Analysis
-
max time kernel: 327s
max time network: 331s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/02/2024, 09:51

Static task: static1
Behavioral task: behavioral1
  Sample: Forza-Mods-AIO.exe
  Resource: win10v2004-20240221-en
Behavioral task: behavioral2
  Sample: Forza-Mods-AIO.exe
  Resource: win10-20240221-en
General
-
Target: Forza-Mods-AIO.exe
Size: 13.2MB
MD5: 170b9031c89726d445a322689ff66ff7
SHA1: e4d827a5ff30aca7783d872b03c2afd3c78e5d62
SHA256: 26bde4f22eaa466847881b96b4fed699f850dafe2af43f722df1e588aacbf46f
SHA512: 2ddb71e49e763d3067a8fd0824f8914b19e9ff1ec7e47e484c95453ec029254cc92831934a05a18803ae3ba39282a03923686f2ba9015d688fddc19d2cfbc0b5
SSDEEP: 98304:YbhD4ny4CVdxkYNYSFxP81Sqg15upj7P1sD8JBM:yhDq0x+SfoBg1g5j1sDn
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation | windowsdesktop-runtime-7.0.16-win-x64.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation | Forza-Mods-AIO.exe
-
Executes dropped EXE 4 IoCs
pid | Process
4788 | windowsdesktop-runtime-7.0.16-win-x64.exe
3060 | windowsdesktop-runtime-7.0.16-win-x64.exe
664 | windowsdesktop-runtime-7.0.16-win-x64.exe
3228 | Forza-Mods-AIO.exe
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ef5af41f-d68c-48f7-bfb0-5055718601fc} = "\"C:\\ProgramData\\Package Cache\\{ef5af41f-d68c-48f7-bfb0-5055718601fc}\\windowsdesktop-runtime-7.0.16-win-x64.exe\" /burn.runonce" | windowsdesktop-runtime-7.0.16-win-x64.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
flow | ioc
158 | camo.githubusercontent.com
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 35 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
-
Modifies data under HKEY_USERS 9 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
-
Modifies registry class 64 IoCs
-
NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 52719.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 943857.crdownload:SmartScreen | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 25 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe 2168 msedge.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1568 wrote to memory of 2168 1568 Forza-Mods-AIO.exe 94 PID 1568 wrote to memory of 2168 1568 Forza-Mods-AIO.exe 94 PID 2168 wrote to memory of 2296 2168 msedge.exe 95 PID 2168 wrote to memory of 2296 2168 msedge.exe 95 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 
2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 940 2168 msedge.exe 97 PID 2168 wrote to memory of 2368 2168 msedge.exe 96 PID 2168 wrote to memory of 2368 2168 msedge.exe 96 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98 PID 2168 wrote to memory of 1692 2168 msedge.exe 98
Processes

C:\Users\Admin\AppData\Local\Temp\Forza-Mods-AIO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Forza-Mods-AIO.exe"
  - Suspicious use of WriteProcessMemory
  PID:1568

  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://aka.ms/dotnet-core-applaunch?framework=Microsoft.NETCore.App&framework_version=7.0.0&arch=x64&rid=win-x64&os=win10&gui=true
    - Enumerates system info in registry
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2168

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8608446f8,0x7ff860844708,0x7ff860844718
      PID:2296

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID:2368

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
      PID:940

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
      PID:1692

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      PID:2160

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
      PID:4504

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
      PID:4008

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
      PID:616

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
      PID:3144

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:3988

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
      PID:2184

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
      PID:1592

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
      PID:1304

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
      PID:1160

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
      PID:2476

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4624 /prefetch:8
      PID:5108

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6028 /prefetch:8
      PID:5012

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:2888

    C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.16-win-x64.exe
      Command line: "C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.16-win-x64.exe"
      - Executes dropped EXE
      PID:4788

      C:\Windows\Temp\{86634D24-A48B-470F-825E-F58906AA3D85}\.cr\windowsdesktop-runtime-7.0.16-win-x64.exe
        Command line: "C:\Windows\Temp\{86634D24-A48B-470F-825E-F58906AA3D85}\.cr\windowsdesktop-runtime-7.0.16-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-7.0.16-win-x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        PID:3060

