Analysis
max time kernel: 381s
max time network: 383s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/02/2024, 18:06
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://loot-link.com/s?o8TT
Resource: win10v2004-20240221-en
General
Target: https://loot-link.com/s?o8TT
Malware Config
Signatures
Blocklisted process makes network request (2 IoCs)
flow | pid | Process
124 | 1208 | powershell.exe
126 | 1208 | powershell.exe
Downloads MZ/PE file
Sets file execution options in registry (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
Executes dropped EXE (11 IoCs)
pid | Process
524 | MicrosoftEdgeWebview2Setup.exe
2004 | MicrosoftEdgeUpdate.exe
4544 | MicrosoftEdgeUpdate.exe
4680 | MicrosoftEdgeUpdate.exe
1696 | MicrosoftEdgeUpdate.exe
4004 | MicrosoftEdgeUpdate.exe
1704 | MicrosoftEdgeUpdate.exe
4496 | MicrosoftEdge_X64_121.0.2277.128.exe
3948 | setup.exe
2164 | setup.exe
4372 | MicrosoftEdgeUpdate.exe
Loads dropped DLL (2 IoCs)
pid | Process
4112 | MsiExec.exe
4112 | MsiExec.exe
Registers COM server for autorun (1 TTPs, 33 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.181.5\\psmachine_64.dll" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
Checks system information in the registry (2 TTPs, 8 IoCs)
System information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\EdgeWebView.dat | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Trust Protection Lists\Sigma\Staging | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\121.0.2277.128.manifest | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\identity_proxy\win11\identity_helper.Sparse.Stable.msix | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\onnxruntime.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\dxil.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\es-419.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\20240222181225368_3948.pma | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\augloop_client.dll | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\identity_proxy\win11\identity_helper.Sparse.Canary.msix | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\msvcp140.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\show_third_party_software_licenses.bat | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Trust Protection Lists\Sigma\Entities | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\edge_feedback\camera_mf_trace.wprp | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Trust Protection Lists\Sigma\Other | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\tt.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\identity_proxy\win10\identity_helper.Sparse.Beta.msix | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\identity_proxy\win10\identity_helper.Sparse.Beta.msix | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Trust Protection Lists\Mu\LICENSE | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\msedge_pwa_launcher.exe | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\ug.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\el.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\nn.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\msedge_100_percent.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\show_third_party_software_licenses.bat | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\fi.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\identity_proxy\dev.identity_helper.exe.manifest | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\ar.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\fa.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\gl.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\VisualElements\SmallLogoCanary.png | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\da.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\nn.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\pt-PT.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\cy.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\en-GB.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\eu.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\BHO\ie_to_edge_bho_64.dll | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\gu.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\MEIPreload\manifest.json | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\et.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Trust Protection Lists\Mu\Social | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\mip_core.dll | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\msedge_proxy.exe | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\onramp.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\am.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\az.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\ru.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\cy.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\wns_push_client.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\gd.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\kk.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\identity_helper.exe | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\ml.pak | setup.exe
File created | C:\Program Files\EZFN Launcher\_up_\public\FiraCode-VariableFont_wght.ttf | msiexec.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\oneds.dll | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\es.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\Locales\bg.pak | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\msedge.exe.sig | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\el.pak | setup.exe
File created | C:\Program Files\EZFN Launcher\_up_\public\vercel.svg | msiexec.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\EBWebView\x64\EmbeddedBrowserWebView.dll | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\af.pak | setup.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\121.0.2277.128\Locales\hi.pak | setup.exe
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Installer\e5b9bee.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9EBD.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{BB810243-77BA-4FA3-BD35-C1FA04A2F94A}\ProductIcon | msiexec.exe
File created | C:\Windows\Installer\e5b9bee.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\SourceHash{BB810243-77BA-4FA3-BD35-C1FA04A2F94A} | msiexec.exe
File created | C:\Windows\Installer\{BB810243-77BA-4FA3-BD35-C1FA04A2F94A}\ProductIcon | msiexec.exe
File created | C:\Windows\Installer\e5b9bf0.msi | msiexec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value not preserved in the extracted report] | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS (47 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ProgID | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\342018BBAB773AF4DB531CAF402A9FA4\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}\InProcServer32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB} | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ = "IProgressWndEvents" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\342018BBAB773AF4DB531CAF402A9FA4\PackageCode = "F813A7337A6E0A249833370B4D1A48A3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods\ = "27" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0\ = "Microsoft Edge Update Broker Class Factory" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ = "IGoogleUpdate3WebSecurity" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\ProgID\ = "MicrosoftEdgeUpdate.ProcessLauncher.1.0" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\Elevation | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C} | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\PROGID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298\342018BBAB773AF4DB531CAF402A9FA4 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods\ = "17" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED} | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A} | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods\ = "8" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\CLSID\ = "{08D832B9-D2FD-481F-98CF-904D00DF63CC}" | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\VERSIONINDEPENDENTPROGID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ = "IProcessLauncher" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ = "IProgressWndEvents" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.CredentialDialogMachine" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\LocalService = "edgeupdate" | MicrosoftEdgeUpdate.exe
