1f003b549a7d0bc3aae9ad377c5779cb708c98a898a6e661b49d917fe2e50851

Analysis

max time kernel
149s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
03-06-2024 08:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

.git/hooks/applypatch-msg.sample
Size

478B
MD5

ce562e08d8098926a3862fc6e7905199
SHA1

4de88eb95a5e93fd27e78b5fb3b5231a8d8917dd
SHA256

0223497a0b8b033aa58a3a521b8629869386cf7ab0e2f101963d328aa62193f7
SHA512

536cce804d84e25813993efdd240537b52d00ce9cdcecf1982f85096d56a521290104c825c00b370b2752201952a9616a3f4e28c5d27a5b4e4842101a2ff9bee

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

VisualStudioSetup.exevs_setup_bootstrapper.exesetup.exevs_installer.windows.exe

pid process

2132 VisualStudioSetup.exe
4884 vs_setup_bootstrapper.exe
644 setup.exe
4660 vs_installer.windows.exe

pid	process
2132	VisualStudioSetup.exe
4884	vs_setup_bootstrapper.exe
644	setup.exe
4660	vs_installer.windows.exe

Loads dropped DLL 23 IoCs

Processes:

vs_setup_bootstrapper.exe

pid	process
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

vs_setup_bootstrapper.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.exe	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\pt-BR\feedback.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\cs\Microsoft.VisualStudio.Setup.Download.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\de\Microsoft.VisualStudio.Setup.Common.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\ja\Microsoft.VisualStudio.Setup.Common.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.ExtensionEngine.dll.config	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\de\Microsoft.VisualStudio.Services.Gallery.WebApi.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.TeamFoundation.Common.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\pt-BR\VSInstallerElevationService.Contracts.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\runtimes\win-x64\native\msalruntime.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\Dia2Lib.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\es\Microsoft.VisualStudio.Setup.InstallerResources.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\it\Microsoft.TeamFoundation.Common.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\pl\Microsoft.VisualStudio.Composition.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\amd64\KernelTraceControl.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\runtimes\win-arm64\native\msalruntime_arm64.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\es\Microsoft.ServiceHub.Framework.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\fr\Microsoft.VisualStudio.Setup.InstallerResources.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.Setup.InstallerResources.dll.config	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\pl\feedback.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.Imaging.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.Win32.Registry.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\zh-Hant\Microsoft.VisualStudio.ExtensionEngine.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_layout.exe.config	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\zh-Hant\Microsoft.VisualStudio.Setup.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.Bcl.AsyncInterfaces.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.ExtensionEngine.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.Xaml.Behaviors.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\ru\Microsoft.VisualStudio.Imaging.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\VSInstallerElevationService.Contracts.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Resources.scale-180.pri	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\ru\Microsoft.VisualStudio.Setup.Common.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\NOTICE.txt	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\de\VSInstallerElevationService.Contracts.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\en\Microsoft.VisualStudio.Utilities.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\ko\Microsoft.VisualStudio.Services.Common.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\runtimes\win-x86\native\msalruntime_x86.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.Setup.dll.config	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\zh-Hans\Microsoft.VisualStudio.Setup.InstallerResources.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\pl\VSInstallerElevationService.Contracts.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\zh-Hans\Microsoft.VisualStudio.Composition.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\amd64\vcruntime140.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\x86\msdia140.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\it\VSInstallerElevationService.Contracts.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\ja\Microsoft.VisualStudio.ExtensionEngine.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.Threading.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\arm64\msdia140.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\ru\feedback.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\ja\vs_layout.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\it\Microsoft.VisualStudio.Threading.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.VisualStudio.ExtensionManager.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\fr\Microsoft.VisualStudio.ExtensionEngine.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\pl\Microsoft.VisualStudio.Utilities.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\pt-BR\Microsoft.VisualStudio.Composition.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\Feedback\msalruntime_x86.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\de\Microsoft.TeamFoundation.Common.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\pt-BR\Microsoft.VisualStudio.Validation.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\cs\Microsoft.VisualStudio.Imaging.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\fr\Microsoft.VisualStudio.Utilities.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\ko\Microsoft.ServiceHub.Framework.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\System.Collections.Immutable.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\Microsoft.IdentityModel.Abstractions.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\tr\Microsoft.VisualStudio.Services.Common.resources.dll	vs_setup_bootstrapper.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.imagemanifest	vs_setup_bootstrapper.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vs_setup_bootstrapper.exesetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vs_setup_bootstrapper.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	vs_setup_bootstrapper.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 3 IoCs

Processes:

cmd.exeOpenWith.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1230210488-3096403634-4129516247-1000\{3932308A-C75A-4E49-85C9-18885A28F846}	msedge.exe

NTFS ADS 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 553784.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VisualStudioSetup.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exevs_setup_bootstrapper.exemsedge.exe

pid	process
5020	msedge.exe
5020	msedge.exe
4668	msedge.exe
4668	msedge.exe
4704	identity_helper.exe
4704	identity_helper.exe
2200	msedge.exe
2200	msedge.exe
2576	msedge.exe
2576	msedge.exe
4504	msedge.exe
4504	msedge.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
4884	vs_setup_bootstrapper.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe
3400	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