        C:\Windows\Temp\{A25DC361-2E0D-4107-9CD2-4A280A805E89}\.be\windowsdesktop-runtime-7.0.16-win-x64.exe
          Command line: "C:\Windows\Temp\{A25DC361-2E0D-4107-9CD2-4A280A805E89}\.be\windowsdesktop-runtime-7.0.16-win-x64.exe" -q -burn.elevated BurnPipe.{B37482FE-564A-4A2E-B2F0-30CFE0A7FE2A} {99D52AAC-E202-44ED-A9CF-EE30401FCBC2} 3060
          - Executes dropped EXE
          - Adds Run key to start application
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          PID:664

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
      PID:3964

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
      PID:3664

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6324 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      PID:3464

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6372 /prefetch:8
      PID:1616

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1
      PID:1764

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
      PID:760

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
      PID:1968

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6344 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID:5048

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
      PID:1552

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7036 /prefetch:1
      PID:5048

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
      PID:3904

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
      PID:3456

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
      PID:2332

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6324 /prefetch:8
      PID:4008

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2236,701501953974002288,9908639556533434496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:4552

    C:\Users\Admin\Downloads\Forza-Mods-AIO.exe
      Command line: "C:\Users\Admin\Downloads\Forza-Mods-AIO.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      PID:3228

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:3152

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID:1240

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3004

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2F3CF27681DB061D7758760E549EDC82
    - Loads dropped DLL
    PID:5028

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding B4B10B0B4AD665AF21B5420855A5C0CF
    - Loads dropped DLL
    PID:3740

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding FD5383BC2471D8D0F18A3C3E47EFE173
    - Loads dropped DLL
    PID:4160

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F430215D5EA8C9F3F77903FAD80291F7
    - Loads dropped DLL
    PID:3232