Set value (str)
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32\ = "{2B473453-BCFD-454A-AB98-B0DE7FDF2A6E}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver" MicrosoftEdgeUpdateComRegisterShell64.exe -
NTFS ADS 1 IoCs
File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 985694.crdownload:SmartScreen (msedge.exe)
Suspicious behavior: EnumeratesProcesses 23 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 45 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://loot-link.com/s?o8TT1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd39246f8,0x7ffdd3924708,0x7ffdd39247182⤵PID:2552
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:22⤵PID:5052
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:4884
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:82⤵PID:5028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵PID:1096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:12⤵PID:4852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:82⤵PID:3204
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2556 /prefetch:12⤵PID:4676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:12⤵PID:2336
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:12⤵PID:1544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:12⤵PID:2004
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:12⤵PID:4268
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4880 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:12⤵PID:3444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:12⤵PID:868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5348 /prefetch:82⤵PID:2072
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,2898825851292944323,12881940389836279672,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4412
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\EZFN_Launcher_1.0.6_x64_en-US.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2400
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4832
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2104
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1824 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1D2386D6A39F6F231323BE8EFDBD5B8A C2⤵
- Loads dropped DLL
PID:4112 -
C:\Program Files\EZFN Launcher\EZFN Launcher.exe"C:\Program Files\EZFN Launcher\EZFN Launcher.exe"3⤵PID:4980
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.0.6 --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --enable-features=MojoIpcz --lang=en-US --accept-lang=en-US --mojo-named-platform-channel-pipe=4980.2764.49369997687094361724⤵PID:1836
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=121.0.6167.184 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\121.0.2277.128\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=121.0.2277.128 --initial-client-data=0x15c,0x160,0x164,0x138,0x194,0x7ffdc09bbf98,0x7ffdc09bbfa4,0x7ffdc09bbfb05⤵PID:1352
-
-
-
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:2560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install3⤵
- Executes dropped EXE
PID:524 -
C:\Program Files (x86)\Microsoft\Temp\EUCAFD.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EUCAFD.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"4⤵
- Sets file execution options in registry
- Suspicious behavior: EnumeratesProcesses
PID:4968 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc5⤵
- Executes dropped EXE
- Modifies registry class
PID:2004
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver5⤵
- Executes dropped EXE
- Modifies registry class
PID:4544 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Registers COM server for autorun
- Modifies registry class
PID:3580
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Registers COM server for autorun
- Modifies registry class
PID:2984
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.181.5\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Registers COM server for autorun
- Modifies registry class
PID:4572
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzU2MjI5MTk1OCIgaW5zdGFsbF90aW1lX21zPSIxMzQ0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg5⤵
- Executes dropped EXE
- Checks system information in the registry
PID:4680
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{29D1BF8D-2C94-42E7-B6FE-495A0F9394A4}" /silent5⤵
- Executes dropped EXE
PID:1696
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:4220
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:4004 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODEuNSIgc2hlbGxfdmVyc2lvbj0iMS4zLjE4MS41IiBpc21hY2hpbmU9IjEiIHNlc3Npb25pZD0iezI5RDFCRjhELTJDOTQtNDJFNy1CNkZFLTQ5NUEwRjkzOTRBNH0iIHVzZXJpZD0iezk2QjYyREM5LUQ2QTktNDdBMy1CRjRGLThBN0YxRDcwOTJBQX0iIGluc3RhbGxzb3VyY2U9Im90aGVyaW5zdGFsbGNtZCIgcmVxdWVzdGlkPSJ7QTM3RDc0REYtRDZFRC00RTAzLUEzRjQtRUIwRjQ3QjkxNzYwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIG9zX3JlZ2lvbl9uYW1lPSJVUyIgb3NfcmVnaW9uX25hdGlvbj0iMjQ0IiBvc19yZWdpb25fZG1hPSIwIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSJEQURZIiBwcm9kdWN0X25hbWU9IlN0YW5kYXJkIFBDIChRMzUgKyBJQ0g5LCAyMDA5KSIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIG5leHR2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijc2MDEwNDE0NTUiLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Checks system information in the registry
PID:1704
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3866ED66-0F88-4692-BA22-03A7953A9694}\MicrosoftEdge_X64_121.0.2277.128.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3866ED66-0F88-4692-BA22-03A7953A9694}\MicrosoftEdge_X64_121.0.2277.128.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
PID:4496 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3866ED66-0F88-4692-BA22-03A7953A9694}\EDGEMITMP_B9E42.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3866ED66-0F88-4692-BA22-03A7953A9694}\EDGEMITMP_B9E42.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3866ED66-0F88-4692-BA22-03A7953A9694}\MicrosoftEdge_X64_121.0.2277.128.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
- Executes dropped EXE
- Drops file in Program Files directory
PID:3948

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3866ED66-0F88-4692-BA22-03A7953A9694}\EDGEMITMP_B9E42.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3866ED66-0F88-4692-BA22-03A7953A9694}\EDGEMITMP_B9E42.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=121.0.6167.184 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3866ED66-0F88-4692-BA22-03A7953A9694}\EDGEMITMP_B9E42.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=121.0.2277.128 --initial-client-data=0x22c,0x230,0x234,0x204,0x238,0x7ff6f91c1d88,0x7ff6f91c1d94,0x7ff6f91c1da0
- Executes dropped EXE
PID:2164

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping …PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4NzM0OTk3NzA0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iOTA2IiBkb3dubG9hZF90aW1lX21zPSIzMzQwNyIgZG93bmxvYWRlZD0iMTc0OTYwNjk2IiB0b3RhbD0iMTc0OTYwNjk2IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI3NTk5MCIvPjwvYXBwPjwvcmVxdWVzdD4
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
PID:4372
Downloads