4772 OpenWith.exe

pid	process
4772	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

msedge.exe

pid	process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

vs_setup_bootstrapper.exesetup.exeAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	4884	vs_setup_bootstrapper.exe
Token: SeDebugPrivilege	644	setup.exe
Token: 33	2864	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2864	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 51 IoCs

Processes:

msedge.exesetup.exe

pid	process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
644	setup.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
644	setup.exe

Suspicious use of SendNotifyMessage 16 IoCs

Processes:

msedge.exe

pid	process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4772 OpenWith.exe

pid	process
4772	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4668 wrote to memory of 1084	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1084	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 2916	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 5020	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 5020	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe
PID 4668 wrote to memory of 1208	4668	msedge.exe	msedge.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\.git\hooks\applypatch-msg.sample
1⤵
- Modifies registry class
PID:3552

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcc4623cb8,0x7ffcc4623cc8,0x7ffcc4623cd8
2⤵
PID:1084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
2⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
2⤵
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:1064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
2⤵
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4616 /prefetch:1
2⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5276 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
2⤵
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
2⤵
PID:684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5468 /prefetch:8
2⤵
PID:3964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5384 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
2⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
2⤵
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
2⤵
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
2⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
2⤵
PID:576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
2⤵
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
2⤵
PID:4328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
2⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6736 /prefetch:8
2⤵
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
2⤵
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
2⤵
PID:2012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
2⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4504

C:\Users\Admin\Downloads\VisualStudioSetup.exe
"C:\Users\Admin\Downloads\VisualStudioSetup.exe"
2⤵
- Executes dropped EXE
PID:2132

C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\vs_setup_bootstrapper.exe" --env "_SFX_CAB_EXE_PACKAGE:C:\Users\Admin\Downloads\VisualStudioSetup.exe _SFX_CAB_EXE_ORIGINALWORKINGDIR:C:\Users\Admin\Downloads"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\SysWOW64\getmac.exe
"getmac"
4⤵
PID:1156

C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe
"C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe" /finalizeInstall install --in "C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202406030840146515.json" --locale en-US --activityId "43ab171f-6c04-478c-b8a6-a8bf69048b57" --campaign "2030:d32c6b2afe084cb0a0bf3b6b3769d8a5" --pipe "1430023a-133c-4d34-a795-89072a6f123a"
4⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:644

C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.windows.exe
"C:\Program Files (x86)\Microsoft Visual Studio\Installer\vs_installer.windows.exe" /finalizeinstall 6F320B93-EE3C-4826-85E0-ADF79F8D4C61 "Visual Studio Installer" "Microsoft Visual Studio Installer" 3.10.2154.60269 0 "C:\Program Files (x86)\Microsoft Visual Studio\Installer\setup.exe"
5⤵
- Executes dropped EXE
PID:4660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4452 /prefetch:1
2⤵
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:1
2⤵
PID:720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
2⤵
PID:2608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,383311822268312434,7749236599582346189,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6912 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1008

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4324

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004EC 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft Visual Studio\Installer\resources\app\ServiceHub\Services\Microsoft.VisualStudio.Setup.Service\runtimes\win-x86\native\msalruntime_x86.dll
Filesize
1.9MB

MD5
94ab867ef06d046b6f65adbcb0994638

SHA1
30768967ad3b95aaeb8ec671f96e176a6d5dd1fa

SHA256
e9501bd3899c05167ab3d6cde455e7c81bc4bd138314207f3cdfe910b21358ae

SHA512
81e20e97829bd2102e552bf78f1da4a6986ceca475c6514c7de9a40adeafdd7b15c15dd10af293df5b4c21e4b1c431c92591d19559c9c71ba5916d14d750c090

Download Submit
C:\ProgramData\Microsoft\VisualStudio\Packages\_bootstrapper\vs_setup_bootstrapper_202406030840146515.json
Filesize
162B

MD5
ad891c3b02a02419dc60db8c273a8315

SHA1
141a08ca0e25d56bdb35fc71e1c767667079114a

SHA256
186c4b16ee009564819730b358dbdbb0792fc27e602698c5f0a16e20104647c7

SHA512
64cdaf1d6d1b4072e24f3926f91103abf946ff044cda34a9070586c2d2927bcdfc53381c955e447a38965ee426373259759025f97b715158afc429080956196f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8e1dd984856ef51f4512d3bf2c7aef54

SHA1
81cb28f2153ec7ae0cbf79c04c1a445efedd125f

SHA256
34afac298a256d796d20598df006222ed6900a0dafe0f8507ed3b29bfd2027d7

SHA512
d1f8dfc7fdc5d0f185de88a420f2e5b364e77904cab99d2ace154407c4936c510f3c49e27eed4e74dd2fbd850ad129eb585a64127105661d5f8066448e9f201d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ffa07b9a59daf025c30d00d26391d66f

