68550997279060ba5a623627

SHA256
7d0c847b6fd58bfe88ce7b57532456199793448a602a0f62f11c201a2c909e4a

SHA512
4234a7733bfeec5b46e64448b3a1b6f645a9ccbd3867906f31b508bde0b46a15b6a07156ebb3dbab700fd7ee1548c0a1e744b4aae457ebadc0cd164029576027

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Default\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Default\Network Persistent State

Filesize
299B

MD5
89bb6eacd840831dc47b9c17bca816e7

SHA1
48021acb5622d9b9886c5b2d59932853141893fd

SHA256
5ff0954c8ab91b305e4f2bcce185525582a7953487bbc9f8b7dc13d9ec3e39b0

SHA512
2d7f1ad1e751e659a178637861d16815d4517ed8b398bcc7ae42b1339d89325722d79fb38d08e0c3e6567a58001dc08758e9389d48fe19e2f4769a4e2cfafbf2

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Default\Preferences

Filesize
3KB

MD5
db1459cb2d84ecbece05ca481e00d2dc

SHA1
10e30d7cb7bceed5159cc84e9f88a653abba27f5

SHA256
561a653647913772c6b3e892b3c9e8392bdc01bb1a8dfcbac2fd609c764fe661

SHA512
a1d5f9dfd0f591305a1dd109b32537c7ef6406570a2add4bcbf665b2d35847bbec74e47961897acc44cedee82fcbfdc6ee456292ce707a3e526d40fe545f9efe

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Default\Preferences~RFe58c80e.TMP

Filesize
3KB

MD5
bd156e6e84ef0bbef26a1c1e38ea48f5

SHA1
9ec7073079a125e7ca18b30adb80c6aa6f48920a

SHA256
31393f74e1d0251617d551f50ff936c78ebbd2c0d8d74a2e9830192cc626721e

SHA512
dd54677b8530dbc8c344eaea119318535f4a0ec62d3a8fa86295216d9bdbe83f100d22329b83202ccfdbb3d3724b5eee813cf568698743da76c07c69e4eef409

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Default\Site Characteristics Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt2\EBWebView\Local State~RFe58022e.TMP

Filesize
8KB

MD5
3075db9ca63956d852f0df8754882eb9

SHA1
f8781666adedbfce6f128f080b4aa91eace08636

SHA256
68b0c657279cf8df4021bae164d6931a8d4ffee8dcec1a2648e7d310b479d4cf

SHA512
4148e6e9105e5cd91311b89e1dbdbf53b56be76c070177cbb5f337512fc6a66182f31ca11fcac5269185a217b966bde100a22a1672c2959d763c564676cb4e8d

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
7dc6ffa83f579c83880eb5c5f4189a10

SHA1
a8d87fb16cbc6cbd1752bdd75354f586f9d88798

SHA256
a6e677e1fee9e051a6c65251a2f996fdb5b16834c2d862ae009f555deb73c318

SHA512
892dd4a0989dc8388e560ae3cf8375c967953bd5b84d861b2905976bb3cdb227ceaff4de3adf5db24b1d2d592a65497865803a80e1744d2f3f0cc4d1a3e0b6bc

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView\Default\8014a8b1-c283-405f-a067-a7df46b57ab8.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView\Default\Network Persistent State

Filesize
299B

MD5
7c8dff8661c5c2f835dc79488896a169

SHA1
b6096a62c2cdceb050c42a80e9c403f1c32eb39f

SHA256
4d9e5e83dc0e1abe43f8cc61a76a0a2d75183a2a3fdd594b48ce2f218d301797

SHA512
9caed8382827f6cf7c874ff60130d0f1b458dd5ed548b69517a8be995c0abc250bd99bafebbde545b242fab347bea3a8981e690cd60a4bdc65c5e1cf85d0b63f