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:2180
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
48KB
MD5b7be03d28c6b143d71a178d5117f2dc3
SHA12dd95502014b87e8c628defe0b3f1c093dcce0ec
SHA256e5dfd3b9584f1c72cdd6ad9421406ea28688810daba275617de09afecb5793d0
SHA512fa5a2bb39bfd618d1077ef14d2ec7d81bc4dff824ab68c9a78108572145693420b1987a62e84c5747763038e21d732bfb56c3a681a2cc59ea8872a3ecf2cb323
-
Filesize
9KB
MD5cb89b6f7d6a06d533eef65774d411269
SHA1eb9d84533110b7e76f78dc3fcf845a237e0fde66
SHA2568ae28c8fe9603231c25c34a60460172f61361a1c9bb9e11a08fb93214fe8eb50
SHA51219f1ca2f2a48a1a8c04618f5887e36256f0852412f9bde1468293c38c09eaea7e4ea7df71f714bec3987219b5c5a1ec564a23c42c871d3d08d82847a04a6b249
-
Filesize
10KB
MD51c094934a0a736db78a65a702561b5a4
SHA19ae1ba5791c6a3f3e99303bdb92c6919efc5fd87
SHA256b8f9b2751a1af488be1d73e5089c6f1ca60a1584d05d6245fcde100eda276c25
SHA51242293fb8776bf118abd17e26c9729883fdaf2496223d6942dc9cb7db3920189733c7cec8707b166d0c6462b0a0849412fdca38b7963977d947bcb24ebf383b35
-
Filesize
88KB
MD53b2eda88076be1eda8af0552d9499035
SHA10cd9aa7785ad6098d6cb065f8840c6d77649bef5
SHA256b68adae39ddf1130e7b76021c69195ddb8f5f8780beb8dd21767c3fd981d856e
SHA512276508ef1b17b867e4edda727d4aea0b3e971aa7eeb30e43ac5da0a66880216c56b826a8c8f2e231c7e3dec1eae9f782cff17a155259c234dd09150d638f8d2e
-
Filesize
85KB
MD55c13a5ea8c8cc3474240981d0ffa88ff
SHA11d8d3ce27d9dc3d9fb4fa4b06c20137d25879d80
SHA2564f9bb3901879bafae3a17c6c4009ee5c15384a06fc234bed78937969079c77da
SHA51232ea79ff5194d8a18e75f277aed5610b4955db15b0abbcc2664cf07f372bebfc57eb665ad078dc3da3ce5ee0d8856140c2a1bc7032b578dd103d43998d682d88
-
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\Microsoft.NETCore.App.runtimeconfig.json
Filesize159B
MD501da0d56ab33c0ed0e7ac85e5244190f
SHA19e1e4b59e590038f769e5fa01fb326109a7f38e5
SHA2567133274dc5efab688a6efe2f43ca33e78a2498ef39efcad231b0e07ad2c26d17
SHA512e11967ba33c719da1681a7f98056d40f450788d9b7c8b2f580d8bc7998fc35a78c53fc970301b097c527fab79fd477adad4eafcd75b4bb376d33c3fece9e8926
-
Filesize
152B
MD51af9fbc1d4655baf2df9e8948103d616
SHA1c58d5c208d0d5aab5b6979b64102b0086799b0bf
SHA256e83daa7b2af963dbb884d82919710164e2337f0f9f5e5c56ee4b7129d160c135
SHA512714d0ff527a8a24ec5d32a0a2b74e402ee933ea86e42d3e2fb5615c8345e6c09aa1c2ddf2dea53d71c5a666483a3b494b894326fea0cc1d8a06d3b32ec9397d3
-
Filesize
152B
MD5aa6f46176fbc19ccf3e361dc1135ece0
SHA1cb1f8c693b88331e9513b77efe47be9e43c43b12
SHA2562f5ba493c7c4192e9310cea3a96cfec4fd14c6285af6e3659627ab177e560819
SHA5125d26fdffebeb1eb5adde9f7da19fe7069e364d3f68670013cb0cc3e2b40bf1fbcb9bdebbfe999747caf141c88ccd53bd4acf2074283e4bde46b8c28fbae296f5
-
Filesize
59KB
MD5063fe934b18300c766e7279114db4b67
SHA1d7e71855cf6e8d1e7fbaa763223857f50cd1d4bd
SHA2568745914e0214bcd9d2e6a841f0679a81084ef3fc3d99125876bee26653f4253e
SHA5129d0dfc21306b3a56c2ecdf1265392271969e3765e161e117c8765125b34793e24458217cf6514b364f351f47e65baaaf5856be0d13406a789f844d6ba8c7075f
-
Filesize
153KB