SHA1
382cb374cf0dda03fa67bd55288eeb588b9353da

SHA256
7052a8294dd24294974bb11e6f53b7bf36feeb62ce8b5be0c93fbee6bc034afb

SHA512
25a29d2a3ba4af0709455a9905a619c9d9375eb4042e959562af8faa087c91afafdb2476599280bbb70960af67d5bd477330f17f7345a7df729aaee997627b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
25e386b541b865e0cab09d5daba73085

SHA1
7c04999636bd76e3eea7f5ffc4adaa31805ee1ac

SHA256
f51fbe8679fa291106f6fe1ed2bb7702ead50a94d4425647cb4108a757bfd21d

SHA512
c1de31d86e92fc3f13fec1c6c33903cad11154467e1b478e199134107fbc5dd12da9882971b123c0942ad0aaab7ce9361c44fbe26d7b17983aea47882c3f9ac5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
92ab586680079216f1284c3fe56d9539

SHA1
85e8dad0fe7f9b2900ff820630ecc4f73b6938cb

SHA256
66f13895447f897ed514e4e83a4d68e2382938f88f3b49031c79baf706ea2b82

SHA512
9c101ae3ec34e92eb0d604411d2b788a2e7a163b3d87b1b511e12824c30bde84631b72208511e84001086c45fd76c269e1add6cd59f374393af2421a5dde4a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
66ab471a607891614732dbe0ac1da2a0

SHA1
ca21bf22820441cbffa5f34453afbe202b0b8744

SHA256
b3ebb58d0e2ff891398150eb2a0d4b2d70b687578efeb066e686d4e76cec6151

SHA512
2fef521572778adc89fc49177ff1791c0860bac44261c5ee6cb8edf0e1aa4e11756df4ed9d846e5db79e658454138f1d78654dcad0876045cc4caf4edbebb2aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9082b7b26a333e55d1971ac8e63164a3

SHA1
7e28c7281d8cbc606bc470b7e2079534416f18cf

SHA256
3ad2f7927eab2b4a9831d0dc74ef4aadf2079ef2f7af18d56605b149e89dea89

SHA512
4e78eff1bca169118b9406a216095b9e8873f3026950df15a85c67b9914e9331ecc5d3100d8bf5c5ed8c3f53b3e426aee3232e55d4c94a0ed6a038282a8b8e93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
7882217a42da4dd8ce8844f4eb4ac437

SHA1
813ad9db9a4ede221281e99179058fcc6197f19a

SHA256
6b06f9964f8c9aa86464d51902b0f2175696a893198580e6421c7267c3f417ca

SHA512
c817e2d9f947a74c9ba475d1d42323f5cdafba51d50fc39d884aecfabbc7caca8cafc46b2be15263f5e53174ccbbae63d1cc157e5fdce9c040925ff16251e10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
aff33288312db2572d0c0b52b24273b2

SHA1
e77a3fdf6042b07904635f1afa9810fa0a737fdd

SHA256
0d9f2e643f58d48be544d4aa035cd129ab14615b15acf6220347eb7f69cec316

SHA512
9405ea44996280f0f57e681aa91bc705bd62148de9cf0c31e1d5301fff34117b3e0527a21d0f0cacecf7c4ac9bdaa847d389f14385ae04bca1ca2b362f38ceb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
33dac08b3838ec0be0e7ad596f99676d

SHA1
efb1a845e6c7fb4356eed55e56784545fa0f992a

SHA256
d945e367b598d1d29be3a9360167297181c059804f4d0a098b1de64f9be9ecd4

SHA512
9cb06c3f36f74b580363faeaec3f5553b962a22c70edb5a040f4b95f478b0548438fa4fed74a763f864a750c8e317f4245e0a210744754d5a34e8d396c2f91db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
bb5175ee407ceb4326f4c68b53afe435

SHA1
ce22de111d55f2ad89adf48c870eeb0dfac68d5a

SHA256
6cc37df1dbf6c2840c3c311b5816afc584f963c1a917b6784a5c2ce1250042ac

SHA512
356244f27078fca5b7781dd9ed0bd8a77b34255909947805b7512f52cd09762e042565c0028817349532b2727186317a0b85f71b513608d8e89d8497ed7ed6b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
2KB

MD5
1bd7747ca1275aba8fe08bbb5c5624e2

SHA1
b578dc281c21d6e09abfc7f240264bbd554df15b

SHA256
92b79cf0a02063eac261ecf0e71db8b11a9fd699b4343b4aa8a24f520af2a142

SHA512
3a3bf413901d1069451315c4d1597592fe223b5f686894248fe98e1e73fa926715bd9a58e5e577293511b30e3a43d6875cf3c557253b8a3043d1c1e69b7ad92f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5800d6.TMP
Filesize
873B

MD5
b1f0efc8f4800baf8c8464bf6ca50964

SHA1
b962d75ebd189ed9e5f90ca1e1650aa826cf2ca0

SHA256
84074e93ee4e93681282fbbce74f0d3b1c7636b6658d712e9a0091dafa9dc021

SHA512
e493bcf6b3cbd911a8f9dbc7b88bb079bd9a734b47e7aadaf01b8a845fc94cc06de0732b3a44488e8b78008ec8b7a4cf4fea79ae2fac70af8b1cdbda7ddea98e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bae255fa-566c-48d5-a054-13b4dcf36821.tmp
Filesize
5KB