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView\Default\Preferences

Filesize
3KB

MD5
0c45ac8aea022817c5cbe63fd895d449

SHA1
64a3557bcc2bba28709c0e74f3fafeea6fb381c0

SHA256
4606442b154f54f503c442c69968da3535dc81a8937f237423f7d3e5523df5a4

SHA512
f0a52eedc4162bf210a9d8f0a86ec6ab6b8d2bee6f30dac797fba7b7cf3969b1bf617da017c017309fee371b1ed29f245b5ecc8de422d7ecaecd7d498814c88f

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView\Default\Preferences~RFe58c80e.TMP

Filesize
3KB

MD5
e6e53bd22cf9708f5701ad9f1cb44723

SHA1
0c3c27f0ccc2bb82bc13e98be50e5896a306b8f6

SHA256
ecd36fce618b80634934c0ea87e2735748904924ff408ad3c5401ea977748f02

SHA512
f584e9fc75ea88dc019961dc5604f323cfce7baf93a375265d85e9df969c8defc71b2ffe47a0e7e7d540d4365f00a58ab173a68060216b0be3caa3cfe376fd42

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView\Local State~RFe58022e.TMP

Filesize
8KB

MD5
6389fdb3f6c7a599fbd95eb3c1470081

SHA1
010c39a137eedb3b2c4e3a36d1cb4853d5b9f191

SHA256
9754fc626974a25d0408537eef1447046d00fea49b0491434184de9a1666073f

SHA512
51cadc177a7f4d36e51c86e947c4ecb9146e7cbfb9cf11a9d1df4f94e8698f7cf98a61efa205497e60bc4714f1837613b46acedb82bd75ff97b2afd25131e7e3

Download Submit
C:\Users\Admin\AppData\Local\EdgWebOpt\EBWebView\a10b0068-cf85-43cc-bcd6-f6fdeba9dd20.tmp

Filesize
8KB

MD5
f1cf7fbb5fe821d01cf39e84369ec115

SHA1
35c5499df8496552162db902f0ffcb13ed8ef76c

SHA256
a0f2268a71779baaf0509c2f32753f27ae71986bacf547349b691202182b535a

SHA512
68fa11b8f29e9881f6e52e6d1e26dc1cceb1116ce4677a013e6e27ba707c1dc3e7076e9d10359d81986ced9a7b55b1b4b3fa866c250fe11ac848f3ca4c603272

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4527a9b2-7d75-4165-8edc-8396e1b55063.tmp

Filesize
10KB

MD5
8870e80d92b949940f8aeee208966530

SHA1
c42e3cbcd9848275036bfc32740f4079301562b4

SHA256
fac198d82909e53abfaeedb37a4ddd55461e977b241c2c7c4445604e096d1b55

SHA512
7edab270f27d0ec9197d5fb99f020e6ff8777af159404ed2bd030d866c25a8daf6c511c61becf9d599823e58f11f997de65fb2a43cf6b72097118ca1375871cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5cabc17286e25c0ade7a7f050b6e92a6

SHA1
c25ab09177ad0da9ee6caf78310236bdc2cba319

SHA256
0e75f9140c154297d8f741aea07b90fc1be1b8deb79c3f204148471800e322b6

SHA512
0cc35eda0168f51e5e719ba0bfb226c9f5293a6056d47190a23377deb98244f42c62b8416696cdd13b2db6228c1c8a2513cdf6dbb1d4b59f0c1c889d1acee6e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
290f005b091f180dc7ddb50626b0ae1b

SHA1
765a298f1f5009d9176f6f93497f1089506d3d80

SHA256
293a5a5cbf7e396cb47cdc540d0a9264b68874b8f5b51e6072cb85e896e5ce05

SHA512
f494438af8be70d1c3e223ac8052d8dcd1ca244026c37cabf753e22f0140a66bd3ec3e9560a7b190955056e9c245ef19ac40e1a12f921592766dd66134f3cdc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
43db18eb952c386db591ff1d18833128

