03a9b3163071ecb41e20b95eb664c3165b9fcaba89f5e5433484d65e8cfa0380

Resubmissions

25-03-2024 18:47

240325-xfajkaae3y 1

25-03-2024 18:46

240325-xezgasae2z 1

25-03-2024 18:42

240325-xcrcxaff37 7

25-03-2024 18:40

240325-xbk5haad21 1

Analysis

max time kernel
1799s
max time network
1702s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Windows11InstallationAssistant (1).exe
Size

4.0MB
MD5

9efe0c8b7f96c1a7d5bdd52bf07d009d
SHA1

dc6ff2f1c0af472cdc81b05f876c10420a6bbb78
SHA256

03a9b3163071ecb41e20b95eb664c3165b9fcaba89f5e5433484d65e8cfa0380
SHA512

b66772e1faeff8c607b6624106530945997fe2105569cbf92cf0eaa31f7bd02ed46b74bae6e9d79b6f51da76445564ed73fe9eb2a6507e3ce5d543781ba227fb
SSDEEP

98304:Fguv/rctyMh4cCE3p8fuCNCzLX/sA2uQqvAVGht5f/LyXtcH//9:SVtyMh9CVPUDk+4QjyXa

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation	Windows11InstallationAssistant (1).exe

Executes dropped EXE 1 IoCs

pid	Process
4492	Windows10UpgraderApp.exe

Loads dropped DLL 1 IoCs

pid	Process
4492	Windows10UpgraderApp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_hu-hu.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sk-sk.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_th-th.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\eula.css	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\block.png	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_da-dk.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktopRS2.css	Windows11InstallationAssistant (1).exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\appraiserxp.dll	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_en-us.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_fi-fi.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sr-latn-rs.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ru-ru.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_cs-cz.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_fr-fr.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_pl-pl.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_pt-pt.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_lv-lv.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_nl-nl.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_eu-es.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ko-kr.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\ESDHelper.dll	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default_sunvalley.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_zh-cn.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\ui.js	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\downloader.dll	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentDeploy.dll	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_he-il.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_tr-tr.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktop.css	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\WinDlp.dll	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_el-gr.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_fr-ca.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_it-it.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_uk-ua.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_es-mx.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\base.js	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_pt-br.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ro-ro.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\marketing.png	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\bullet.png	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ar-sa.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_es-es.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_nb-no.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_bg-bg.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_de-de.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_germany_region.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_gl-es.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sl-si.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_zh-tw.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\pass.png	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\appraiserxp.dll	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_hr-hr.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ja-jp.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_lt-lt.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_en-gb.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_et-ee.htm	Windows11InstallationAssistant (1).exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini	Windows10UpgraderApp.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sv-se.htm	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\logo.png	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\ui-dark.css	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentOOBE.dll	Windows11InstallationAssistant (1).exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentRollback.EXE	Windows11InstallationAssistant (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2476	4492	WerFault.exe	93

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Windows10UpgraderApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\IESettingSync	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Windows10UpgraderApp.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133558658041813664"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
740	chrome.exe
740	chrome.exe
5568	msedge.exe
5568	msedge.exe
5568	msedge.exe
5584	msedge.exe
5584	msedge.exe
7160	identity_helper.exe
7160	identity_helper.exe
4196	chrome.exe
4196	chrome.exe
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe
6256	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	3484	Windows11InstallationAssistant (1).exe
Token: SeRestorePrivilege	3484	Windows11InstallationAssistant (1).exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe
Token: SeShutdownPrivilege	740	chrome.exe
Token: SeCreatePagefilePrivilege	740	chrome.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
4040	firefox.exe
4040	firefox.exe
4040	firefox.exe
4040	firefox.exe
4040	firefox.exe
4040	firefox.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe

Suspicious use of SendNotifyMessage 53 IoCs

pid	Process
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
740	chrome.exe
4040	firefox.exe
4040	firefox.exe
4040	firefox.exe
4040	firefox.exe
4040	firefox.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe
5584	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4492	Windows10UpgraderApp.exe
4492	Windows10UpgraderApp.exe
4492	Windows10UpgraderApp.exe
4492	Windows10UpgraderApp.exe
4492	Windows10UpgraderApp.exe
4040	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4492	3484	Windows11InstallationAssistant (1).exe	93
PID 3484 wrote to memory of 4492	3484	Windows11InstallationAssistant (1).exe	93
PID 3484 wrote to memory of 4492	3484	Windows11InstallationAssistant (1).exe	93
PID 740 wrote to memory of 900	740	chrome.exe	107
PID 740 wrote to memory of 900	740	chrome.exe	107
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 2936	740	chrome.exe	108
PID 740 wrote to memory of 436	740	chrome.exe	109
PID 740 wrote to memory of 436	740	chrome.exe	109
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110
PID 740 wrote to memory of 3148	740	chrome.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Windows11InstallationAssistant (1).exe
"C:\Users\Admin\AppData\Local\Temp\Windows11InstallationAssistant (1).exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe
  "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe" /SkipSelfUpdate /SunValley
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4492
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4492 -s 1856
    3⤵
    - Program crash
    PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4492 -ip 4492
1⤵
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbd8649758,0x7ffbd8649768,0x7ffbd8649778
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1856,i,11676736798177952300,13418713111889311246,131072 /prefetch:2
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1856,i,11676736798177952300,13418713111889311246,131072 /prefetch:8
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2172 --field-trial-handle=1856,i,11676736798177952300,13418713111889311246,131072 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1856,i,11676736798177952300,13418713111889311246,131072 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1856,i,11676736798177952300,13418713111889311246,131072 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4528 --field-trial-handle=1856,i,11676736798177952300,13418713111889311246,131072 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 --field-trial-handle=1856,i,11676736798177952300,13418713111889311246,131072 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1856,i,11676736798177952300,13418713111889311246,131072 /prefetch:8
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5128 --field-trial-handle=1856,i,11676736798177952300,13418713111889311246,131072 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5116 --field-trial-handle=1856,i,11676736798177952300,13418713111889311246,131072 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2808 --field-trial-handle=1856,i,11676736798177952300,13418713111889311246,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4196

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3792

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6084
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.0.806790498\914617012" -parentBuildID 20221007134813 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e42242c-6fa8-4153-a559-ce0e42b75a38} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 1944 1f4a1fd7c58 gpu
    3⤵
    PID:6132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.1.630233294\1200310134" -parentBuildID 20221007134813 -prefsHandle 2316 -prefMapHandle 2312 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3e6db60-7642-4230-a6f1-c8b605b850f9} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 2344 1f4a1efc058 socket
    3⤵
    PID:1216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.2.1486361522\2014155836" -childID 1 -isForBrowser -prefsHandle 2892 -prefMapHandle 3252 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c0df4f2-c964-4a38-82ed-65a5b85035a8} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 3264 1f4a1f5b758 tab
    3⤵
    PID:5316
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.3.318111319\1686559952" -childID 2 -isForBrowser -prefsHandle 1100 -prefMapHandle 1096 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77d6e275-e811-4324-9bb1-bd0fef47bdc7} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 3580 1f4a62e2058 tab
    3⤵
    PID:2708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.4.1366741968\1566727476" -childID 3 -isForBrowser -prefsHandle 4348 -prefMapHandle 4360 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa99ab86-5fb1-46a4-91ae-e3514eeb9b22} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 4440 1f4a7bc9e58 tab
    3⤵
    PID:5512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.5.612185920\491200614" -childID 4 -isForBrowser -prefsHandle 5148 -prefMapHandle 4676 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a39c2c9-91b1-46c7-83d7-d116ecdb1e94} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 5136 1f4a82e7e58 tab
    3⤵
    PID:5980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.6.1121567629\74781293" -childID 5 -isForBrowser -prefsHandle 5312 -prefMapHandle 5316 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4a7ee74-7b46-40dd-8702-cc234b708a58} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 5304 1f4a82e4e58 tab
    3⤵
    PID:6048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.7.1067300136\1564820813" -childID 6 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fcbe27e-d582-4602-9ddf-cca53804bf4c} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 5272 1f4a82e5458 tab
    3⤵
    PID:6044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4040.8.975392169\1352218778" -childID 7 -isForBrowser -prefsHandle 2760 -prefMapHandle 4952 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1348 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddd3449b-415a-432b-aa8f-0288158ff158} 4040 "\\.\pipe\gecko-crash-server-pipe.4040" 5916 1f4a62e7158 tab
    3⤵
    PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbda3746f8,0x7ffbda374708,0x7ffbda374718
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,5241757730803251914,6327538175683586105,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,5241757730803251914,6327538175683586105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,5241757730803251914,6327538175683586105,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5241757730803251914,6327538175683586105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:6300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5241757730803251914,6327538175683586105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:6312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5241757730803251914,6327538175683586105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4216 /prefetch:1
  2⤵
  PID:6812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5241757730803251914,6327538175683586105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:6820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,5241757730803251914,6327538175683586105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
  2⤵
  PID:7144
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,5241757730803251914,6327538175683586105,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5241757730803251914,6327538175683586105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:6364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5241757730803251914,6327538175683586105,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:6344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,5241757730803251914,6327538175683586105,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:6520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,5241757730803251914,6327538175683586105,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2892 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsInstallationAssistant\Downloader.dll