MD52f3c7b5f9221520efbdb40dc21658819
SHA1df12f010d51fe1214d9aca86b0b95fa5832af5fd
SHA2563ba36c441b5843537507d844eca311044121e3bb7a5a60492a71828c183b9e99
SHA512d9ed3dccd44e05a7fde2b48c8428057345022a3bcea32b5bdd42b1595e7d6d55f2018a2d444e82380b887726377ab68fa119027c24ac1dadc50d7918cc123d7b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize360B
MD5e3b8eb4a61500005fb91e2299da8027d
SHA1e31c3755d26b6bf79a2877a7ee5cb8b2d1034a7b
SHA256789c9f9262630d0f5be3a1c4d240a113e430c1c505681d51d2969dfd74ead146
SHA5122000a1625f8eae782189e5ee2eabdc098d0ee6408fe281899aceee2b400668574947f89afd6ad0b822b23af00faa35cc2fdf573e437510c09ee958cea3bdb49c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD5e3732937e675c0f61514496a9fac3172
SHA157d55459aba6b1682ccb779b4d9c49cc745c2b1f
SHA256f9de030d3f79728934b9a0a725cf68bd26635da388261a6dd96af48fb32f5e1f
SHA5128e5cf93aa6e697ea95ffe6c74be58951ca1806d6581c7b9cc86123c666196a48189e4da86b3824032258d8d11c7f40eaaa5ec75343858def4805a6f0ae7fe629
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
1KB
MD50934249809c13d521ae54a6766f8d8cd
SHA1aaddd4e8a5158af4ff12dbee3737fcdbacd023f2
SHA256bf8fee09fa44b9a80ab27c8f81ff3120e97bda1ff0a4cb34ea48c8a3525c26d9
SHA512d6fb53c674b0ed8ecf1825f72b59624aea3e0a0ebe0f07a9d061c7983fe7219f338ed86278714572b1ab11c9b2c63c8a17bf7fed21e7e4ab91328a8af72cfe15
-
Filesize
2KB
MD54f6605dbe013cc136c6ef9949dce9a69
SHA170c0c00bf0a54999286ea4c633494cb090cb022f
SHA256c1613f9dc94ef0be374299aab2e8c7da3e637dfbfdae8073dd081cd855bf35c3
SHA512e4b01a5b29af4832278747583533b91f8ea21eec7b7f63e65f8cab4f9d4091f4e71af0ee215d0f7bb67e41660f5bb587aaa166202825e1d38d6d7d0fe9f64eb1
-
Filesize
1002B
MD5129696698af920dd7a56752a3f65e88c
SHA1c656160b3166ed3f104c77a9fb7db4e2b961419c
SHA2569c29d112dd9c19f61b31d421e10dbf2752e9637eebfbc3993f9e3657b58e7498
SHA51237dd56ffb55bf4712b11759860adcaf389fe8383277d246d697f36e4fc97ef7398c4a31e81e144f835c85ce5dd74cfbd3d65af405144e750ef2f646da691d0a3
-
Filesize
6KB
MD5cf5f5ae6af1d0bf5720d4c9d71d8ee9d
SHA114a5862b5313899e1f0042abb8dad6e2c4bb4fd4
SHA2562d07437f0fb14f62f11c9a5b20414935441e2299559a802bfb645cf59a514992
SHA5128737282c199890eff96a794a48785617e34c68d84eade0108aa4f1a68a0526e5e68f13a01264b39240f954611e29ba64813c1c36b34cc990fabb5814eb1c9d37
-
Filesize
6KB
MD5ec3004f08f8ac05ee896b5bdb38b1557
SHA14006c24e38519cbfb52c6b786b5d69614739d36d
SHA256e2bf93731403d5c6304ae49683de795fce07ac5b9fafa8a0fccdcb6fc83e8f66
SHA512faf7adbb9e4e936091112be3ebd1e5db74756b3ac9676d6fa52f16b8cfc7dfdd3b56dec6abed69908638c48f91311491111232667e664c1e083c3356c427dd16
-
Filesize
7KB
MD5cc325d12c8484b685360deb1907a03cc
SHA199b3ca32d785a5770eafcc1c5ec7a48a2a194375
SHA2565b2cb1a5688c9057cf8a9c55d59dd47888a5ee16e947a603348d7518a8a29b83
SHA512c2db9274a698970a466a49ce2bf69ae7a20f8fe9bcf539d2bb43d6da950bae8e89ac4308abf61d3a00a663a5a8c63615a64d3cef9a705b501f72f03ed0e2c07c
-
Filesize
6KB
MD5750e6c7df33563af53f346510337c868
SHA149b1449be75d8f2deca824bbc4d558c67b0f0dea
SHA2566bcba989e517097dfd34233296011fed1e3cfdfb79c2c6ed1e4a40b662bbb181