SHA1
dc9662d11fafbed903ecf1fb64777685aea73f5a

SHA256
58cc69611bafa94a3256adaf5f7e6fd0e81fb77111c112407e644a34b62372e8

SHA512
bf6e76808dadba33eb5e0c82f80b17f8f4a03d094b0ea66d20f66f7fc0e0a97b852eaf46adcf09386cc9074b7660e62241e0dfc7676d61568ef6a377751efe9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
fac94ce1029307508c6f8faaa25fca11

SHA1
edaf71ef9be3cd39df6bb81cdf5b44b9854f2157

SHA256
f0da84b38f612517b5a5142fd6e47712d2ecc551599a2e0a983359276b7a95c1

SHA512
15a4b9854676fc32f8c0df0a938608b56cb5f4aa5daaac41dd78c39edeb8af8ad8d5995b8f801b7200dd898ad33b3dec37614a73872a3da40229084286bc9aee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8e75d25076c581d948ab73bcf3b3f8b7

SHA1
53e727e24fd1fcb33d616b398100fe7aa0a70d13

SHA256
9bf40865a816c780f35a966366d061e7b67221917736b204daf60b98b0597aa0

SHA512
1efc4a398c7d71b9dacdd9b764db348a7204b7e7b70053d35f71f92ff8fe93908686ae87de87f7a310a97e9b676a136a8ad3ab08de2a6dbc84696f22add0373d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e38d513eced4c98667fd048f182b892f

SHA1
6943c6bff76ff82958e1528173dc501ab82256fc

SHA256
83332744490f534f7d9dfd9e3958f6d53912d1b9179a0db373df9b54b19d0b3c

SHA512
23409f35f0c55bc7fe0a69bba2d21103a240ae48e2ae3ef9092f7736a2b3dd3fe11a16e5691869f7bc6f0cf6eda1a0472b7a542fa363a0fbf62bf9c3338b5169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
25KB

MD5
68fe6f34e7d6603a3d2f4c95919f8408

SHA1
c7be30582f94d46f05338cc39726f72c9e2fa4cf

SHA256
8cba909149b2d3fc45315cf63cdb8fbe42a4b7c614347171ba00aaf859639c1a

SHA512
48eac2f55675b01ebeb28680ed9af6dcb9c558f76fd647cf05f8a7e1fa04ee57f7a8c70bc0ea882bdbca48b29d62ea7af74b76a03b09c19762e4c93118929be1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
733ace9560295827a9153769ab04c8e6

SHA1
2a06a119dbf4bad7d81b5a072465f5df564bb048

SHA256
031d7a7284990a652ffddf1c28fcd26dec81dca96334174068f7d677798f1efd

SHA512
21e3e6f966345bf7be456f0abe7ba331d675ee97e6ab83733c1562fd80b66c999e1701ccde53de47f12f0cd3457db99bc83da544704a646d53408ff554c42112

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
11KB

MD5
9525ed790aaa25e346ee37d85fd2607c

SHA1
02db19a5bd9119cb90329f438c287cda89b2d032

SHA256
f48431cb6a0247a5019286176ed5fc3db474a95b119b96ea4c5b1295747e3e75

SHA512
6bb92cbc68468f106f542485aadfcceb6bdbe6bc8b12782fdb83bdca290bc72e0c1c3b0cc657893365e5b02494884002c858e1f8114208e6b317f623172be7e9

Download Submit
C:\Windows\Installer\MSI9589.tmp

Filesize
1.1MB

MD5
8d2689a40fdd336df94ec8ea8ee2b65a

SHA1
5ea18c6f088e4752e6e613d20142d6622cb8b9b9

SHA256
fe1656c2eb5156f898fe2c15e5589a5ef6fa91cb0a52778b683a74e27cdc7e1e

SHA512
fdf9064d4d93c2a421b71be365122bfaed11ac0b670b074fbaad340c5fe0714cb25e56dacb437673e5b445d14fe8901775b2b83b056e33af785f131271457e1c