Filesize
197KB

MD5
9e1b5963ac0c44bad9f119097ee0bfc8

SHA1
dd1a8692a64ddc5464c5b9737708e945668dabe1

SHA256
1b5cf5d28e4b20ed7d12e0f0acf3de6c19cd5694bb228266854d8981e528e4a8

SHA512
8ff0cbecb23373f1ce49122264fc037802916a821edccf27da879fdd67da2a38768f19a5dc4f17c9fcfa36082ea7b87506ea04314d58f2a646c8deb76f2be7ec

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe

Filesize
3.5MB

MD5
a0e338a33da0fdb1bd4810aaec246e13

SHA1
6a8ece04dc43bcc91826765538b71c12c276bd41

SHA256
e4b69eb58da23e8a9006097eba6097f5c593a4a3583b7869c192b91a7f14081c

SHA512
250add3d86b0e1383339e26fd784b67a0aa3b965be0e0118821967b584466d011e9dca5db7b939cf615a192c18a77b14d5b8e0abb015b8f81b54b771994e55a0

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA.css

Filesize
82B

MD5
b81d1e97c529ac3d7f5a699afce27080

SHA1
0a981264db289afd71695b4d6849672187e8120f

SHA256
35c6e30c7954f7e4b806c883576218621e2620166c8940701b33157bdd0ba225

SHA512
e5a8c95d0e9f7464f7bd908cf2f76c89100e69d9bc2e9354c0519bf7da15c5665b3ed97cd676d960d48c024993de0e9eb6683352d902eb86b8af68692334e607

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css

Filesize
5KB

MD5
7f5fcac447cc2150ac90020f8dc8c98b

SHA1
5710398d65fba59bd91d603fc340bf2a101df40a

SHA256
453d8ca4f52fb8fd40d5b4596596911b9fb0794bb89fbf9b60dc27af3eaa2850

SHA512
b9fb315fdcf93d028423f49438b1eff40216b377d8c3bc866a20914c17e00bef58a18228bebb8b33c8a64fcaaa34bee84064bb24a525b4c9ac2f26e384edb1ff

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default_sunvalley.htm

Filesize
54KB

MD5
66b63e270cc9186f7186b316606f541f

SHA1
35468eeefc8d878f843bbf0bb0b4b1d43b843cdf

SHA256
00f8f3e4534146858326d6d2524f3360dfc9e5d149e207d61cabac17ad7a5f9f

SHA512
b9d1b4b201cabf087a44d958584ecb1c110807b9bd9865f1e76bf9d989d7d000ee84f07558bcae5e05d11f7121fe2c402fcf916b00ff5d8eac7eaf05e21a29f2

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif

Filesize
16KB

MD5
1a276cb116bdece96adf8e32c4af4fee

SHA1
6bc30738fcd0c04370436f4d3340d460d25b788f

SHA256
9d9a156c6ca2929f0f22c310260723e28428cb38995c0f940f2617b25e15b618

SHA512
5b515b5975fda333a6d9ca0e7de81dbc70311f4ecd8be22770d31c5f159807f653c87acf9df4a72b2d0664f0ef3141088de7f5aa12efc6307715c1c31ba55bb6

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\logo.png

Filesize
2KB

MD5
afeed45df4d74d93c260a86e71e09102

SHA1
2cc520e3d23f6b371c288645649a482a5db7ccd9

SHA256
f5fb1e3a7bca4e2778903e8299c63ab34894e810a174b0143b79183c0fa5072f

SHA512
778a6c494eab333c5bb00905adf556c019160c5ab858415c1dd918933f494faf3650e60845d557171c6e1370bcff687672d5af0f647302867b449a2cff9b925d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
198KB

