Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
05/06/2024, 17:38
Static task
static1
Behavioral task
behavioral1
Sample
nightlight_desktop_setup-1.2.0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral2
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/webview2bootstrapper/MicrosoftEdgeWebview2Setup.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
NightLight Desktop.exe
Resource
win10v2004-20240426-en
General
-
Target
NightLight Desktop.exe
-
Size
12.1MB
-
MD5
7cb0c686be62a6a5118d3441b4792609
-
SHA1
f51fcce8020f5b0cb0d6d3e8ce7aad259f2365a1
-
SHA256
8254514e476344d58f9f2aad6b6ba5b5f7853e82efdde08124910b4fc139e356
-
SHA512
2af1228786b90fc5287c1bbd56f05a7a8ce72d5162d75718e429c3a90e1812459ba4a7e9e24a903137428ec51ce82eb7946d96fd6de98a1611cced8bcad9818f
-
SSDEEP
98304:Gs37s+saQ5zLeSTdYfOU7baBzjYz0ILiVUEp2rbvfMWXtEN:qfaQ5zLiflatpknAN
Malware Config
Signatures
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NightLight Desktop.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA NightLight Desktop.exe -
Downloads MZ/PE file
-
Sets file execution options in registry 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation msedgewebview2.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation msedgewebview2.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation msedgewebview2.exe Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation msedgewebview2.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks system information in the registry 2 TTPs 14 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer msedgewebview2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName msedgewebview2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer msedgewebview2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName msedgewebview2.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\125.0.2535.85.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\identity_proxy\win11\identity_helper.Sparse.Internal.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\Trust Protection Lists\Mu\Social setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU5A07.tmp\msedgeupdateres_fi.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\BHO\ie_to_edge_bho_64.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Locales\lb.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Trust Protection Lists\Sigma\Cryptomining setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\Locales\mi.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU5A07.tmp\msedgeupdateres_fr-CA.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\resources.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Trust Protection Lists\Mu\Advertising setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\Locales\da.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Locales\zh-TW.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Locales\mk.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\VisualElements\LogoCanary.png setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU5A07.tmp\msedgeupdateres_sl.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU5A07.tmp\msedgeupdateres_pa.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\identity_proxy\internal.identity_helper.exe.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\Locales\sk.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\VisualElements\LogoCanary.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Locales\it.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\identity_proxy\win10\identity_helper.Sparse.Internal.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\Trust Protection Lists\Sigma\Entities setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\VisualElements\SmallLogo.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Locales\ar.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU5A07.tmp\msedgeupdateres_ja.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Locales\nl.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\msedge_pwa_launcher.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\vcruntime140_1.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\libGLESv2.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\msedge.dll.sig setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe.sig setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Locales\tt.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\identity_proxy\resources.pri setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\vk_swiftshader_icd.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\Locales\sr-Latn-RS.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU5A07.tmp\msedgeupdateres_lb.dll MicrosoftEdgeWebview2Setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\delegatedWebFeatures.sccd setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\telclient.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Trust Protection Lists\Sigma\Fingerprinting setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\libEGL.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Locales\pa.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\Trust Protection Lists\Mu\Advertising setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\Locales\fil.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\ffmpeg.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\elevation_service.exe setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\identity_proxy\win11\identity_helper.Sparse.Beta.msix setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Locales\da.