Download Submit
C:\Windows\Installer\MSI96D2.tmp

Filesize
738KB

MD5
36cd2870d577ff917ba93c9f50f86374

SHA1
e51baf257f5a3c3cd7b68690e36945fa3284e710

SHA256
8d3e94c47af3da706a9fe9e4428b2fefd5e9e6c7145e96927fffdf3dd5e472b8

SHA512
426fe493a25e99ca9630ad4706ca5ac062445391ab2087793637339f3742a5e1af2cedb4682babc0c4e7f9e06fed0b4ed543ddeb6f4e6f75c50349c0354aceda

Download Submit
C:\Windows\Installer\MSI96D2.tmp

Filesize
718KB

MD5
6e3121bd57ab5188b83fc01ccc58ef89

SHA1
0a997952569b99d8f4b29c7c6de92ecce184c570

SHA256
b5e195f25dcd636ca743e309ef09f3155b48f5ec5d780a98a63acc48970a5439

SHA512
9b43878362dd6a33f0a54fd7ff303def803ba28c65e33b0c3f3b18d0c8b69255d7f89de79a5a7ea87ba15a6a50d566f10ff9b47e4e3f29d872c8890e0fe209be

Download Submit
C:\Windows\Installer\MSI9703.tmp

Filesize
719KB

MD5
4dea35ba538e15a4e81c97df18ff4f3d

SHA1
b718abd78bf9615f0240afc9dc54b312af252717

SHA256
0cb9afba38c67bdffdec693882f180f45760537e1355b1c21cec1d3681087669

SHA512
e7deee5dcd511323fa8f95488d89d44a0b9d72e22fe4c1a3b515f70b513a0e0b574891a6a312f9597dae3e21fb4b27aa9150e43dc3e88d4cba564e47fc6e7e6c

Download Submit
C:\Windows\Installer\MSI9714.tmp

Filesize
702KB

MD5
bcfdca3592d1f0461661f2b4e0c715e0

SHA1
570ac8390252d840129e571b3d27d6c06a3188ff

SHA256
26ce4dd583b84e0b7fc12c5fefc4742fad99b23c530776e9924dade721998188

SHA512
d96dfaaedb49aea74562ab8a1bbddb953ee6881d7e85d10a131716c7f7439ad03c4338136fc0ed1b68e807c8ffb4c0f638a05df7b804c644aea297279b0135e1

Download Submit
C:\Windows\Installer\MSI9734.tmp

Filesize
1.1MB

MD5
856e64257f22cc40c5d19c4cffdcfeb4

SHA1
f36df965f8b3842e4e7b8e741dc68c87d8b1fbf6

SHA256
7aee80d44f9df06b951262066fc467a49e0e4b6ddb0535e6ae883ab2d25a8c6c

SHA512
5d6e667d20fe33686dfb03c06e638356a637a3fe19839c02362c3460dd38504408de916204582528e7bb9d05a0f0da6d02d7f83c1ecd55ecde14a94bc2f9094c

Download Submit
C:\Windows\Installer\MSI9734.tmp

Filesize
851KB

MD5
ccd5ddc04d92118324cbf7f6dd59b63e

SHA1
c0c6ebfd281e2e2709109b30e2653f3706fa85dd

SHA256
4ddf59c874a0e36254390467c4b99ccd24ac5d03cb003b7eb2174147ee24a794

SHA512
3a8c894e53c2549820ead01ad770ad9b5de0abe22cd0180938b7ab9dcd9c559391613a2e5f4e9bd79c5f010caa0f1f7ed1df3d6cd3b9777d9585b39f936f5e78

Download Submit
C:\Windows\Installer\MSI982F.tmp

Filesize
430KB

MD5
a1f81cc1eec9697cd8a33dd9f74f201a

SHA1
f92c4188a696b3e725e172ff017ec9b77cdc290a

SHA256
d312f53f3159c5fe3c19a82ddb5fbd4c4bf9de646c60373f2cb2c473503c708a

SHA512
88b78770fb3d66efc343834eaadaf3151aabcf626a252668038e386573718551240e0482dbacf5a0dddc231e5391fad98f397b59ba772a0cbcf1d0926526c00d