MD5
cda68ffa26095220a82ae0a7eaea5f57

SHA1
e892d887688790ddd8f0594607b539fc6baa9e40

SHA256
f9db7dd5930be2a5c8b4f545a361d51ed9c38e56bd3957650a3f8dbdf9c547fb

SHA512
84c8b0a4f78d8f3797dedf13e833280e6b968b7aeb2c5479211f1ff0b0ba8d3c12e8ab71a89ed128387818e05e335e8b9280a49f1dc775bd090a6114644aaf62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
26554fa4b987e8e8723b7a46866e09ca

SHA1
8788188cb3e2ee45a5c19ea4d303a6c8e2aff139

SHA256
b2c98753ccc138678e810fc70d3e96fd998a4a37df27bb4b4ac1836fc5e2481a

SHA512
b4730aa4fa6c2139faef4ab8c3c7b01dab4379197ea8650da266c904e32d121d7e97d64ea9d86696a76bf0fd689f9a676c6243de9a6fee2d8a034363197b384f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
4b4e98175e61aeb33b4533b8029a53f8

SHA1
392afac827586bea40e69072784719dfd4f54a51

SHA256
0d7ea1b58997bf803cd52c07117a98f56e81245867e58c5f0634ce1c35ce2696

SHA512
92443d82551f41ebf6648f829260dea5b7cdf35211cb993b1f6a47bc6a8994fd86d63724083b3c0465f4528577530e6c181ed3229c2b32d94535303689220e49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
62fbd46a50772318a023bcdea7de9967

SHA1
f0097f72b1bcfbe28cd0a9caa8e6a2b8df93a6da

SHA256
3dbefda5e1ef0e4fa7c04dbffd56e1eb9335a21e447be89ab60f4e90a5ceff50

SHA512
53df0bbbe1410744c6b6b8d312ba004510998bf2d07fa8e4616952556e804a12c7416920af0e073d359beb7c0de9c7a4577b12204fd33b7d4d3a6d5550855740

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e2c09160ac9f741f869a2ea365ab78bd

SHA1
2b8826535fefa7cb3a3a0f543b487382e6ee4319

SHA256
052616098344f20ce749de9f769220361c8408ed99a7fb50b5637d51e7b0ae34

SHA512
fc367dcf353d7e1ca083b844668fbafe24cb5aa7e89e5583651718056d913741e84e8c6ae6e866a02927e3be458f0294e66b11b4933666b96d03542abafa03dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8335dba31acdb84146493b2d58e0ee6f

SHA1
97682d0f751d0277b26b8fb73c01c5bc230df644

SHA256
36b521340037ac584c195e71f41cde4153b285b71e0d6ef2baa8769a816d6ed0

SHA512
cd13717951a6c026a2d62206ba7653f8bce3af9364d2b4bee70f09230b7a512743ce3fddaf4949d8eb241f00f35cd24f82112f6389319b2730f60701369346a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
1330325c456c311e51bda1fa89d423a3

SHA1
446be72bf96b0db7dfff2c91a0d3eb27f68b7b09

SHA256
fceb2c77c9ea681a1b6ae7f235f7912dbddb7fdfffd551ca28cfae485fbebd96

SHA512
69b146253e283b04e7b83db08ce26057bf142644e68935e41c9d35680b0382a6be43b24b31e33548b1a1b595d207ea1a2a78f98db6271484b3f6aca5fa524323

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
3904495d2fb5a777f614f9524158bbc9

SHA1
26249c7891bc1c791edca7c506ba83a59adddfdb

SHA256
8630deb55c166a115179739ea1584546c9d1e911a120bd5d80b5fea5bd151e69

SHA512
edb32d39b792bca268ff36672916595ffff9b91301caffcca621067adc92634f1180ad5ece3c7f8dc26c70fe0940b78f82a8c48c1de5165649b6ec0e03890563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ccc4b9767a14330237537ba65c507f41

SHA1
410dbd31ac91f73319c8ace7320d020e9dfc8ec9

SHA256
a1189653727d2dc34a3c49066f607b06525b0b7f43b5f8f43f476e02736e62a1

SHA512
c35e5affb32cfb6145831fec624b9bfd8233b6c9d4bf94bd12c497bf9a2e89a4bce69fc63ab01759307fa805a753bff5a1786b89f3e0fe37079811f2230d8e2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
901e5b0192cd9293bf4f5f33e04dbe96