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\identity_proxy\win10\identity_helper.Sparse.Stable.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Locales\sq.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\Locales\qu.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\Locales\zh-TW.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU5A07.tmp\psmachine.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU5A07.tmp\msedgeupdateres_zh-TW.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Locales\en-GB.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Trust Protection Lists\Sigma\Advertising setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Trust Protection Lists\Mu\Other setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Locales\tr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\Locales\fa.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Trust Protection Lists\Mu\Other setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\Trust Protection Lists\Sigma\LICENSE setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\VisualElements\SmallLogoDev.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\125.0.2535.85\msedge.exe setup.exe -
Executes dropped EXE 29 IoCs
pid Process 1888 MicrosoftEdgeWebview2Setup.exe 4064 MicrosoftEdgeUpdate.exe 840 MicrosoftEdgeUpdate.exe 2356 MicrosoftEdgeUpdate.exe 5020 MicrosoftEdgeUpdateComRegisterShell64.exe 844 MicrosoftEdgeUpdateComRegisterShell64.exe 3316 MicrosoftEdgeUpdateComRegisterShell64.exe 1164 MicrosoftEdgeUpdate.exe 4044 MicrosoftEdgeUpdate.exe 4908 MicrosoftEdgeUpdate.exe 2088 MicrosoftEdgeUpdate.exe 5020 MicrosoftEdge_X64_125.0.2535.85.exe 3536 setup.exe 2668 setup.exe 688 MicrosoftEdgeUpdate.exe 4248 msedgewebview2.exe 2492 msedgewebview2.exe 392 msedgewebview2.exe 3652 msedgewebview2.exe 4344 msedgewebview2.exe 3264 msedgewebview2.exe 3344 NightLight Desktop.exe 4044 NightLight Desktop.exe 3148 msedgewebview2.exe 2308 msedgewebview2.exe 2688 msedgewebview2.exe 380 msedgewebview2.exe 4868 msedgewebview2.exe 4188 msedgewebview2.exe -
Loads dropped DLL 56 IoCs
pid Process 4064 MicrosoftEdgeUpdate.exe 840 MicrosoftEdgeUpdate.exe 2356 MicrosoftEdgeUpdate.exe 5020 MicrosoftEdgeUpdateComRegisterShell64.exe 2356 MicrosoftEdgeUpdate.exe 844 MicrosoftEdgeUpdateComRegisterShell64.exe 2356 MicrosoftEdgeUpdate.exe 3316 MicrosoftEdgeUpdateComRegisterShell64.exe 2356 MicrosoftEdgeUpdate.exe 1164 MicrosoftEdgeUpdate.exe 4044 MicrosoftEdgeUpdate.exe 4908 MicrosoftEdgeUpdate.exe 4908 MicrosoftEdgeUpdate.exe 4044 MicrosoftEdgeUpdate.exe 2088 MicrosoftEdgeUpdate.exe 688 MicrosoftEdgeUpdate.exe 2560 NightLight Desktop.exe 4248 msedgewebview2.exe 2492 msedgewebview2.exe 4248 msedgewebview2.exe 4248 msedgewebview2.exe 4248 msedgewebview2.exe 392 msedgewebview2.exe 3652 msedgewebview2.exe 3652 msedgewebview2.exe 4344 msedgewebview2.exe 392 msedgewebview2.exe 4344 msedgewebview2.exe 392 msedgewebview2.exe 392 msedgewebview2.exe 392 msedgewebview2.exe 392 msedgewebview2.exe 3264 msedgewebview2.exe 3264 msedgewebview2.exe 3264 msedgewebview2.exe 4248 msedgewebview2.exe 4044 NightLight Desktop.exe 3148 msedgewebview2.exe 2308 msedgewebview2.exe 3148 msedgewebview2.exe 3148 msedgewebview2.exe 3148 msedgewebview2.exe 2688 msedgewebview2.exe 380 msedgewebview2.exe 2688 msedgewebview2.exe 380 msedgewebview2.exe 4868 msedgewebview2.exe 4868 msedgewebview2.exe 2688 msedgewebview2.exe 2688 msedgewebview2.exe 2688 msedgewebview2.exe 2688 msedgewebview2.exe 4188 msedgewebview2.exe 4188 msedgewebview2.exe 4188 msedgewebview2.exe 3148 msedgewebview2.exe -
Registers COM server for autorun 1 TTPs 33 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2B1EC306-3EDE-4012-9BB0-FB836132FF52}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedgewebview2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedgewebview2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedgewebview2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedgewebview2.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedgewebview2.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedgewebview2.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry msedgewebview2.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133620828681081464" msedgewebview2.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassSvc" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods\ = "43" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3} MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ = "ICredentialDialog" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32 MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89FDB4D0-1F76-49D6-A941-6C3C08FC261F} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher.1.0\CLSID\ = "{08D832B9-D2FD-481F-98CF-904D00DF63CC}" MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ = "IApp" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ = "IGoogleUpdateCore" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32 MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LOCALSERVER32 MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ProgID\ = "MicrosoftEdgeUpdate.Update3WebMachine.1.0" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0\ = "Microsoft Edge Update CredentialDialog" MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\PROGID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32 MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService.1.0\CLSID\ = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc.1.0\CLSID\ = "{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods\ = "4" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachine" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ = "IGoogleUpdate3WebSecurity" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc\ = "Microsoft Edge Update Legacy On Demand" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ = "IPolicyStatus3" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc.1.0\ = "Google Update Policy Status Class" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32 MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32\ = "{2B1EC306-3EDE-4012-9BB0-FB836132FF52}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{89FDB4D0-1F76-49D6-A941-6C3C08FC261F}\InprocHandler32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2" MicrosoftEdgeUpdateComRegisterShell64.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C NightLight Desktop.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 NightLight Desktop.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 NightLight Desktop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 NightLight Desktop.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 NightLight Desktop.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 NightLight Desktop.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid Process 4064 MicrosoftEdgeUpdate.exe 4064 MicrosoftEdgeUpdate.exe 4064 MicrosoftEdgeUpdate.exe 4064 MicrosoftEdgeUpdate.exe 4064 MicrosoftEdgeUpdate.exe 4064 MicrosoftEdgeUpdate.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs
pid Process 4248 msedgewebview2.exe 3148 msedgewebview2.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2560 NightLight Desktop.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 4064 MicrosoftEdgeUpdate.exe Token: SeDebugPrivilege 4064 MicrosoftEdgeUpdate.exe Token: 33 4104 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 4104 AUDIODG.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3100 wrote to memory of 2560 3100 NightLight Desktop.exe 84 PID 3100 wrote to memory of 2560 3100 NightLight Desktop.exe 84 PID 2560 wrote to memory of 1888 2560 NightLight Desktop.exe 91 PID 2560 wrote to memory of 1888 2560 NightLight Desktop.exe 91 PID 2560 wrote to memory of 1888 2560 NightLight Desktop.exe 91 PID 1888 wrote to memory of 4064 1888 MicrosoftEdgeWebview2Setup.exe 94 PID 1888 wrote to memory of 4064 1888 MicrosoftEdgeWebview2Setup.exe 94 PID 1888 wrote to memory of 4064 1888 MicrosoftEdgeWebview2Setup.exe 94 PID 4064 wrote to memory of 840 4064 MicrosoftEdgeUpdate.exe 95 PID 4064 wrote to memory of 840 4064 MicrosoftEdgeUpdate.exe 95 PID 4064 wrote to memory of 840 4064 MicrosoftEdgeUpdate.exe 95 PID 4064 wrote to memory of 2356 4064 MicrosoftEdgeUpdate.exe 96 PID 4064 wrote to memory of 2356 4064 MicrosoftEdgeUpdate.exe 96 PID 4064 wrote to memory of 2356 4064 MicrosoftEdgeUpdate.exe 96 PID 2356 wrote to memory of 5020 2356 MicrosoftEdgeUpdate.exe 97 PID 2356 wrote to memory of 5020 2356 MicrosoftEdgeUpdate.exe 97 PID 2356 wrote to memory of 844 2356 MicrosoftEdgeUpdate.exe 98 PID 2356 wrote to memory of 844 2356 MicrosoftEdgeUpdate.exe 98 PID 2356 wrote to memory of 3316 2356 MicrosoftEdgeUpdate.exe 99 PID 2356 wrote to memory of 3316 2356 MicrosoftEdgeUpdate.exe 99 PID 4064 wrote to memory of 1164 4064 MicrosoftEdgeUpdate.exe 100 PID 4064 wrote to memory of 1164 4064 MicrosoftEdgeUpdate.exe 100 PID 4064 wrote to memory of 1164 4064 MicrosoftEdgeUpdate.exe 100 PID 4064 wrote to memory of 4044 4064 MicrosoftEdgeUpdate.exe 101 PID 4064 wrote to memory of 4044 4064 MicrosoftEdgeUpdate.exe 101 PID 4064 wrote to memory of 4044 4064 MicrosoftEdgeUpdate.exe 101 PID 4908 wrote to memory of 2088 4908 MicrosoftEdgeUpdate.exe 103 PID 4908 wrote to memory of 2088 4908 MicrosoftEdgeUpdate.exe 103 PID 4908 wrote to memory of 2088 4908 MicrosoftEdgeUpdate.exe 103 PID 4908 wrote to memory of 5020 4908 MicrosoftEdgeUpdate.exe 106 PID 4908 wrote to memory of 5020 4908 MicrosoftEdgeUpdate.exe 106 PID 5020 wrote to memory of 3536 5020 MicrosoftEdge_X64_125.0.2535.85.exe 107 PID 5020 wrote to memory of 3536 5020 MicrosoftEdge_X64_125.0.2535.85.exe 107 PID 3536 wrote to memory of 2668 3536 setup.exe 108 PID 3536 wrote to memory of 2668 3536 setup.exe 108 PID 4908 wrote to memory of 688 4908 MicrosoftEdgeUpdate.exe 109 PID 4908 wrote to memory of 688 4908 MicrosoftEdgeUpdate.exe 109 PID 4908 wrote to memory of 688 4908 MicrosoftEdgeUpdate.exe 109 PID 2560 wrote to memory of 4248 2560 NightLight Desktop.exe 110 PID 2560 wrote to memory of 4248 2560 NightLight Desktop.exe 110 PID 4248 wrote to memory of 2492 4248 msedgewebview2.exe 111 PID 4248 wrote to memory of 2492 4248 msedgewebview2.exe 111 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 PID 4248 wrote to memory of 392 4248 msedgewebview2.exe 112 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection msedgewebview2.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection msedgewebview2.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NightLight Desktop.exe"C:\Users\Admin\AppData\Local\Temp\NightLight Desktop.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Users\Admin\AppData\Local\Temp\NightLight Desktop.exe"C:\Users\Admin\AppData\Local\Temp\NightLight Desktop.exe"2⤵
- Checks whether UAC is enabled
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exeC:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Program Files (x86)\Microsoft\Temp\EU5A07.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU5A07.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"4⤵