Download Submit
C:\Windows\Installer\MSI982F.tmp

Filesize
770KB

MD5
40b8a002f54781de38e8742b36f82361

SHA1
94e5a4e35cb36f0a40012171221ef456b4af9537

SHA256
b363f9a3113175210a048be76105c11795e83ab776b1d44b8b4f41d2f5323cdc

SHA512
542184a01dbdb0dde0fd6027aff303c7391fbd3c85b48ec09fabb6600385e231519030318d2e838be2bdbb45a43a430072514407aee0cca734a00151a29b5b78

Download Submit
C:\Windows\Installer\MSI9840.tmp

Filesize
732KB

MD5
9b433980680222e14874305423a3a21f

SHA1
a15c8134dca13a4deb0d2e49b3c03859ea51bddb

SHA256
d569a1a12b4de2d841c05d18af72c0f1ac65958b76ea96540cd4e0e7f3145435

SHA512
1ef7fafabb9e58a52f941ab16f57446c2d145f0b9e4c0e8b69aa7b3e1d3c568d561b5875da8f549ee97c3323c11275aa7424cb261cacd9729bcf8a6125a0fc2a

Download Submit
C:\Windows\Installer\MSI9840.tmp

Filesize
773KB

MD5
fce10874fecfd4d3eaec9d2ed2d991c1

SHA1
bbe9e4d936e2ba39b0e2f5d70dc38416a11a4bad

SHA256
2e4ae64f0d0b664f82bab5d66391cf0419684be3cb92ae453fe6c6ae5fadc436

SHA512
39bbcd450df356ce0d8462d5829cae6e5983e6223a58b54bf0d0cd7397fc040f965b9c3c24583254cd1719a75a8e0c8eac31a9d6983eb1f2a5dd081ba2ad7766

Download Submit
C:\Windows\Installer\MSI9840.tmp

Filesize
788KB

MD5
95c8fce8da087a72fe2832d9f946511a

SHA1
ea46123ac53ebbdad2aa3e789a824b6be81a417d

SHA256
77bdf0fcb734c24301ba814cd252dfc087150c39d6c1c4720859448597b3a304

SHA512
5e5260e9cebd5807d88a72452e16eb7b29c8b692c0b249c121955d8ecbe24a321faf27bd482f1035babc96dc5cd35680b2b9bf8b986d32b7e7cc734dd1111307

Download Submit
C:\Windows\Installer\MSI990D.tmp

Filesize
899KB

MD5
84005843fd1d12512856d243a5d867a9

SHA1
104c10c12ad536ab9041d28f21b2d630c9a4a9da

SHA256
fffac1b90039306621e40f54b7e7f2ea7a7cc56a67007420fc0fe1e0556e211a

SHA512
d3a6ff409ba5a8155be9df92ce78697e98bf046f07ffb6972f922ce4edacf0c041d89c5471c93e96ed58cfccb579bbd609461b2ed2007246a8853a3298b49ea5

Download Submit
C:\Windows\Installer\MSI990D.tmp

Filesize
665KB

MD5
f72209c9e6ce1c321620184ced73bed4

SHA1
e1a6428d3ff8f139d3bc317fd19aca1fad83b343

SHA256
2bd797854fce1bee791fb907798e3a9ac009b405c8af7766eeca91c63cee95fd

SHA512
54e119d8f09add2c6eb43fa1989926050e9e87762ae48f802ef97ebf787bbca84d2b2b475ed12b4da960a809a052525e19761499b09fcc23b369eaa4356c8670

Download Submit
C:\Windows\Installer\MSI991D.tmp

Filesize
843KB

MD5
94ae7d4503787415aead2f22a267ba3d

SHA1
eb8ab185b1e24a9e2aabfa91df4b1ba2c67e9ec2

SHA256
089d6839719770d6374c4f7e37052c23a9211450f2a833f8d774b9b37a5fdb3b

SHA512
d1b73a6955ac97f8a59fd6ff4132d03d391c1349c673c50ebce37177ede496de1e0efe94a3569c9684dbc6622896dca982e36d0cb4e1536fe8a018235191bf7e