SHA1
9ffa2eca652d0a33fe9b3bf08a2bccaea440ec1e

SHA256
a792b5558785c0d810ed3e8effb7cba3756c94acc4d2f1c2c2abc1160ff3aef0

SHA512
24257281102191d646ed6da2ef636aa3b5e95d771f68bddc72d76eb393b3ff1fe741a67796e87ee8bdb5ef110e5f64569dc67291baf4312396e12f6c0d57fa5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
894d21760d20c23039a2cce46aa2f2f0

SHA1
5cc45e9f7e7ac55813b2c0086f4aa7f780f11559

SHA256
b9baf08c77d09b2ae507ab0129bfa2fa62a13e3453f8ab7274739b822593ab05

SHA512
9ce2c451c16ad2346cff50b93d8bdd5a63db60d7bba34298de18cc44587e58e8a6713ea833f1d6a952d01a175179bd728ac213723845820b1a2264836f1cfc7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0e45ba368c62db7416ed416a59d4eba9

SHA1
d99fc0fd5dc6c1a9839d0854073ba119d6e24a78

SHA256
3c61d4aba3de7518818944ba6a4a27955b46b89111cf59149c22846d86b47e41

SHA512
fea1ca88f10e9cce3306d1f46dc2e57c30c6bf1ddb67b67a60c338a62adcae89e2edaf5f5ca2528ad5bcd0056411792e65b7a327f39db7c1e95fba7a62ff319a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
c15b9859593e59ac09fc0f8ca3dc2f5a

SHA1
57428dc2336e6032aa875bd5f40903ac5ff4cc92

SHA256
02cee0c091ce086af2a9291069b7dc6b96ec6fe5a8a5258c0f1f41332c68bdd7

SHA512
309c5a7d73e37f3153e97b49e90bacb7b67d61337bcec83ac92ebc9ee1df4eeb3bccad703f37cd2c561040b18aae4d0d93372dfdb46a154048b3cc73c36a7061

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
258KB

MD5
b0a72f2cf775e37228814de5017908f8

SHA1
4df37f5082918793c4e9947ae606e95d6b7dc87e

SHA256
bc43582e63fbdc8b0478cc090abc7b3f7012834cf3c826b332f0f0f5f49feee1

SHA512
d6815d3623a6f9f8d198d8255c030a9cbdbf839014a7ded3909f6667b843c9a212d6ed41403f2feb4ed4ff832e13a7cd94a4c01a92f14e35c0845ae9316cf4d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0811105475d528ab174dfdb69f935f3

SHA1
dd9689f0f70a07b4e6fb29607e42d2d5faf1f516

SHA256
c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c

SHA512
8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
47b2c6613360b818825d076d14c051f7

SHA1
7df7304568313a06540f490bf3305cb89bc03e5c

SHA256
47a22bea2e7d0154c59bf5d8790ec68274eb05e9fa6cf0eab0d648121f1a02ac

SHA512
08d2366fc1ce87dbe96b9bf997e4c59c9206fcfea47c1f17b01e79aeb0580f25cac5c7349bb453a50775b2743053446653f4129f835f81f4a8547ca392557aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e3d21a093fa708e076d8f7c317c5877b

SHA1
dc360fcf901d6e5945a9f56592d128dfb9714c5b

SHA256
d0ef800a2410a69199598d1f5dd90cfdd72abbfc528a6f41895e803f09f58bd2

SHA512
be248d51f84c24c7a37c70210d02d4c20132c0f21faa94c22ee0a8c55982c57305ab6a85d014a52aa0451fa09edf39595cb6de9fa8d0ee9ec64233d3c2f404fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45dad86163ce1a88a75650b0eedd2535

SHA1
4b0ebea0cb0bb2a7f2984ead8eb65ec73a3f062a

SHA256
1e8d7845d2e9259776b60cbbd690f39769f9951de7258825927091e3cbec5424

SHA512
8725b946f0e22ab9f342eff439d808449016a89ad9697a437004499a584a5c8fab7ea055b5307a741dab3c9a264559db46b83d3cc2cd83421b47fbae703f6bf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
697f8c485b4509880ee9e6eea33a5cfa

SHA1
9bd2294b704c53bfbbbf8e9b5d1f8e7b8f9b3970

SHA256
9a735b6d52e4bafad0037929d9e17940dc94d6f9cf1cb1a520b61be8a1fd0180

SHA512
40383d458034d2d2c21789001dc195dfb55c1b11230b4dedb800325d2bfa390717ba0f68cf930ecd5092e0317e814b27d45db9aafebe1da976b4620accc0587b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\cache2\doomed\27478