MD5
6929db376c155d61d85af579bd397127

SHA1
a1d8b6452897f1b27c6cb4a31c35e0d55727bebc

SHA256
0a67d49b8613cdb529347aafbc20d31f6428af382e6f100284bca146af1d1c7f

SHA512
1bdac98d71b9bf95fd192bb7629d44f55547b9979cac10dfb98b1dda8d943701906d8888e1454a3b254a82d521bbfe95458a76eef506f0717de4bf0245309d6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
5cec477361251e802e99e0f65ef9917e

SHA1
cbfb70121b5f1b9fa389744bff3c1eb0015dcc00

SHA256
0db337c3667ba53161cddbc2e7b5b869baa6a3838ff2f3150233d2079fe2923b

SHA512
7f24333cc6f4d46541336cbb477e31aeeec45ec6b723d430d95e33cdfd9a09d97eb6765f197db138fe668e87fcacdccc74648559aceb3850f7aa0da8287a1ec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
cb0c18061a52c9fa87c546095346f6ec

SHA1
b67f49b1cdfd5ba5cf07c82cef94fea49ec7b0ce

SHA256
a6cea8e0549079108405f01138bd2a7338d761443b6c931dedbf79b5eccb3479

SHA512
7c6dafcfea6cfd59d05e1f460c4d89e62ad5c867601b5ca880a53d58d3af2dfabd6f45bd93632fbbc8d3976d229b147f2e76e430a32dc21680527bfd4ee9600a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
6c5f9b92aed0bee621d3aa68782ac866

SHA1
0e63a7c0016c3bd67418b1aa7a18a5ee01227ac3

SHA256
3a58487cbd322f9e90f60b3e0ede5a8bbba678c37c46a4f721a243855daa747e

SHA512
01d1e714c57c6093d67f87c9c7db763f5d158332dedbb4e93f15fc7253f0c82a83eccfcd969ce207d5213ef70f0f6c569e336813a0c4ee739d6630be2264776d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240603084045_7f94f10c3b884531a848df0d6c2b28c9.trn
Filesize
9KB

MD5
449d134ce1a53da8a4fdefad2a3972f6

SHA1
3be7cd6dff6d1f42a655d4b37823d5ed520e8b7f

SHA256
5eadcf7a8f5bd163aa65128836a9740c8966aa29e46388441be7db3bc6d8ccc4

SHA512
ea60481c64897400450b015afd8a11b20e538f1f8ca16d299ee3c1d3c10ae3e0a151f681b47b9d3e79a238cc6aac403b1c079a6484c73f76683b60091e2c98fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240603084104_08560211b2b4442a870b1f86abea25fe.trn
Filesize
3KB

MD5
65436c13e83fb02bdcac8d053bc9b571

SHA1
279a04aef5aa68031f2bfb62db8b63c5a224d37d

SHA256
da9fb6b9ac7fa85957042e77daa464fa850a28aff6af4fc9ce167a5cc813359e

SHA512
2e452e0ececd695e6696d7994281a31869d568c6374e01a2c9a10c8907c24667e97d514fa985b5c88a90a81377dacb06348d68c65eee002f0efd2ed68c54d0e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VSApplicationInsights\vstelf3e86b4023cc43f0be495508d51f588a\20240603084115_464b6b5eb9de464386093480892425f1.trn
Filesize
9KB

MD5
3245a1302b0b6cc159ad3811f767cc67

SHA1
2ff448de62eeb5f65c3a26b41741cd4dc32027ec

SHA256
4694a57074fa8e3bb85a11304b58c884b90f07d35acb6b0fa66275812862f6bb

SHA512
672794faa00f77e01dbea039aeb795fd3f8f89696226e1b88dd6f173e375ad9c5fdb8ab5043a1538be9481ec7841aea363ddfdec3e2b8b3cf4e6ece102228b8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VisualStudio\Packages\_ChannelFeeds\F4D08EA8\channels.json
Filesize
73KB

MD5
bf210f79d1ec7bc41d4195138c43c72e

SHA1
67b16d44ccc442d9357ecfa431759605a657293e

SHA256
4c0caf2a3de7dcada5d889050f1531f96627df3d2610e7d5af8c12722eefd335

SHA512
9a226206a71dcba49f3682715eb6f287cfb1edd5deeb71a173e5b386256cf75db931f1a34d275bb844779f2a7cf12872cae05c70dcd270a8016c906b6fd13938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\VisualStudio\Packages\_Channels\f247107e\channelManifest.json
Filesize
89KB

MD5
6ca1c2370f512cbb55abcd237735c8b4

SHA1
d22a1ee3d34c0a2fd2d6439067046b895dd60374

SHA256
b3741977a7a9b79f3626f09b1f75e77419396d43037d3e96df2ca8cac25f1d63

SHA512
5cae7ba1523e324c4eeaf5759e390cd461fd477eabc3c99524c7e8250a0d778932dcbd8a51703c2cb751b8e6faa14a7a4c9bf14112910b7430e50929daeedff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Interop.dll
Filesize
18KB