Download Submit
C:\Windows\Installer\MSI991D.tmp

Filesize
837KB

MD5
69dc52b8994509d4d5b6fc4c4cc0af30

SHA1
7fdae1b59c3db0e795e0b14ea46b1f2edfe0e502

SHA256
0c6895f61541a3308cba2704bf33b1b93e962fcf7096eb384f6713aa0f2571f3

SHA512
62b5d201ef309e2dc34d60f8b541128ac989ee62a7074b9dbe347614bea6e2292bdaa9afa5b7e99065f734976e8900d14c8c44d883cd6b2bc1a43e4ae304edff

Download Submit
C:\Windows\Installer\MSI992E.tmp

Filesize
633KB

MD5
9d58602b30a1025dbed4b02fbe7ff023

SHA1
886a268fd5ae979a696cb480228abf14bc097798

SHA256
4d3f2a3f667bf8afb3b49c4a1c7b668730d8b09c472a6dba54d58a2a12808b81

SHA512
8517e6137ed1d559917504e870043d8fefb06fb16577ed720fa2d5832aa7843386f3dae82d0bfb055181370b59d71031c94014ce5efd3cfcc87a4759d5ded319

Download Submit
C:\Windows\Installer\MSI992E.tmp

Filesize
653KB

MD5
d582b7d8010a3275b2ba224b71ca579e

SHA1
f0633f93d2e5b94d3f2d28a1c850afb8cbae9e0c

SHA256
3a377ac2e2e41ff4ec32e1ab4ddb224c22a7211ffe7750541e84bd0c99982c16

SHA512
1b869e63fb0b0b135018c99e8bf732cfae99faafe03e58624c3e1d2385ffdaee9993a749ad12d7a74f3ec83e904aca05ffa03d3440eb6e1eea45c42e78a8ce64

Download Submit
C:\Windows\Installer\MSI9F2B.tmp

Filesize
149KB

MD5
21cf377d4a0dd5174dde523a978b69f9

SHA1
52bf14642cca315019b2624ccbce907acb5a965a

SHA256
d6478fc86dcccb2135e7b45a11d49e192b2272f1450158f7651952bb4714f0b3

SHA512
2863c47125ef0cb095feed382be9942a36a776f790069895446d34fc149f357cbe2608ced923d2d0c03d6a38a55a8a6bb7c5936659c8d0df51461144f80df22c

Download Submit
C:\Windows\Installer\MSIA065.tmp

Filesize
120KB

MD5
2a860546e2aa1d98d5c41dd1aac774f7

SHA1
2ab2b67194d930f586edc3f88dfce0e00cf79bbd

SHA256
c074e83e4c692eafcd5f48021187e13b35f76ab45309d91a7e93b27ad3b59b3a

SHA512
94e989da5e0c6baa26b05943cc6c5aa99bdcb65040f0e76ac6295f6d6cc298f6c872f7fd3a81d08b9c1adb7e4153e4d88b1165c35577973159c9b0edf3c52b0d

Download Submit
C:\Windows\Installer\MSIA065.tmp

Filesize
38KB

MD5
fd6d6b52242fb5a61200ef005294a780

SHA1
daf0e86ccc573b36942b64416a68d0ad93036371

SHA256
798193cf4d76c8135ef7b2d3cb11740909233b27e7ab46c3146453a5769c8a6a

SHA512
74e86c7b6d690bcf74a45c7d16af2753bca5aaff3028f4f54790b5a239b15fa304127032cad579d528045ef0506bf6c11543d231363b4a94d23f745692426b04