SHA5123c7a74702c77cf5fd197b82bdfbf9109f3721ec7ef58e84de58a40e16553c71f777fcfc71c58d7c1313b446c33dcf7357ae565ec4636eea6ab448470eea39142
-
Filesize
7KB
MD5de59eb7a8cc4be451a3dd33623e228be
SHA1cc2f64bc397e8661f4e2a27474361a348974249d
SHA256197d16fbda1412e7524884ca57509cb71c6398db2a4a23865b91032a877f3b8a
SHA512c86816b3bcc91d34f3bf37eeec6b0ec54095a249815c97cd587acc54dce142de9f2be35a8489bc11b107ce7f676e6b38b6efde6fd95fbb77836a43e4411cce51
-
Filesize
7KB
MD5202cdfbbf8adf105ed50a301e9426d54
SHA1bf546408c1a1483f994b4865eb2159023febd21e
SHA256efb6ece14c9f65f33e14cbe3d7c55f3b3a41adcaf464cc7088368a3ec8d77124
SHA512aa4f301483c007ce8d084e1a4e10be2686c311ceda8a4a8e9bb0ef1eb3176789399b68d8db610bee5888db6aab2978115588b4a16056b2ed658555bf90d8c7a3
-
Filesize
2KB
MD5582ab64e0213bdce094401f60b639ecb
SHA1dd4e3e1ae1614d7eb276ee700f32f6537c80ceba
SHA25638215330fa6d8c4190dd26e2eb9c88188e07cd583d69748e764f9fc114b94fa0
SHA512b89a46333433865e4a2c472c51e3c869f1828d17e0a1185ea78620245539acf67c7bc4bd76d6a62a8184269e608663992454b8d2e010dd57a7763124679212d2
-
Filesize
2KB
MD5bf173228b6cd3d6e52cec13d76788e7d
SHA12a0c0313f077463bc373617d13f530f0b8449a6f
SHA2561ea6d973347f24cd115927435e2ded14cc7d2e5ded119bba2e9a73afa955efa6
SHA512b01ee797c828a2e1992d53d97551e6f50b7bda3f59800e232947cf43369eccdffcba15e4de0313d267fa394c8eb88f879a786e06181af07999a70ec7b820c6f6
-
Filesize
707B
MD5aeecd1d98cf57a6930586cec2c186ead
SHA1127d179ec5b06b9c4c5c6d1fd8cf368cd82e3c92
SHA25661db6e6c6d47e171e11286906cf4ee0c804b092e596b520c56c2f0e8239e3384
SHA512a5b9d1a7f9b40a2652652168af1b0d333164147a667b5ec99f303da4c197692a3e05bebacf3e544cc29181552b0541f95be59d5ef11efc399fa25144dd09bda9
-
Filesize
707B
MD567c073ae599bc5ff5705006836f3fb43
SHA1b6f82744161e2d32d72c02f52b8648cd1e89b2e5
SHA2562d2999e7f644717c608353c987a30504893e2b2aab08462c4ba79f7c5285c1e0
SHA512cb54cda1f76f7c27d800463b7a723a3d7c222724b6d6f741e95c248343a9c81839198da46ad2ec6c1c882ad0332a5edfe6f908e87acca88ed5fa71b7ee1c3b76
-
Filesize
539B
MD5bc1666435bdf25c1eb6396b409646e37
SHA1b088629e8de882482db7a2046d64bd2e9113db99
SHA256c965fb83e0fd429610707b6300475ca4b3b6ea5cc4f82f81e48ab1244cd663c9
SHA512d357eb60d85013d520dce886b1d782d6f0a264d3be77130f98da793c3ab67e31b11627485b8d4b72f67c17e27caaa44ee956d5f840c23f67df17dd9a3bb574e9
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5930a8d2ac3a4ae2b0564192f8c0dd517
SHA15fa287f076089d3c554caac10f8edeceeffe26b8
SHA256b01b221651403d9731af37b507040d2b034afdc5ea2731a98133422588b6df9a
SHA5127457c2b0fc36842488fcd1c132a608d8eba779661b4fd9d41c6cad04de0a98d029543a5c414def7a1ae97997f2d4149f03fdf09a15d32ec54b74ff72938ec487
-
Filesize
11KB
MD5719646101770af906599f98557a393a8
SHA17a9fb670c9084dd685e84d3e11cbb5449bb8a6e4
SHA2569dfaf00227e90687afc1cef833213bc5511050715ededdc80791a00bab7cbf85
SHA512ee66d9a758752d9f6dc73820f03ddbdf6d0557c04f4147406427b5b6de699853df2f9d50d22cf0d156382fd6ee3d5bdbdcd9b8d1b4ed9c5a775e5a81571f7a1e
-
Filesize
12KB
MD5
d77a1e8f03fd630f847d2af73ddfa204