MD5
c5e7c4a539ea834661fe20f994330f7e

SHA1
e2ff1096f557212dde051887bfd4a450b23e9277

SHA256
bc53c6fb22f4bce970c87122579caf785f75cbc91d49f49e54229ba32ac7d447

SHA512
7f3f32146637e7393f3f906ece45780c1082ac661fc8f6d88f469e0ca951e9a6bcbac4be8959359559e097ebeec8eb048407cb3276f0a7007c50298ee1294a07

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\Microsoft.C2RSignatureReader.Native.dll
Filesize
115KB

MD5
aabfd8a438ae79b4f236ec3b45544dd2

SHA1
32b026ab6dd4ce60c16fa48690f32632f7f4ac17

SHA256
95cb344b58ed754e25f60c44f32303de9e65da603db06a9321d137580b3657ca

SHA512
6eb438b1fa9bc62c1356d8f21b0706799d94024cf0c013fb435caaba82e0c6bbe3570edc91c71d36e906be0a28e1da854a47a377fa487aefcd5662eea85a1993

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\Microsoft.IdentityModel.Abstractions.dll
Filesize
18KB

MD5
dc6d5f059a711616234b383d8a3cd5f2

SHA1
b53df8e875bedf924a32eebea2abb2018f06e5e1

SHA256
d461864929e446edbc6513421f4db8c6465899d9067ea3c33e2131227799b525

SHA512
54cafa9ce950c0b4a2cfe6f115717cf113b45f6ef21c701207e37151fb8b01e0d370c56d950ab2c0bdd0d813d65462ed19eab4c9de320f8434cfb0b30589deca

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\Microsoft.VisualStudio.RemoteControl.dll
Filesize
46KB

MD5
355c1a112bc0f859b374a4b1c811c1e7

SHA1
b9a58bb26f334d517ab777b6226fef86a67eb4dd

SHA256
cc52e19735d6152702672feb5911c8ba77f60fdc73df5ed0d601b37415f3a7ed

SHA512
f1e858f97dabeb8e9648d1eb753d6fcd9e2bab378259c02b3e031652e87c29fbabfc48d209983f7074dfc256afd42fa1d8184805534037771a71db517fe16c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Common.dll
Filesize
579KB

MD5
08645c50cb281af1371e8f0ded10ab67

SHA1
ae06060913c4be03af0e1736650d64e8cda7ad55

SHA256
7bfa4386a603b98af49099d67f5c5d1e7a50b15107f9780e7f7f50f39234bed9

SHA512
bfb8a02db556bd1e7808fcaed00bcb938758eefd21f04bd47c6c5a04293b781189ec88a31210efd6972be364334fd5e25ba6a83c972c5ec4cf0b8726cb4a77f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.Download.dll
Filesize
306KB

MD5
8a9cbbe63d730d60ef5159bed516bc78

SHA1
130c25908dd4201db8e6a2f2319eafc86114b7c3

SHA256
4e94690f548ef43a279a1f55807713eb970fa7a0fc9e64602779595778766064

SHA512
102ed30752a61712b024c5460e895e161ba22f4583f1148f6c0704edaebf703eeb7b65bd393ffd056df837d5b57220b7b87bc635884b5aa1d6516afb36370c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\Microsoft.VisualStudio.Setup.dll
Filesize
1.4MB

MD5
da8106a5723b5d66cd6b1713ece8b91b

SHA1
73bfd5942bdacc4c87b003c6c5555fea4ba6251f

SHA256
7c481dc4e4c2ed5df782a794f571808aec82a71c4fdb1054939a42c4b9f368aa

SHA512
eec20eb53e88e6a96ecaa8496256235176ce586563d8c29d1c3537b5e34213209bd225235ae253b60a7266aaac56e655af229ba6b89b87ad24f4ce4349f0cbb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\Microsoft.VisualStudio.Telemetry.dll
Filesize
995KB

MD5
bbcc8244db84ad2031ac010633abf798

SHA1
de0cb65ee877663da272b4162a55a64ab8669f74

SHA256
8fe17ff9da7932dc01a39ed27559d5cdfa9b97ba14cbaa9f719087a241c8b82d

SHA512
d5682ea1aa9d50e9a491f8dc25c82907cde24ead2842ea392242e8cdedf49f68f3035042442738e147b5aa29d6328ced68007732298f62466c78fd10b276b06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\Microsoft.VisualStudio.Utilities.Internal.dll
Filesize
62KB

MD5
2dc1dc66b267a3470add7fab88b78069

SHA1
dbe80047475b503791038ed7e47389c062c15c72

SHA256
b044863f98af8d28f4f2f5e2dccb945c57439e1575afb37110e1eec306a6c89c

SHA512
44ef73aab50dcc13ccd94c0353c366818afb27ce73772d722755b04add0c4f294c7814c84da6069d9aa6136f2a48683c25062dcddd1664e8d32fed1b38ceca21