Filesize
9KB

MD5
627cfce22d3ba23e9a084cf7e856b8f1

SHA1
d83f7d7fdef22d631f8a39f962388e0ef4a4820e

SHA256
e23e0b313ae7b89e5707c2aedf9dddc52f424a039c3eb5a8037b6a579de92935

SHA512
fbeb1ca85930f2b99a2613d9ec37d2ef7157d37c1aca1b80d8108121c792a58f78407f63e1dd40b928e92f12048c605dc6a5de36c37aa6eef0ecdf4bc2558391

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\cache2\entries\B15AC7BE7C42117E3F0C3C90EF79C2FB9161E432

Filesize
33KB

MD5
ca7019532afeba0a6763b6f8ddcf64b9

SHA1
14412efa7cce71656137f4a428cc2e1ba652d1ec

SHA256
3169bb50b3bce4d6a62d6ec8d4ff26ba4a44e4164939e66d19c0d8a66e7d9e75

SHA512
c1aecb6dc6667cad61a6149a809efe0180f6cc7250307364600f6605170ee1c80f6cc8f19d53a611012d71e9b04a0cd1fefa98470c30b31b9b1e57a8a84a5c94

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU3B53.tmp\appraiserxp.dll

Filesize
364KB

MD5
9ae24ddfebb001b9cf15004176e90d89

SHA1
5fbb398e25611bafc8a115d13d55a4d4b28b96c9

SHA256
82f490f1594fe9545af87a7d90f3905fbc0023a273d2df87780023218839313e

SHA512
d8a83752c270864e7be1123cae01eafa091f1faf0d274d953bb094f61f27b41f95ea47ef284759335ef84fbb2a522b63b0b2b154572775901279a50a9ef23805

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU3B53.tmp\resources\ux\EULA\EULA_en-gb.htm

Filesize
89KB

MD5
31a548cd6e0569db0d8d5a766ea2c003

SHA1
eca3cba694915df5dddd95790eacc20dda1fdacf

SHA256
74a5b919aab524487a9a6b55a2de78d133e8e16c00367a82002d6c9a55d9d34a

SHA512
1cb8910b557550b5db5cc46ac325b0924cef6915e30b4daa33975f21d02d521cb0bf8c53723e03bc875928bfb5b30d8f6013d1c5887013fa6b3db084075d7561

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU3B53.tmp\resources\ux\EULA\EULA_es-es.htm

Filesize
98KB

MD5
4bce0923de384170225f162240731eb9

SHA1
21cfe6b950885981d560002f04ad328fe3797b8e

SHA256
1bd1d819ef445a5b51929b03ce31ccdb697ba862ccbb603d5440fa89fc585238

SHA512
0f2e69e51b28507bf93523dcc8e715dfa3784913f729d242f0efad5e0ce1a3220d80ffe68f47c4de83ff71a0af29225e98ab0c83425ad52db6c41394a8802046

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU3B53.tmp\resources\ux\EULA\EULA_fr-ca.htm

Filesize
102KB

MD5
93246f9e40f56dd432768a4b525ac39f

SHA1
9bdd2cc9209ac9520d8ac78f21fdb69b045c4cbe

SHA256
921b5d35eaa56c62640a4bf37d131fbe8c73deb2d189d01ccce4a451d90759d9

SHA512
14b66b268d84e5f90523cffb8a5608c05e928a4e791e61543efcb4897528e40c936c1b54288a93494e9e88c17f1b6343bcf99612bb44bfc5cfc2926d4037f4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU3B53.tmp\resources\ux\Microsoft.WinJS\css\oobe-desktop.css

Filesize
39KB

MD5
5ad8ceea06e280b9b42e1b8df4b8b407

SHA1
693ea7ac3f9fed186e0165e7667d2c41376c5d61

SHA256
03a724309e738786023766fde298d17b6ccfcc3d2dbbf5c41725cf93eb891feb

SHA512
1694fa3b9102771eef8a42b367d076c691b002de81eb4334ac6bd7befde747b168e7ed8f94f1c8f8877280f51c44adb69947fc1d899943d25b679a1be71dec84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
91a19dac7927a24aa4ad534d087f0d0c

SHA1
0ffb82e3387ac0856a36ce1a1b4f6acb21a22a05

SHA256
c828ef40ceff44032d2fd85cc27290c1ca7a997e11f0b72cba5881ed2ac5ff72

SHA512
f21bdcfa589c1a9f29cb889f4d19cfa5247a7333115b9b3973e465f0ef1a2718ba8903a48482dc35fa93ce638151035e7085ec47d2a74310c581f15f3555212d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
7KB