SHA1
972c8f52cfec66bc3dfaa01d751c250b77be1677
SHA256
94cf71143d5195c0aff955ad5760da3d7d194ae4a18204bb2ed8a258afbc6100
SHA512
0e4033ab3640f0b7ac33ef30c47383a1593309f3eb4b19985065c348cc0186c681787b8297a408ab31b3f9f8b0e96995656934495f1faf392f63acc537d606ac
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240223095238_000_dotnet_runtime_7.0.16_win_x64.msi.log
Filesize
4KB
MD5
0bf951d55682d796eef7fcfadad3bee7
SHA1
d0866fcf3da07e3e23574f867264650e7b844651
SHA256
485bde487ea372745c5fd6c190e4ccfc7282c74e16074ca84a2cd2897829cfe7
SHA512
b175d80bb2b4e5a931dc567a84ce143f2c0a9d143ebd7e876c58377a8d20f5d1ee86367a9946d8b64fc62fa3b7173b135486fc6c75e23545e4199ef437720228
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240223095238_001_dotnet_hostfxr_7.0.16_win_x64.msi.log
Filesize
2KB
MD5
feeee27088fad18c7672376c19264c94
SHA1
80f4f8dce645918e63ec1067455bf99b9dd439aa
SHA256
66c4fd6db65790fde0a6828985c56921da82de6f2c37d523c72259668fa0102e
SHA512
227c0fb587938f87a5baa9c152d708aee57382625f8cf406ec716253bfff235af28d645cffe206d66a20c74bcfbbca052a250f2c517aceab7b5cb2d8be5245e0
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240223095238_002_dotnet_host_7.0.16_win_x64.msi.log
Filesize
2KB
MD5
86182c4680767f4768312ae63e6f35e1
SHA1
5802e0aa406ae7c413754010dd9c7616ac0d2bfd
SHA256
44bff76e7634f68bc9b73a761bfd41d23688ba323f97344d72cbc884aaa2e8db
SHA512
58a45b8e582ee60092678a6955888b2d7776f2f947009b226352c3050fe60a381e59d237db944e0270c4addbf9fe0c70650f60ae1388228365bd9396a1010a3b
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20240223095238_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log
Filesize
2KB
MD5
1cfd31e3c460a96e755b77946d3dba05
SHA1
7397887ccd00a3a50c165e7321439fabd664a762
SHA256
220cc6520304a4a766b3a1e1a9249773ea8bf2c52d856e99fbf795af7b839adf
SHA512
336b0bb1077a85319eb0db8afbf7774c31ad1ecc536f26851ca753674e984e99f93cd79f21fd3773cabaf33f03bf3d14deda28dee2a5f4165266aa833216424f
-
Filesize
13.2MB
MD5
170b9031c89726d445a322689ff66ff7
SHA1
e4d827a5ff30aca7783d872b03c2afd3c78e5d62
SHA256
26bde4f22eaa466847881b96b4fed699f850dafe2af43f722df1e588aacbf46f
SHA512
2ddb71e49e763d3067a8fd0824f8914b19e9ff1ec7e47e484c95453ec029254cc92831934a05a18803ae3ba39282a03923686f2ba9015d688fddc19d2cfbc0b5
-
Filesize
10.9MB
MD5
7516d7b1633d6996465c251766bf04ba
SHA1
64ec870258070abeb6fb03a1b52192f83118ff75
SHA256
5a1b2f9f3dea7bcb43b712063ade577ddb06fc7cfeb23d82a29825e871934c27
SHA512
654427df8335ed54c68522ba49bd4c546fc8bd7884a65dcd865ef7ee884a0200f01d5018ef28d5e9375c170f5db955b1eaf5df82332d4c343106b3d2182d9a84
-
Filesize
11.4MB
MD5
775675eaa72fe61fbaefc515e774ae2d
SHA1
0ab3ecd3d390e49207cc2468d523ee65e0a5708c
SHA256
5a7ddd7b2c0cd1ec724934f3680e05a9e5184626f206dbf3976c8844caeac2d1
SHA512
39e6eb944b45327ea2abd7f8a7604fa7ddc461d686d67536a94164b59bfb9249ffc746f153254c4592eea2bd78b9b3cd820f0c061f906d44760047e8e66b09bf
-
Filesize
9.1MB
MD5
b531daf33ca3cf644798600899e6f4d5
SHA1
dc3338147ca4b7acea3eadd6b0e4720d6bc51274