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\Newtonsoft.Json.dll
Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\System.Memory.dll
Filesize
138KB

MD5
f09441a1ee47fb3e6571a3a448e05baf

SHA1
3c5c5df5f8f8db3f0a35c5ed8d357313a54e3cde

SHA256
bf3fb84664f4097f1a8a9bc71a51dcf8cf1a905d4080a4d290da1730866e856f

SHA512
0199ae0633bccfeaefbb5aed20832a4379c7ad73461d41a9da3d6dc044093cc319670e67c4efbf830308cbd9a48fb40d4a6c7e472dcc42eb745c6ba813e8e7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\System.Runtime.CompilerServices.Unsafe.dll
Filesize
17KB

MD5
c610e828b54001574d86dd2ed730e392

SHA1
180a7baafbc820a838bbaca434032d9d33cceebe

SHA256
37768488e8ef45729bc7d9a2677633c6450042975bb96516e186da6cb9cd0dcf

SHA512
441610d2b9f841d25494d7c82222d07e1d443b0da07f0cf735c25ec82f6cce99a3f3236872aec38cc4df779e615d22469666066ccefed7fe75982eefada46396

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\runtimes\win-arm64\native\msalruntime_arm64.dll
Filesize
2.2MB

MD5
a2f41908d5dc93b30daa584ea84d2092

SHA1
858e185e27c19177d3bd8682cea53bcdc27a598e

SHA256
88a6f127eee41da978181df5de12d65d2337d4427ef66b6be1df51bc29e93f8b

SHA512
ee5934249b2540b2eb8f9ea3f344f00d6e512a8f2f86df4ea674dd9e35a91154cd77c62053882e187cf1a629c369ad3be9667f59607676bdc780280de5dfbeed

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\runtimes\win-x64\native\msalruntime.dll
Filesize
2.2MB

MD5
6d226a7b33583555fe71310e610e7fc6

SHA1
92bb8ce4cb4e215348c6e22ffc3bf57ec031883a

SHA256
613be496ad434ceef6ed29dbba64f27a2612795078977a8b07b229ebba9e9953

SHA512
5697f07f95c723de50f65b23d5ce4853e716425abccae187d00ed3ab1812fb0e04af47b5ed241370773522fa3c463c351c9dfc58b10c7962bd2e8c83710a3d46

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\vs_setup_bootstrapper.config
Filesize
622B

MD5
8cae9ab11729425800770c9c8b2ba483

SHA1
d6235bb0af785c6c4a0b5a212ff4cfd2b359d62e

SHA256
dde7635af97aec15cad909bcd2917e0bd38e2f5c46de79ba21d9b29a2f6d59eb

SHA512
e0303d828247326f662d577700dfd54eb406c5c15f7e38ec709e70b338e76efdb22feab7caf250d1c72377b478701dca745d772add8e08cd3e944332aa9e4d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\vs_setup_bootstrapper.exe
Filesize
404KB

MD5
4108506d8cdc3a03bb7e4496025ee902

SHA1
a02d206f205a1a45b5223a73bfe84e25b359d251

SHA256
f9bf0a30395e521d65fb1e39a6a76e19c061a8d3806653fc7f5b28b9fb327903

SHA512
b4a7aa0c65e3a3279d0845a02e896a85d5f5074a79ee3ab52a8aa422fab759d4fab177961c03f280ca7499e10678d29e951946283b26d2ca107d5be76c76e8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\245dc3e703085702888c3593b8\vs_bootstrapper_d15\vs_setup_bootstrapper.exe.config
Filesize
2KB

MD5
c301859aef3bf4c0914914e5807f6a5b

SHA1
908827ce12d093d2aa3d1e8baa8caf8bfe204fbd

SHA256
781ec48ae412ba18c2cea1b67f5bc4a33245fd5f96dbb0e58b218c98ee03785d

SHA512
0b9eeb0288b01ddfde11404b15378694145978bdd664b68befe5f776f65f950d35f54b7f29662a64ff91feb4dc0e9bd537864e46a1f3f252e8113ddf95f32f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pr0us2zi.sxr\w0ytdido.json
Filesize
14.5MB

MD5
a5a07b948c056eaa2c21c0be3459671b

SHA1
47d0855e65e90648150834d34c03d6125cdfbc09

SHA256
24b0c575145a9a5cab86cfde7ee35fc9535ff7bdb102b04a12382d22a9788f31

SHA512
2cdb62866507df4354d5989dd512651fc3604da8070f9c34aff5a554f571c0280fe9f63d651edc2a3e8384c33d357e3892ac7e16a8071cd58ae07d6a3985fc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\stpotb3i.yy2\r3sygueb.json
Filesize
89KB

MD5
73226f6a7c95892580d5d21e1ae4e3da

SHA1
c2b52f6ddd33be202706f943ca727249616b6b9f

SHA256
584e1b192b5f9c1713be9c01a7beb0011c6fc4e59c2e2ee916a1e1694a6c1980

SHA512
8300524faa99170d3fe3238ae04bea53ed1c35271b0ef4441013a09bc0459857d3dca4cc37c075e86602cfc234a12b7609e7ad42e2dc30f8c2e642978852482f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zudhkthy.json
Filesize
22KB