Download Submit
C:\Windows\Installer\e57950c.msi

Filesize
4.3MB

MD5
ce1fa9313477bd70bc18c30f464ffa0e

SHA1
4e2fec2e23ba239d50aacf57eef690c3aa4a269f

SHA256
93b891839b52fee4f266ee43068c22d0d6941a81032b8efcbb0e23c1b45b18c5

SHA512
598dfb7122817eae2bcf91e2b8a397d724a0d2fb3a33847a763ab8c496a2641e907b8e4a06152e12d35fbf3ddf4b41be8035f036f53515b8a43f0c0af9d18dbb

Download Submit
memory/748-891-0x000001E3431D0000-0x000001E34397E000-memory.dmp

Filesize
7.7MB

Download
memory/1032-228-0x00000000040B0000-0x00000000040C0000-memory.dmp

Filesize
64KB

Download
memory/1032-225-0x0000000000800000-0x0000000000826000-memory.dmp

Filesize
152KB

Download
memory/1032-226-0x0000000073160000-0x0000000073911000-memory.dmp

Filesize
7.7MB

Download
memory/1032-591-0x00000000040B0000-0x00000000040C0000-memory.dmp

Filesize
64KB

Download
memory/1032-578-0x0000000073160000-0x0000000073911000-memory.dmp

Filesize
7.7MB

Download
memory/1032-227-0x0000000001320000-0x0000000001342000-memory.dmp

Filesize
136KB

Download
memory/1560-322-0x0000000073160000-0x0000000073911000-memory.dmp

Filesize
7.7MB

Download
memory/1560-353-0x0000000007B90000-0x0000000007BCC000-memory.dmp

Filesize
240KB

Download
memory/1560-546-0x0000000009700000-0x000000000971E000-memory.dmp

Filesize
120KB

Download
memory/1560-499-0x0000000009140000-0x00000000091B6000-memory.dmp

Filesize
472KB

Download
memory/1560-500-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1560-332-0x00000000056F0000-0x00000000056FA000-memory.dmp

Filesize
40KB

Download
memory/1560-664-0x0000000073160000-0x0000000073911000-memory.dmp

Filesize
7.7MB

Download
memory/1560-501-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1560-674-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1560-390-0x0000000006160000-0x000000000617E000-memory.dmp

Filesize
120KB

Download
memory/1560-325-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1560-321-0x0000000000050000-0x000000000007A000-memory.dmp

Filesize
168KB

Download
memory/1560-352-0x0000000007B00000-0x0000000007B4C000-memory.dmp

Filesize
304KB

Download
memory/1560-706-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1560-711-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1560-336-0x0000000005700000-0x000000000570E000-memory.dmp

Filesize
56KB

Download
memory/1560-721-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/1560-354-0x0000000007B50000-0x0000000007B71000-memory.dmp

Filesize
132KB

Download
memory/1560-323-0x0000000004F10000-0x00000000054B6000-memory.dmp

Filesize
5.6MB

Download
memory/1560-324-0x0000000004A30000-0x0000000004AC2000-memory.dmp

Filesize
584KB

Download
memory/1560-349-0x0000000007680000-0x00000000079D7000-memory.dmp

Filesize
3.3MB

Download
memory/1560-329-0x0000000004C60000-0x0000000004CE6000-memory.dmp

Filesize
536KB

Download
memory/1560-339-0x0000000004A20000-0x0000000004A30000-memory.dmp

Filesize
64KB

Download
memory/2564-960-0x0000022881D50000-0x00000228824FE000-memory.dmp

Filesize
7.7MB

Download
memory/3976-880-0x000001C48A950000-0x000001C48B0FE000-memory.dmp

Filesize
7.7MB

Download
memory/5144-387-0x00007FFC5F010000-0x00007FFC5F011000-memory.dmp

Filesize
4KB

Download
memory/5360-662-0x0000023101D50000-0x00000231024FE000-memory.dmp

Filesize
7.7MB

Download
memory/5376-663-0x00000250BA800000-0x00000250BAFAE000-memory.dmp

Filesize
7.7MB

Download
memory/5556-948-0x0000026167280000-0x0000026167A2E000-memory.dmp

Filesize
7.7MB

Download