SHA256
ecde5618d5dcddbc79edb466d532b530adc139252cb13ec6e26d2155fa59bdd7
SHA512
95a8a1f951d44ed36a509d669cde8a9fe06b6e25f7e8525699c7d00abb786a01acf88dfcfded005181bc369d5e5d891c1e9b783cf1fabd27aec873edab99c49f
-
Filesize
225KB
MD5
d711da8a6487aea301e05003f327879f
SHA1
548d3779ed3ab7309328f174bfb18d7768d27747
SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681
-
Filesize
26.0MB
MD5
637126f724450ee972ae64d2b716d0c1
SHA1
4a8930aeafda84742ce9d5464002e0a22239b54b
SHA256
cc1702e97eef42cc5edf16e0ab0ce99fd6161074a9d7b4cede93a9da8b38de22
SHA512
e5a1335f4a73deb9def0965b9c76e7f86b2b4fafe6337dc110de3ae07ec0d4c7b00bd2b189c37e224ebd613da639c5d13166078c5db0ac33a88e29ac93f305eb
-
Filesize
28.8MB
MD5
d079a220fbf02ab89e53ac56efc42cd4
SHA1
8a42d27748dd07d46def2045f3ea8ca9c8388ba3
SHA256
0184e4536db8bd0a57cd2f80946ed435339e1977494488ca66dcf5454fc4ed03
SHA512
7aad48a392168911f131e4270c64a0eb05902434b6dce9821c216c6544e91b25d90efda366e9c376ee9c25d9fb9431f61428ee3b05b053d8eb015cd2b8ad8bea
-
C:\Windows\Temp\{86634D24-A48B-470F-825E-F58906AA3D85}\.cr\windowsdesktop-runtime-7.0.16-win-x64.exe
Filesize
610KB
MD5
9656c3086081a41540338b94df6ae084
SHA1
dc87b2d0dde3604437d13d2f89fe9ecb7c7b0373
SHA256
6a7a85e1b9e899ce83ca29eca2e0b34126acf97675991b431b279278a03c41f2
SHA512
7bdfc5943968403b787700f5c4e12d88f34bdca4569fbff21e178c17eba40f8db68135aaf426b990617316c10b86687a08375c611c4a9e5a8db8eb2c2be3e9cc
-
Filesize
4KB
MD5
9eb0320dfbf2bd541e6a55c01ddc9f20
SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99
SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
Filesize
197KB
MD5
4356ee50f0b1a878e270614780ddf095
SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af
SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691
-
Filesize
744KB
MD5
a1f68b5ec6da37ffc65f12f106d70f3d
SHA1
1bef05fa3f179a9ad079326a5a38b7728a81967c
SHA256
7c01b2af6cd178d88dc11b2c12840beb0b08f8dc4e8958ba8d7166759e0c64b8
SHA512
0dc65ee5f8a4720012e678dbeaaa44df10e12ad7941f4835c37a0d178abb7f282d0ee13e7b45fc56141489826c3c980020179ffb5973989a463f4aeacd188a93
-
Filesize
804KB
MD5
3db1b0ad874499a5bd80b9ad2ed2103f
SHA1
77f02d58918daa3cb25364960a1196ce2f711d0f
SHA256
7b32cfc57dae7fe08f7ed00d54771107aeb4b80305a7269f6b9ac2cb19710c35
SHA512
e2214799e8febb31e2dadeef8904e5692fb94f916500960642b780a4b68f9bd2d8d7e62d579418bcced9a7b0f7ff958e672783fc019617d17499e8c5e1b777e1
-
Filesize
10.6MB
MD5
f82540c939655d2c310bc5e23ed96fb3
SHA1
1cd2e55d2266d1c7c113d69ea04b0d911edf1ce6
SHA256
87caa17ad0e0ff816a8a257871f1177734d2bea38c90b573fcdaec2383797e45
SHA512
56d95b8831fe7245bc5534d0e1ea1f727a287baa2c12b29e7a0005b126f992593d3e7620bca7e5d6f3b15699f787fc5c068cce7a0f46e73cda7a6e7a1621ca15
-
Filesize
10.0MB
MD5
d07cea750bceea176072cbf65d3c6e2c
SHA1
8d2767fe40c69d5e0d9eb3b672d29b55a41951c8
SHA256
23f28c2d15c9f6e5534310d624aad01b7715d82c2d828d2f853d3dc8be128ed2
SHA512
76488dce98d079bf21b9ba50ae73e8d771bee9cd2086b69919c562e9d503e027fc178a1c5018cc956dcc1706bdc82f3523bf15a6597c78d3bdd5f779238041b9