MD5
9b5bc10442f86b015e3ec11b15cbe7fe

SHA1
2022bab52c25622a7ba73c2116967f0fd8462898

SHA256
1211fa72349aeb9f8578a8405937b1bade9bbd578b5fbc2d1858462abbafb300

SHA512
7b59e801f1e9367ac8adc970eec47a14b01b986001593cda60f381d4f3f6852839c1204dc228e53377de7bfebaf418a2963a31f533f5c56029e1025140caf339

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 553784.crdownload
Filesize
3.8MB

MD5
740b8589c1da19c038c9e72a136512f9

SHA1
8ca20d887d858a191e8a6b5cd9425e0248b5bf54

SHA256
632d9b87505b0934bf3cb5551a02d06eaebb76cecf16fff651a631edb48c9528

SHA512
c3ec773b92cceecc450c8a3899728949d290a89552ebb83d704d8a8dca663983e2b484b35ba8455c53b7b77de9f6837eed1fe11542371306f84aef8df2be65a0

Download Submit
C:\Users\Admin\Downloads\VisualStudioSetup.exe:Zone.Identifier
Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
\??\pipe\LOCAL\crashpad_4668_PHMFZMTWTWVQFYDY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/644-1143-0x00000137DC040000-0x00000137DC334000-memory.dmp

