Analysis
max time kernel: 105s
max time network: 96s
platform: windows11-21h2_x64
resource: win11-20240221-en
resource tags: arch:x64, arch:x86, image:win11-20240221-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09/03/2024, 19:50
Static task: static1
Behavioral task: behavioral1
Sample: liquidlauncher_0.2.1_x64_en-US.msi
Resource: win11-20240221-en
General
Target: liquidlauncher_0.2.1_x64_en-US.msi
Size: 6.9MB
MD5: 637a2322c7a1af4b7fc112d968100d26
SHA1: de22b924d8c233c5ac629886fd7fc1b4a20ea184
SHA256: c2490fb4d68cd53dbd760de0624578449e2e85813bc0bc96a478237eeb16e625
SHA512: 0651234514888dd128b1f38f2bf5d72b26fef6a330dc23247fa5a0e3976b5ceddca20cdcb1d5dbfcfa81248dc24b818de8ade2f7771a572d092df0e3e87462f5
SSDEEP: 196608:XcQlpq6HQ4IXRBPT68xVq9YRG9UYvkJYco:M6XqRZG8vq9YE8o
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\liquidlauncher\liquidlauncher.exe | msiexec.exe
File created | C:\Program Files\liquidlauncher\Uninstall liquidlauncher.lnk | msiexec.exe
Drops file in Windows directory (14 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\SystemTemp\~DF68A930C102B64C25.TMP | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\SourceHash{56CD17D2-94F2-4B09-80AD-8939F9CC840D} | msiexec.exe
File opened for modification | C:\Windows\Installer\{56CD17D2-94F2-4B09-80AD-8939F9CC840D}\ProductIcon | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9328.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF95F5BE2C0C738DFC.TMP | msiexec.exe
File created | C:\Windows\Installer\e5784df.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5784df.msi | msiexec.exe
File created | C:\Windows\SystemTemp\~DFF4C704FF64709D1A.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DF8E687BB49D1B9452.TMP | msiexec.exe
File created | C:\Windows\Installer\{56CD17D2-94F2-4B09-80AD-8939F9CC840D}\ProductIcon | msiexec.exe
File created | C:\Windows\Installer\e5784e1.msi | msiexec.exe
Executes dropped EXE (2 IoCs)
pid | Process
4632 | liquidlauncher.exe
1080 | liquidlauncher.exe
Loads dropped DLL (2 IoCs)
pid | Process
3788 | MsiExec.exe
3788 | MsiExec.exe
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedgewebview2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedgewebview2.exe
Modifies data under HKEY_USERS (3 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | msiexec.exe
Modifies registry class (26 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2693D3A556A2F4757975715DD16BC1A4\2D71DC652F4990B408DA98939FCC48D0 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2D71DC652F4990B408DA98939FCC48D0\External | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2D71DC652F4990B408DA98939FCC48D0\Environment = "MainProgram" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2D71DC652F4990B408DA98939FCC48D0\MainProgram | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\Version = "131073" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\Language = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\ProductName = "liquidlauncher" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2693D3A556A2F4757975715DD16BC1A4 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\SourceList\PackageName = "liquidlauncher_0.2.1_x64_en-US.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\ProductIcon = "C:\\Windows\\Installer\\{56CD17D2-94F2-4B09-80AD-8939F9CC840D}\\ProductIcon" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2D71DC652F4990B408DA98939FCC48D0\ShortcutsFeature = "MainProgram" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\PackageCode = "50E5BDD93EB8FB748999F8EF663B6DAD" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\AdvertiseFlags = "388" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2D71DC652F4990B408DA98939FCC48D0\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2D71DC652F4990B408DA98939FCC48D0 | msiexec.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
3240 | msiexec.exe
3240 | msiexec.exe
5068 | msedgewebview2.exe
5068 | msedgewebview2.exe
4832 | msedgewebview2.exe
4832 | msedgewebview2.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
pid | Process
4972 | msedgewebview2.exe
4492 | msedgewebview2.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (8 IoCs)
pid | Process
1052 | msiexec.exe
1052 | msiexec.exe
4632 | liquidlauncher.exe
4972 | msedgewebview2.exe
4972 | msedgewebview2.exe
1080 | liquidlauncher.exe
4492 | msedgewebview2.exe
4492 | msedgewebview2.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(child processes are indented under their parent process)

C:\Windows\system32\msiexec.exe (PID 1052)
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\liquidlauncher_0.2.1_x64_en-US.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 3240)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe (PID 3788)
      C:\Windows\syswow64\MsiExec.exe -Embedding 18E56C454DC8EA29D47F346645AD1738 C
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Program Files\liquidlauncher\liquidlauncher.exe (PID 4632)
          "C:\Program Files\liquidlauncher\liquidlauncher.exe"
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe (PID 4972)
              "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=liquidlauncher.exe --webview-exe-version=0.2.1 --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=4632.2408.16860578482572303242
              - Enumerates system info in registry
              - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of WriteProcessMemory

                C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe (PID 3296)
                  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x114,0x7ffa2ae93cb8,0x7ffa2ae93cc8,0x7ffa2ae93cd8

                C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe (PID 3576)
                  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1756,10010384975496028478,2097353634844699086,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=liquidlauncher.exe --webview-exe-version=0.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1796 /prefetch:2

                C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe (PID 5068)
                  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1756,10010384975496028478,2097353634844699086,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=liquidlauncher.exe --webview-exe-version=0.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2012 /prefetch:3
                  - Suspicious behavior: EnumeratesProcesses

                C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe (PID 3028)
                  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1756,10010384975496028478,2097353634844699086,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=liquidlauncher.exe --webview-exe-version=0.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2368 /prefetch:8

                C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe (PID 1188)
                  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1756,10010384975496028478,2097353634844699086,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=liquidlauncher.exe --webview-exe-version=0.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1

    C:\Windows\system32\srtasks.exe (PID 1444)
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\system32\vssvc.exe (PID 3388)
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)

C:\Windows\System32\CompPkgSrv.exe (PID 4740)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe (PID 4720)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\liquidlauncher\liquidlauncher.exe (PID 1080)
  "C:\Program Files\liquidlauncher\liquidlauncher.exe"
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow

    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe (PID 4492)
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=liquidlauncher.exe --webview-exe-version=0.2.1 --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=1080.3884.16013370706512474798
      - Enumerates system info in registry
      - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      - Suspicious use of FindShellTrayWindow

        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe (PID 3700)
          "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x1d0,0x7ffa2ae93cb8,0x7ffa2ae93cc8,0x7ffa2ae93cd8

        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe (PID 3056)
          "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1860,9955962997047017209,17572696081301780923,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=liquidlauncher.exe --webview-exe-version=0.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1872 /prefetch:2

        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe (PID 4832)
          "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,9955962997047017209,17572696081301780923,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=liquidlauncher.exe --webview-exe-version=0.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1920 /prefetch:3
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe (PID 2568)
          "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,9955962997047017209,17572696081301780923,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=liquidlauncher.exe --webview-exe-version=0.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2592 /prefetch:8

        C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe (PID 2536)
          "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1860,9955962997047017209,17572696081301780923,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" --webview-exe-name=liquidlauncher.exe --webview-exe-version=0.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
-
-
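The four msedgewebview2.exe command lines above are what an embedded WebView2 host looks like in a process tree: every child carries --embedded-browser-webview=1, --webview-exe-name=liquidlauncher.exe and a --user-data-dir under the launcher's own AppData folder rather than an Edge profile. Several switches turn protections off (msSmartScreenProtection in --disable-features, --no-v8-untrusted-code-mitigations on the renderer, --service-sandbox-type=none on the network service), but these are what WebView2 itself passes to its children, so they identify the host application rather than prove anything about it. The Python below is an added editor's example, not part of the tria.ge report or of the liquidlauncher project: it tokenises such a command line (quoted values with spaces and backslashes kept whole), extracts the process role and host, and lists the protection-relevant switches for review. The two embedded command lines are trimmed copies of the network-service and renderer lines above; RISKY_SWITCHES and RISKY_DISABLED_FEATURES are my own choice of what to flag.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Switches that turn off a Chromium self-protection when present on a child
# process. Several are WebView2 defaults, so they are review prompts, not verdicts.
RISKY_SWITCHES = {
    "--no-sandbox": "process sandbox disabled",
    "--no-v8-untrusted-code-mitigations": "V8 untrusted-code mitigations disabled",
    "--disable-client-side-phishing-detection": "client-side phishing detection disabled",
}
RISKY_DISABLED_FEATURES = {
    "msSmartScreenProtection": "SmartScreen disabled for embedded WebView",
    "msPasswordBreachDetection": "password breach detection disabled",
}

# A token is a run of non-space characters in which "..." groups are kept whole,
# so a quoted path containing spaces and backslashes stays a single token.
_TOKEN = re.compile(r'(?:"[^"]*"|[^\s"])+')


@dataclass
class ChildProcess:
    exe: str
    kind: str                     # --type: renderer, gpu-process, utility, ...
    sub_type: Optional[str]       # --utility-sub-type for utility processes
    sandbox: Optional[str]        # --service-sandbox-type
    user_data_dir: Optional[str]  # --user-data-dir (profile location)
    host_exe: Optional[str]       # --webview-exe-name, only set by WebView2 hosts
    pid: Optional[int]
    findings: List[str] = field(default_factory=list)


def parse_switches(cmdline: str) -> Tuple[str, Dict[str, str]]:
    """Split a Chromium command line into (exe, {switch: value}); quotes are stripped."""
    tokens = _TOKEN.findall(cmdline)
    if not tokens:
        raise ValueError("empty command line")
    exe = tokens[0].strip('"')
    switches: Dict[str, str] = {}
    for tok in tokens[1:]:
        if not tok.startswith("--"):
            continue  # /prefetch:N is a Windows prefetch hint, not a Chromium switch
        name, _, value = tok.partition("=")
        switches[name] = value.strip('"')
    return exe, switches


def analyse(cmdline: str, pid: Optional[int] = None) -> ChildProcess:
    """Classify one child process and collect the protection-relevant switches."""
    exe, sw = parse_switches(cmdline)
    proc = ChildProcess(
        exe=exe,
        kind=sw.get("--type", "browser"),  # the browser/host process has no --type
        sub_type=sw.get("--utility-sub-type"),
        sandbox=sw.get("--service-sandbox-type"),
        user_data_dir=sw.get("--user-data-dir"),
        host_exe=sw.get("--webview-exe-name"),
        pid=pid,
    )
    if sw.get("--embedded-browser-webview") == "1" and proc.host_exe:
        proc.findings.append(f"embedded WebView2 hosted by {proc.host_exe}")
    if proc.sandbox == "none":
        proc.findings.append(f"unsandboxed {proc.sub_type or proc.kind} process")
    for name, why in RISKY_SWITCHES.items():
        if name in sw:
            proc.findings.append(why)
    disabled = set(sw.get("--disable-features", "").split(","))
    for feat, why in RISKY_DISABLED_FEATURES.items():
        if feat in disabled:
            proc.findings.append(why)
    return proc


# Trimmed copies of the network-service and renderer command lines from the report;
# the long --disable-features list is cut down to the entries the checks look at.
NETWORK_SERVICE = (
    r'"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" '
    r'--type=utility --utility-sub-type=network.mojom.NetworkService '
    r'--disable-features=msPasswordBreachDetection,msSmartScreenProtection '
    r'--service-sandbox-type=none '
    r'--user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" '
    r'--webview-exe-name=liquidlauncher.exe --embedded-browser-webview=1 /prefetch:3'
)
RENDERER = (
    r'"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" '
    r'--type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" '
    r'--user-data-dir="C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView" '
    r'--webview-exe-name=liquidlauncher.exe --embedded-browser-webview=1 '
    r'--disable-client-side-phishing-detection --no-v8-untrusted-code-mitigations /prefetch:1'
)

if __name__ == "__main__":
    for line, pid in ((NETWORK_SERVICE, 4832), (RENDERER, 2536)):
        p = analyse(line, pid)
        print(p.pid, p.kind, p.sub_type or "", "host:", p.host_exe)
        for f in p.findings:
            print("   -", f)
```

Run as a script it prints one summary per process. The findings are prompts to look at the host executable and its profile directory, not a verdict: the same switches appear under any WebView2-based application, so the useful pivot is --webview-exe-name and the --user-data-dir path, which here both point at the launcher.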
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
9KB
MD5
99b527f0c5264831661cebcdcd32fdcd
SHA1
5573eaf041fe2bdd513c95554652e5b3dffb0788
SHA256
9f52ae7082f24837f989ae5389e39db5d9d18266610eb5b4e26c20d146a006d9
SHA512
74686e080578e4af90708d187db878039f2aaf6737dfa6a639b200608b8495381ae4fa11a96c5a74a96448ce5c3ab5478deeb5f0079b38e177cc33851ab73eba
-
Filesize
14.4MB
MD5
3bd0d36771637bbd433548d1c8ec7b97
SHA1
6ca968c46d02bba22c535185423640c22c3ff1a5
SHA256
c1b19ff57942bba151f99b450e6a9756db716638ed1a4fa81387f04c096e97ba
SHA512
2b2ebdcc121d3c71673307971c76f308bbabcb4ad859d712417c52178c1a8b465789abc5d7903ca547672132eb5bad02ae846339b73d21ade0535e1170a36803
-
Filesize
1.9MB
MD5
1966d0252d5e0279925cfb1f7692ad97
SHA1
a99932c129117b47ee3dba8637e2b9a1736751e4
SHA256
d47a1f4a445e4adcc433f8e9325a3a8cb62654b11d02f075694a78b8f89be981
SHA512
c6ab474fe24d8e2b82b5af64e0f5bc73595962e60c0d554c6a07b3a8f42154a3045f9102b2cb8d3db4b3288315ab39132fcfd7512c707397d609f8dc8e3e1e54
-
Filesize
128KB
MD5
88a800441335982cca7464c998058e2b
SHA1
7798ff86cda5865617a48f6577de2c3f7d327081
SHA256
8f52ed11ba36311f32e8d160dac4442ad528987411ea0535ed0935b18f881efb
SHA512
d9b0c0a90faddbc2622c94ccec8d690d1dbcd3c2c95770cfaa52f7bf04827722b2f1d6fed6ec44fbea86efc58c1e4b5ee2a5920fc56702ad45a0f335bbf766f2
-
Filesize
2KB
MD5
3a5c3e4077ee5299844a695eb5533a5c
SHA1
e26e22829d7db59b0112a8b9dad1e98b5672db59
SHA256
2c0a720d65406b8e359036a6ad2bf9ce3bad672aefdbbe1a3193c28d0247a305
SHA512
e561eeab24f2042bf2d17b688ca43cb5502352eb6c638dc1e319bbd49cadb08a44192a9b89e4da0ebb8cee851f68a6b4d0da13ba390e4017de113142dd9e1d4d
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\liquidlauncher\liquidlauncher.lnk~RFe579431.TMP
Filesize
1KB
MD5
940b80e666fea06e98beb29efacfd967
SHA1
7488e7c32bf8f1985e683196f3b62631ce58975e
SHA256
95511ce2576fe237e58500e6407c593cc6f9130112e356c9763d9799c5c12c1a
SHA512
02d0379674b17697f8c5a1d0d1e63af2dae71ee1254c01f004fb242c648c9b2473a4d0e852d8c60a03dcb4ab056e15f9d39cda902427b4aee70afda49e7b04b0
-
Filesize
113KB
MD5
4fdd16752561cf585fed1506914d73e0
SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600
-
Filesize
211KB
MD5
a3ae5d86ecf38db9427359ea37a5f646
SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\8dfa7e89-9e45-4014-b12a-7c1fdbbaee59.tmp
Filesize
2KB
MD5
91b4c817ccae043250df2b2511533cac
SHA1
3f1337f6fa5b469e5d82bf154445456b31b82b1b
SHA256
9ae13ee0db8c7fb20e01742b910f413b7daee1faefa7dcf156681e2b84c3a9d0
SHA512
8f74de5344bfbf7c02b47973b38b2dbd75f5d80dc163193ba0d4a5797417ea76d156237eb7b4cfbdb8d424da63411110f4925052edee2ff36bb267c0843b568d
-
Filesize
152B
MD5
f79f26404444fd3cd2972cd9b97a6152
SHA1
3d63c333acd266ba15774bcce15d0043f16d47d7
SHA256
2feda929a73a50dfc9e75da51494bb30325f443039ac98a08255aadfa04523d7
SHA512
83a69e9c63f05eea17919f7d5c654d6e5faa3ee83f9d628e45c699df23bdfd4a98af17b8800f57b3d7cef1166aa3a8a8798a6ec3a8327cdb76f418bf064ce422
-
Filesize
152B
MD5
2747838b62c15ad9b3de93f48593342b
SHA1
17c41daac161f9ebb3803fbc42250926d5e80306
SHA256
4ac3b98789eae78be790ed9062be75357fa4d3e2e3d378c35d55d756f827d233
SHA512
2fe8f6c007103ba388e7efa6505064176a3363dd708c35894b9e9be439deabca326e835d5eabed9006d8b68dfc16fc6e188d566a09ab401280b5552a770fd076
-
Filesize
20B
MD5
9e4e94633b73f4a7680240a0ffd6cd2c
SHA1
e68e02453ce22736169a56fdb59043d33668368f
SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
Filesize
24B
MD5
54cb446f628b2ea4a5bce5769910512e
SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B
MD5
98d8c4ee13445efb1a5f65f6ad9cad13
SHA1
50f9cae62614dd739edc8a31ea5ea384304046b1
SHA256
eeece9e4e82c2ffa41beef35ff193bef190de7190e72e0a4812869d24637e690
SHA512
2718130b4cdbd45fba75157121af67c7c9af095faa797fa14a08102359ee5fac2f408112fe0641643278854b5f4aa2118ae210c7f85a941b1c4aaa7592c41d9c
-
Filesize
20KB
MD5
5688ce73407154729a65e71e4123ab21
SHA1
9a2bb4125d44f996af3ed51a71ee6f8ecd296bd7
SHA256
be1b822e970dfe1a120d248db7000eaf799bd6531929a1308676c70fe1608d60
SHA512
eb6452b23ea36c39d03ead154185616c13583f12f382cb2456beeb1ba6e5febdfd2a6f1064283cf115ad1c517dbf409777cdacb128e00c9d3f401335db355537
-
Filesize
8KB
MD5
cf89d16bb9107c631daabf0c0ee58efb
SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
264KB
MD5
f50f89a0a91564d0b8a211f8921aa7de
SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
8KB
MD5
0962291d6d367570bee5454721c17e11
SHA1
59d10a893ef321a706a9255176761366115bedcb
SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD5
41876349cb12d6db992f1309f22df3f0
SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
256KB
MD5
d996fdf57f69ae09efd356776804e15d
SHA1
682611334825822a859716c8b7f998d1e6b54295
SHA256
0d7212ec7cc5de18bb8600786c7e7d47650e16d2a2566b73820cc6d5e1cfc6c9
SHA512
3cbb5b69f998d016594dfe4267269b199b88dabc7a4c7369f835afdf2e06e88a47ed6da60fef8f5bbd0958abb5bc843ef0c62da43959f90e1eb007ea21807076
-
Filesize
116KB
MD5
4e2922249bf476fb3067795f2fa5e794
SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2
SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1
SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da
-
Filesize
6B
MD5
a9851aa4c3c8af2d1bd8834201b2ba51
SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818
-
C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001
Filesize
41B
MD5
5af87dfd673ba2115e2fcf5cfdb727ab
SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
40KB
MD5
b608d407fc15adea97c26936bc6f03f6
SHA1
953e7420801c76393902c0d6bb56148947e41571
SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
Filesize
76KB
MD5
cf7ac318453f6b64b6dc186489ff4593
SHA1
b405c8e0737be8e16a08556757dc817bd02af025
SHA256
634434e865f1ba1b90039bd5afd8f01bad6d278377106022ea2a9c2d8778d31a
SHA512
b64e484d16222d8de31f53cd60b719b7d855bbc552a7d052e202382bc3013e0edaceb31e3a287f2ea6b7117ccfdb8a56ea9d7da78535d2c606183072ecd084e4
-
Filesize
3KB
MD5
afe796a2a89e5604d118174acb1eebf6
SHA1
a78433dc7c53faada2832951a83df82d3d78663e
SHA256
59ac21fff1de6159d936bedba7783aad9b557d53ad27ad71864861e6c751d1ad
SHA512
e80b80e8368268c3209c72df122adbbabef445cb730d41e3e1b12cbce9ae89e454efa770b2e60f9545d06149a46d853ab6343912ed114d2fa12e45c77e6707c8
-
Filesize
3KB
MD5
c7dfdb1e51e4d9a063bd1effa873ac7a
SHA1
f7a5bb74d92d3806b7fa082f7790b8f76622e043
SHA256
54c5fec788daaf07681a4c4cbf44832428df90b9590bc05a9a89be50c4c9c48e
SHA512
e5e3616ac9f55989f5381388506f248ac6d4e4c5b01326214e8fc76c82554f9eb11518a064a6ca531719b88838d3de9f8d7d50cbc3e444d42331eddedd3881c2
-
Filesize
8KB
MD5
5deba09cf4bfb8922771ba131dff40c5
SHA1
7a03eb361b8ed1af13d698e0df377ba3aa37fe1b
SHA256
071a95004f7ea89970f3a0691280a5cf43315403d19b186836ef6b2e766afc5f
SHA512
3d572b1f9b4c77e1bc4f7e28ce1722219effe388b8a8f759d8b0e8fa48d721c8a800ef289f82ac8e86b5dd4e66a265b4d9167a34e7f7c55d75bc6bd87c6bf226
-
C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\Default\Site Characteristics Database\000003.log
Filesize
40B
MD5
148079685e25097536785f4536af014b
SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f
-
C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\Default\Site Characteristics Database\LOG
Filesize
333B
MD5
5fdbcfc2e562997c0c400cee1e6fd95a
SHA1
fbafb276877c7a2ba0391e4522a06bd11880ff80
SHA256
e1505fc783bf049b55b08b4a5a54db4b4449093c8f665e833ba5d550fcb1946d
SHA512
8f7fb6255d0e51ba2c29478f592c86ffc21b6c30414d7056a779b66a2c074d5fd3cb7f7d5f5fac17052a5619750d061225fb7973060899531e596f761090173f
-
C:\Users\Admin\AppData\Local\net.ccbluex.liquidlauncher\EBWebView\Default\Sync Data\LevelDB\000003.log
Filesize
46B
MD5
90881c9c26f29fca29815a08ba858544
SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625
-
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
307B
MD5
302ed3b8af59e44b5aba45ccc3660f9a
SHA1
eadc77dc987e088d3647c9f528af090af7dc9a09
SHA256
36800579f40f0bc102f380fc72c3abb28e2c9e302d024468a40aa4b94d93f5fe
SHA512
62527cc514d2b422b90f43f9c7a7d90748dc5167d6817e51cf66d1e6f2261f3fb6202c46c78689e9ac5d4a9edafcf6078cbc86bdf405db559e167ef897aabd70
-
Filesize
20KB
MD5
325ddf165383376a8e530a8288a9fb73
SHA1
f451204bb6f3de9de42f27bd887576b083026e87
SHA256
53eb4fcb3cbcaacd4d94036c9379715990f86185b8ef7fd18cb27665193da6c8
SHA512
edb9c49956741560f40df102b81c3b558b1ae9ce902040f89cecb2fbbf60277dcb73f68d8b7c60340a92c46915828b7a204420292d0a4906ac0e9082943ad528
-
Filesize
128KB
MD5
4a50dc556ced2f3106399205a316f705
SHA1
2a8c4afeab4df0ec2a12b178bdeffc095dca5721
SHA256
88ce51f5cf32ffbbfc18b9fd77cf2fc799d0c2cc3107c835d3c0d7d69d5b5695
SHA512
7842b3e1a038de3c938af62c67ad6112e48760a0ce153b03113221901ec770d594ab5574ee8defd119071b12c9e99148009f4f90941563a5a4f8d7f8899287fa
-
Filesize
110KB
MD5
12aff5c24b1e165da94cc9ddef6d752a
SHA1
345a57b067d6c7561b149b6a7de1d0cf53e42cc9
SHA256
b49ee954c97289b707fcaed55266f7c49720d1c24f4a8872038384155081aabf
SHA512
fd584f3d7e3a5603ff2699e1b4930d6594b0ea09c0a194b7329f44d3d4d2e1e985a42ab512afc1b6a0f35412ef839d35f27fab1f6506e871d74c648c3adb0ae6
-
Filesize
44KB
MD5
144dfaaa82df72858197f4ef7ddd34f2
SHA1
e6bbbc5593c1d782e2d23c6ba6a5f5468e7548fa
SHA256
fe2844d9713e3f49ff6e5c6d5e9f3b7af671fe9165cafe01ebbaf61bb1ae84b9
SHA512
5a53b1dfd4729dd2cf7c5fb45b4b15e3b1729c7c7dca1a029b39964a6e0f9435bde61ba5c8e7b859254798fa135264c9814533409e5980159e52cdca2b1a5793
-
Filesize
11B
MD5
b29bcf9cd0e55f93000b4bb265a9810b
SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011
-
Filesize
2KB
MD5
83d10cc338ad251f7ece57a49b463ec1
SHA1
6115d72bebca30f45d5e3927b4fe8a4dcecce957
SHA256
221778cde0e8befb27f06ab0a87f330595fb5239bbc974ea915d3dbc00bde0cc
SHA512
92ba4c560070526a61063c8239922eadbfc971589fd71018fd10dc449974a853303804be30155502ce39575a564ce91e901532d8087ceec58ff0b3cfa115a0d0
-
Filesize
256KB
MD5
1c4bbc53966272c446d3f51ca43ff199
SHA1
f732006bbc15ffc622ff147bed4eaa5534a2a68c
SHA256
5b90c9f66188967e23e1515ce1fdd3677721f84436c63866017ecf3816be9165
SHA512
a36760529dd8de83a65950f5e097520718dcf3335b73256ba33743e5e2fecb6dac1780d27e749a806fc07012287d753ce19e94cccfd7e1e86ceb675fec14d2eb
-
Filesize
166B
MD5
580618bb42ce9db7c55c74acf3cef3cc
SHA1
f235bde80bbbd7840a46bc93fc15abc926a6f8c8
SHA256
f47f7a4b4e6e5c0ca4be7c933482ac6dab2b1543472abca83e7a3199b6f01b17
SHA512
bda8b0514b54abf16243264974f46128d1f1892c1cc8c6479f600a936005fcf658fff3ad57efb2c71545f6fe5b79deb12f5e2dfd573f8268ab7905a78b614d2c
-
Filesize
6.9MB
MD5
637a2322c7a1af4b7fc112d968100d26
SHA1
de22b924d8c233c5ac629886fd7fc1b4a20ea184
SHA256
c2490fb4d68cd53dbd760de0624578449e2e85813bc0bc96a478237eeb16e625
SHA512
0651234514888dd128b1f38f2bf5d72b26fef6a330dc23247fa5a0e3976b5ceddca20cdcb1d5dbfcfa81248dc24b818de8ade2f7771a572d092df0e3e87462f5
-
Filesize
12.8MB
MD5
74c6e6531a82a1411dd3fae319d1ff02
SHA1
4f7816bbc64a1466972f594edc4ae8b8102fb209
SHA256
777ba19f856b2a214fc144f607f9465f844ddd670b37e57860cf37ff5318f076
SHA512
a36196dc5bc76138e2952090b45b8bd2ae033ddf52bfb40cd5bce3b4f2b3a1e3569e2f61c236afc67408199882015b6a35604cd80310920015a09178cdcffe8f
-
\??\Volume{b39e1afb-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{25ba1e8c-d816-44b3-9a36-4dd940ab0633}_OnDiskSnapshotProp
Filesize
6KB
MD5
b4de39af0cfdbc676e31972ca76f79f8
SHA1
19d6e946d41642d126aaaad39464aea94bbcff86
SHA256
93dd4a618d7b59cc2263f7702fa82283cd41c979163e0b94a49c51aa1f06b801
SHA512
13e4a4a5ba8f42847769e1eff63046f49aa7ec78d5c7c52d663ffb369a2ae60919af0da47d6d686555cb87eae3e5133e3998bdc1bc11412de3de63619173e749
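The Downloads list above is the report's dropped-file inventory: each entry is a size plus MD5, SHA-1, SHA-256 and SHA-512 digests, with the on-disk path shown for only some of the files. When these are pulled into a blocklist or an EDR hash hunt, the part to get right is the parsing: the exported text sometimes fuses a label with its value ("MD5637a...") and sometimes puts them on separate lines, and a truncated or mistyped digest must be rejected rather than loaded silently as a bad indicator. The Python below is an added editor's example, not tooling from tria.ge or from the liquidlauncher project. It accepts both layouts, validates each digest's hex length, expands the rounded size to bytes, and indexes the entries by SHA-256. SAMPLE holds two entries copied from the list above, one in each layout.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits
_UNIT = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

# A field label, optionally followed on the same line by its value: "MD5637a...",
# "MD5 637a..." and a bare "MD5" (value on the next line) all match.
_FIELD = re.compile(r"^(Filesize|SHA512|SHA256|SHA1|MD5)\s*(\S*)$")
_SIZE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")
_HEX = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class DroppedFile:
    path: Optional[str]  # None when the report shows no path for the entry
    size_bytes: int      # expanded from the rounded report size, so approximate
    md5: str
    sha1: str
    sha256: str
    sha512: str


def parse_size(text: str) -> int:
    """'6.9MB' -> 7235174 (rounded report size expanded with 1024-based units)."""
    m = _SIZE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised size {text!r}")
    return int(float(m.group(1)) * _UNIT[m.group(2)])


def _records(lines: List[str]) -> Iterator[Dict[str, str]]:
    """Yield one {field: value} dict per '-' separated entry of the listing."""
    cur: Dict[str, str] = {}
    it = iter(lines)
    for raw in it:
        line = raw.strip()
        if line == "-":
            if cur:
                yield cur
            cur = {}
            continue
        m = _FIELD.match(line)
        if m is None:
            if line:
                cur["path"] = line  # anything that is not a field label is the path
            continue
        name, value = m.groups()
        if not value:               # label on its own line: value follows on the next
            value = next(it, "").strip()
        cur[name] = value
    if cur:
        yield cur


def parse_downloads(text: str) -> List[DroppedFile]:
    """Parse the listing, rejecting entries with a missing or wrong-length digest."""
    files: List[DroppedFile] = []
    for rec in _records(text.splitlines()):
        where = rec.get("path", "(no path)")
        if "Filesize" not in rec:
            raise ValueError(f"entry {where} has no Filesize")
        for name, n in HASH_LENGTHS.items():
            h = rec.get(name, "")
            if len(h) != n or _HEX.match(h) is None:
                raise ValueError(f"bad {name} {h!r} in entry {where}")
        files.append(DroppedFile(
            path=rec.get("path"),
            size_bytes=parse_size(rec["Filesize"]),
            md5=rec["MD5"].lower(), sha1=rec["SHA1"].lower(),
            sha256=rec["SHA256"].lower(), sha512=rec["SHA512"].lower(),
        ))
    return files


def index_by_sha256(files: List[DroppedFile]) -> Dict[str, DroppedFile]:
    """SHA-256 keyed lookup, the key most blocklists and EDR hash queries use."""
    return {f.sha256: f for f in files}


# Two entries copied from the Downloads list above, one per layout the exported
# report text uses (label fused to its value; label and value on separate lines).
SAMPLE = r"""
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\liquidlauncher\liquidlauncher.lnk~RFe579431.TMP
Filesize1KB
MD5940b80e666fea06e98beb29efacfd967
SHA17488e7c32bf8f1985e683196f3b62631ce58975e
SHA25695511ce2576fe237e58500e6407c593cc6f9130112e356c9763d9799c5c12c1a
SHA51202d0379674b17697f8c5a1d0d1e63af2dae71ee1254c01f004fb242c648c9b2473a4d0e852d8c60a03dcb4ab056e15f9d39cda902427b4aee70afda49e7b04b0
-
Filesize
6.9MB
MD5
637a2322c7a1af4b7fc112d968100d26
SHA1
de22b924d8c233c5ac629886fd7fc1b4a20ea184
SHA256
c2490fb4d68cd53dbd760de0624578449e2e85813bc0bc96a478237eeb16e625
SHA512
0651234514888dd128b1f38f2bf5d72b26fef6a330dc23247fa5a0e3976b5ceddca20cdcb1d5dbfcfa81248dc24b818de8ade2f7771a572d092df0e3e87462f5
"""

if __name__ == "__main__":
    for f in parse_downloads(SAMPLE):
        print(f"{f.size_bytes:>9} {f.sha256}  {f.path or '(no path)'}")
```

Sizes in the report are rounded (1KB, 6.9MB), so size_bytes is only good for sanity-checking a match, never for identification; the digests are the identifiers. Rejecting a malformed digest at parse time matters because a 63-character SHA-256 silently loaded into a blocklist never matches anything and gives a false sense of coverage.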