MD5
84e85c80985981238853e1d2065b5b64

SHA1
55d23b405f86eb22cff3db5e336dabdfa933f75f

SHA256
21eb59aa1dad982eca05adced4345cf1e11d4c6ed0eb7981b6b94cc4f72135f6

SHA512
22f428daadd24a054a41e33a74663ffd01d3efa06fa9d0aa96d0352f91e3c98b2e852a4802a613808de3bc195c3aec4030b6d48405083aea5881e6bb5781b6a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\bookmarkbackups\bookmarks-2024-03-25_11_M35M5gXc5+vb2va6XQ+Y6A==.jsonlz4

Filesize
947B

MD5
adc2f2e406ca1cb35c5512349c6de9a5

SHA1
6a4483c4a972273c27652a0308e0a5dd003396d0

SHA256
3c18c4f4e6914f7a99f8cbe6b30f2094dee50d56ef3d7bd227da78d1cc954e43

SHA512
a1607c445821c563d4364a1532cf95c3fd561031c60f78f56c79330c679381dc3a0809b7887d0d12a1b475b1af6680e3b956763df96f51133274cefd62353624

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
2c9f7a146ba4ed3229e0160aabf4cfd9

SHA1
292ea439ec89ea2e6e8271a809a0c821a40b1806

SHA256
7be64e18bfe7649eda593b8a6a67f14324cd2dad66829496c67301bfd47c1a84

SHA512
c73b61dfff759dec380b95a634231ecc14c19209af89b481a10781f268adef0bc43a2115600058b9ff43118a0a7d532770068bcd6c21b85d9e971fb2a23d55de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\pending_pings\549b839a-ac4b-429d-a2b8-ea68d56708a9

Filesize
746B

MD5
0801879d25f96ad82ae428dbf4117ffd

SHA1
ff5510d0b9ef993d1ba090d2f308f62f3d704066

SHA256
348f948c70d6e3f95f07782830e82092a319c17cc45243ea5eb334abae486122

SHA512
ddba2afe262e32d914a6bde461d6998db290152c8234d0eee8e7133ff2a4a82ba609173ba1ce3484a02dc2f8680a601147225905b16d0f9d6a361a5a8c66ee14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\datareporting\glean\pending_pings\b448380b-a40e-4c1f-a08d-a1a1ef0b6b48

Filesize
12KB

MD5
ca42be3f07a5f6470b4e08da1d7447c3

SHA1
ae621eda45b44a577b50d80cf676a4e98d64a59b

SHA256
7d5e3bdf476daa065b1a3d45744f12bb0f3c74e56c0e62168b9c4b1cb8f771d3

SHA512
0332d4d1574d717f505eca94b78b0cc1f0350e1bcf1347ad8d904aea185ce65c6f99d32effaa561a60b6e57e9034614b551b4e0f5c8cdef0b9d2985363004d17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs-1.js

Filesize
7KB

MD5
e41ea78f45570a42dc4553b370edd5c8

SHA1
2d30693064ba007ba7d3a701ac8be8a155c281f1

SHA256
85f6fcd63e7e2bc747faed932767250e86476b9529bf92205cc17444356a4109

SHA512
05bf1fc77d50fe6283a78e8a634d08f39b8bdd7472a1790d4f93e7b413115174f6347f40aeb2ee0b10aaa6d73e05d4455ba1b04710ea97f413c3feed7c755a05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs-1.js

Filesize
6KB

MD5
cfa8c4805d759beee10f6d61066bc46f

SHA1
b22809195cb9636cdb257efc5cc8cee3535d6415

SHA256
61302efebc064da3be02ee40c9d270ea9b6a4e33649764807a2ebd9dc190aa70

SHA512
dfd5f678d8400b6e30fc30ce474ab07c32d396135aaec0a99aa09f4b4a3acc40d0dafae36d46c7c6071868c6c8ccf921c1e56fefad0d577dab2e40b72ae5c263

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs-1.js

Filesize
6KB

MD5
31effb5a4255a1ab4bee5a577b056a0b

SHA1
523e2950d2f7f91f1626efd9ab023e8ea10f1d40

SHA256
bf33f258edbe9817f451035a532bebdc8b26e7725985038a1d8a50d286b4fc9c

SHA512
5219f298797c166748af93462e75c237697a87fb015a884053add2e4c8893027d7688e8298b6e2d333a9b9e2c870a3505a3d13f5526782969f0c324ab97f9fcf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs-1.js