Filesize
3.0MB

Download
memory/644-1169-0x00000137F7B10000-0x00000137F7B48000-memory.dmp

Filesize
224KB

Download
memory/644-1551-0x00000137FDF90000-0x00000137FE064000-memory.dmp

Filesize
848KB

Download
memory/644-1432-0x00000137F60F0000-0x00000137F6102000-memory.dmp

Filesize
72KB

Download
memory/644-1430-0x00000137F60B0000-0x00000137F60C8000-memory.dmp

Filesize
96KB

Download
memory/644-1431-0x00000137F60A0000-0x00000137F60AE000-memory.dmp

Filesize
56KB

Download
memory/644-1428-0x00000137F6080000-0x00000137F6088000-memory.dmp

Filesize
32KB

Download
memory/644-1418-0x00000137F6120000-0x00000137F61F0000-memory.dmp

Filesize
832KB

Download
memory/644-1209-0x00000137F7B00000-0x00000137F7B08000-memory.dmp

Filesize
32KB

Download
memory/644-1192-0x00000137F78E0000-0x00000137F7A93000-memory.dmp

Filesize
1.7MB

Download
memory/644-1188-0x00000137FA0B0000-0x00000137FA0C2000-memory.dmp

Filesize
72KB

Download
memory/644-1144-0x00000137F6A00000-0x00000137F6B66000-memory.dmp

Filesize
1.4MB

Download
memory/644-1145-0x00000137F6920000-0x00000137F69B4000-memory.dmp

Filesize
592KB

Download
memory/644-1146-0x00000137F6C30000-0x00000137F6CE2000-memory.dmp

Filesize
712KB

Download
memory/644-1148-0x00000137DDFD0000-0x00000137DDFFA000-memory.dmp

Filesize
168KB

Download
memory/644-1147-0x00000137F6BB0000-0x00000137F6BEC000-memory.dmp

Filesize
240KB

Download
memory/644-1149-0x00000137F69C0000-0x00000137F69E2000-memory.dmp

Filesize
136KB

Download
memory/644-1151-0x00000137F6DB0000-0x00000137F6E66000-memory.dmp

Filesize
728KB

Download
memory/644-1156-0x00000137F6CF0000-0x00000137F6D16000-memory.dmp

Filesize
152KB

Download
memory/644-1155-0x00000137F6B90000-0x00000137F6BA2000-memory.dmp

Filesize
72KB

Download
memory/644-1158-0x00000137DE010000-0x00000137DE01A000-memory.dmp

Filesize
40KB

Download
memory/644-1157-0x00000137DDFA0000-0x00000137DDFA8000-memory.dmp

Filesize
32KB

Download
memory/644-1153-0x00000137F6B70000-0x00000137F6B8A000-memory.dmp

Filesize
104KB

Download
memory/644-1154-0x00000137F6F70000-0x00000137F706C000-memory.dmp

Filesize
1008KB

Download
memory/644-1152-0x00000137DDFB0000-0x00000137DDFBC000-memory.dmp

Filesize
48KB

Download
memory/644-1159-0x00000137F6BF0000-0x00000137F6C00000-memory.dmp

Filesize
64KB

Download
memory/644-1160-0x00000137F6C10000-0x00000137F6C18000-memory.dmp

Filesize
32KB

Download
memory/644-1161-0x00000137F6D60000-0x00000137F6D6E000-memory.dmp

Filesize
56KB

Download
memory/644-1163-0x00000137F74D0000-0x00000137F755A000-memory.dmp

Filesize
552KB

Download
memory/644-1164-0x00000137F76A0000-0x00000137F77D4000-memory.dmp

Filesize
1.2MB

Download
memory/644-1165-0x00000137F7560000-0x00000137F761A000-memory.dmp

Filesize
744KB

Download
memory/644-1166-0x00000137F7460000-0x00000137F74A2000-memory.dmp

Filesize
264KB

Download
memory/644-1167-0x00000137F7430000-0x00000137F743C000-memory.dmp

Filesize
48KB

Download
memory/644-1168-0x00000137F7420000-0x00000137F7428000-memory.dmp

Filesize
32KB

Download
memory/644-1170-0x00000137F7AC0000-0x00000137F7ACE000-memory.dmp

Filesize
56KB

Download
memory/644-1185-0x00000137FA090000-0x00000137FA0AC000-memory.dmp

Filesize
112KB

Download
memory/644-1186-0x00000137FA3F0000-0x00000137FA4EC000-memory.dmp

Filesize
1008KB

Download
memory/644-1176-0x00000137F7B50000-0x00000137F7B58000-memory.dmp

Filesize
32KB

Download
memory/644-1177-0x00000137FA0E0000-0x00000137FA130000-memory.dmp

Filesize
320KB

Download
memory/644-1180-0x00000137FA1E0000-0x00000137FA28A000-memory.dmp

Filesize
680KB

Download
memory/644-1182-0x00000137FA130000-0x00000137FA152000-memory.dmp

Filesize
136KB

Download
memory/644-1183-0x00000137FA160000-0x00000137FA1B0000-memory.dmp

Filesize
320KB

Download
memory/644-1184-0x00000137F7B60000-0x00000137F7B7E000-memory.dmp

Filesize
120KB

Download
memory/644-1181-0x00000137FA290000-0x00000137FA2EE000-memory.dmp

Filesize
376KB

Download
memory/4660-1403-0x0000019CEC730000-0x0000019CEC73C000-memory.dmp

Filesize
48KB

Download
memory/4884-593-0x0000000006EB0000-0x0000000006F16000-memory.dmp

Filesize
408KB

Download
memory/4884-608-0x000000000A080000-0x000000000A088000-memory.dmp

Filesize
32KB

Download
memory/4884-579-0x00000000053E0000-0x00000000053E8000-memory.dmp

Filesize
32KB

Download
memory/4884-609-0x000000000A0A0000-0x000000000A0A8000-memory.dmp

Filesize
32KB

Download
memory/4884-650-0x0000000006400000-0x000000000640A000-memory.dmp

Filesize
40KB

Download
memory/4884-595-0x0000000007610000-0x0000000007BB6000-memory.dmp

Filesize
5.6MB

Download
memory/4884-592-0x0000000005EC0000-0x0000000006217000-memory.dmp

Filesize
3.3MB

Download
memory/4884-591-0x0000000005D70000-0x0000000005D92000-memory.dmp

Filesize
136KB

Download
memory/4884-583-0x0000000005C90000-0x0000000005CA0000-memory.dmp

Filesize
64KB

Download
memory/4884-571-0x00000000055B0000-0x00000000055C2000-memory.dmp

Filesize
72KB

Download
memory/4884-575-0x0000000005910000-0x0000000005936000-memory.dmp

Filesize
152KB

Download
memory/4884-610-0x000000000AEE0000-0x000000000AF18000-memory.dmp

Filesize
224KB

Download
memory/4884-543-0x0000000000230000-0x0000000000298000-memory.dmp

Filesize
416KB

Download
memory/4884-598-0x0000000007F20000-0x0000000007FDA000-memory.dmp

Filesize
744KB

Download
memory/4884-594-0x0000000006FC0000-0x0000000007052000-memory.dmp

Filesize
584KB

Download
memory/4884-629-0x000000000A5C0000-0x000000000A5D2000-memory.dmp

Filesize
72KB

Download
memory/4884-628-0x000000000B830000-0x000000000B880000-memory.dmp

Filesize
320KB

Download
memory/4884-626-0x000000000AFA0000-0x000000000AFA8000-memory.dmp

Filesize
32KB

Download
memory/4884-567-0x00000000059A0000-0x0000000005A52000-memory.dmp

Filesize
712KB

Download
memory/4884-551-0x0000000005250000-0x00000000052E4000-memory.dmp

Filesize
592KB

Download
memory/4884-555-0x00000000053F0000-0x00000000054EC000-memory.dmp

Filesize
1008KB

Download
memory/4884-559-0x00000000051E0000-0x00000000051E8000-memory.dmp

Filesize
32KB

Download
memory/4884-611-0x000000000A100000-0x000000000A10E000-memory.dmp

Filesize
56KB

Download
memory/4884-563-0x00000000052F0000-0x0000000005340000-memory.dmp

Filesize
320KB

Download
memory/4884-547-0x0000000004E00000-0x0000000004F66000-memory.dmp

Filesize
1.4MB

Download
memory/4884-651-0x0000000006450000-0x0000000006472000-memory.dmp

Filesize
136KB

Download