Filesize
7KB

MD5
f6ccb26f943e7e4bf1f160829731ca46

SHA1
cb1b039263f92ae77b5538cc2c4d0ed59c72e890

SHA256
00ad0de89ea7fdff8be36a94a0763b30948f5bb93c6b5fe5ba95e9e5e27a9cd7

SHA512
e128ab579183e9265f1de94ea98077b663df70a45cf765515f7e27e3b3a2479c868e180050eb8ecf387f953616766673939b2503360d32c9215a5eab62f337be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js

Filesize
6KB

MD5
87666cce67abcac11e97cb334a573b1f

SHA1
dc43b0da498752f89e2cbdcbcf8d680ffb8d6f04

SHA256
0c2345197751df34fa495ad56e468d94b0e262bfda4f93314e1314fafd828aaf

SHA512
2206601ebb6e2d40c456df8560d7b5939f1f21f35b6d1db5b427ac4bb4128669d382174037b3056e7a43fafda156bc2935122bb01526a817315dddf7b124fdda

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js

Filesize
6KB

MD5
ec0d180c83d4a547d942f86f506978b2

SHA1
4ff736ddeef9db11ee31a3adb43b61a5bdd3c5cb

SHA256
f3ed3a7c3309d2e2659221ff219881e1e80d15a162af8cf766b5223a76096f2c

SHA512
309589b91682221fca5cade96071dccd435692ec3c44d48e0aef01706af5742f334d4b537c2130b00792b21d22a40d8d42bf694ebfd4b14e9b9e43fd99249389

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\prefs.js

Filesize
6KB

MD5
27ae213e753138cb19107a907788e981

SHA1
393ebab0ef51dd5f0226fb87393127b8d7a9e075

SHA256
05370de5645280b9fae7fcc26d5723f2c3f98ae117fac360bb7ac374a756a6e5

SHA512
3bc01ead0b8c9937a59ced3c3b2dfcf2576b1e4463b45c1f95983eeb9a508566e05ec864d181fc0365572cdb1512213fa11f69a97a0eab31e881d175594ced9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
e075618de77edbf5a9f555b1fb69f0ef

SHA1
d194b8c6398576831c65b9aae67282fe694441d7

SHA256
e4d352ea7c77540f4b6025feb1c0bc045f532b74fd0ce9672e6498043c9440d6

SHA512
09f8e5c45704c231616551fe13363671813a357ae2c2f8a24955cb94f2d03205bdb7f7b1b69b8493194f1979be83f0cf5d32f2c7cfb57577e1bf5345cd38703c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
ffb620ddadb813c6ded09479d4cbedc3

SHA1
4b2be1404ac6ef84906f60aaa2c510a12ee50e9b

SHA256
55c7c5f264c8582924d6b357e00e93ba9dddcbc89f932b3b2ebdf4ab9fe0107f

SHA512
a2ccb6ba1bb2e782ed17520fe69c70383e22008203b146502671962d6f513273f05691462b43fbc06c31c355bfbe4f8c8590c1881cd2136ca5b055a7da51a985

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\targeting.snapshot.json

Filesize
3KB

MD5
e8fe19ad6f8968f0a07ee037d3c6167a

SHA1
8b818dbd09d6cfc46789c549528e71a8a40c47d7

SHA256
1a0f92475aaf718a19fd2fc36274a99578467a85f6f668cb1f747a04c8fa57f8

SHA512
f05dfd764535bff1a1a88fdc9f2ca8ef68d06b30a4bfe73bc547ba55ef473df9a30ae7c6f31a2c7bc20929d8107890347e0a34ef9243bda932ae40b4cad9bb5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xh4b7nwe.default-release\xulstore.json

Filesize
141B

MD5
fcc0a4014782f3927e71baeddd2dfe68

SHA1
af19885e5f719a6485066c6317361c6858d70fe4

SHA256
a4e0791db84036961904babe1a29dcf3698bdcd8b92389dda01c699f2ee52ecd

SHA512
338fbd72c9c4e657feb9ae548601e1bd1da1c4e1ec9b7e475b34fec1feace6af6161404cc91a2babe8d6aa758a460975d859d92915d6297f48e866a5653acbc8

Download Submit