- Sets file execution options in registry
- Checks computer location settings
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:840
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:5020
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:844
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.39\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3316
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEFGQTYzNEItMDM0Ri00NThGLTg2Q0MtNjVCREQ4RDRFN0E4fSIgdXNlcmlkPSJ7QjY5N0VGNTktMENDRS00MEFDLTg2MzMtRjA1QjQ1RDQ5MjcyfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezJDMTJGMTZDLTkwMkYtNEU5My05QzE4LTFGQTQ1Q0JEOUU4RH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtEeE9iakhHYStuUmEyYXRDM3dvK0lFcEM3OCtaWWVBVWJrWHBEQzJjajdVPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTg1LjI5IiBuZXh0dmVyc2lvbj0iMS4zLjE4Ny4zOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDYyNTc2OTk4MyIgaW5zdGFsbF90aW1lX21zPSI2MDkiLz48L2FwcD48L3JlcXVlc3Q-5⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
PID:1164
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource taggedmi /sessionid "{8AFA634B-034F-458F-86CC-65BDD8D4E7A8}"5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4044
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="NightLight Desktop.exe" --webview-exe-version=1.2.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msSmartScreenProtection --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=2560.3080.133878857512218766403⤵
- Checks computer location settings
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4248 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=125.0.2535.85 --initial-client-data=0x15c,0x160,0x164,0x138,0x16c,0x7ffa21e54ef8,0x7ffa21e54f04,0x7ffa21e54f104⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView" --webview-exe-name="NightLight Desktop.exe" --webview-exe-version=1.2.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,13439752485269174419,2087992685212442910,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=1820 /prefetch:24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:392
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView" --webview-exe-name="NightLight Desktop.exe" --webview-exe-version=1.2.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=1824,i,13439752485269174419,2087992685212442910,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=1924 /prefetch:34⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4344
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView" --webview-exe-name="NightLight Desktop.exe" --webview-exe-version=1.2.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2308,i,13439752485269174419,2087992685212442910,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2320 /prefetch:84⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3652
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView" --webview-exe-name="NightLight Desktop.exe" --webview-exe-version=1.2.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3572,i,13439752485269174419,2087992685212442910,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:14⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:3264
-
-
-
C:\Users\Admin\AppData\Local\Temp\NightLight Desktop.exeC:\Users\Admin\AppData\Local\Temp -wait=true3⤵
- Executes dropped EXE
PID:3344 -
C:\Users\Admin\AppData\Local\Temp\NightLight Desktop.exe"C:\Users\Admin\AppData\Local\Temp\NightLight Desktop.exe" -wait=true4⤵
- Checks whether UAC is enabled
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:4044 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="NightLight Desktop.exe" --webview-exe-version=1.3.1 --user-data-dir="C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msSmartScreenProtection --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=4044.4496.7311231652143132335⤵
- Checks computer location settings
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- System policy modification
PID:3148 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=125.0.2535.85 --initial-client-data=0x160,0x164,0x168,0x13c,0x170,0x7ffa21e54ef8,0x7ffa21e54f04,0x7ffa21e54f106⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView" --webview-exe-name="NightLight Desktop.exe" --webview-exe-version=1.3.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,10242680044777913073,9263027539044313560,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=1764 /prefetch:26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView" --webview-exe-name="NightLight Desktop.exe" --webview-exe-version=1.3.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=1936,i,10242680044777913073,9263027539044313560,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=1828 /prefetch:36⤵
- Executes dropped EXE
- Loads dropped DLL
PID:380
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView" --webview-exe-name="NightLight Desktop.exe" --webview-exe-version=1.3.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2228,i,10242680044777913073,9263027539044313560,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2276 /prefetch:86⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4868
-
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.85\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView" --webview-exe-name="NightLight Desktop.exe" --webview-exe-version=1.3.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3472,i,10242680044777913073,9263027539044313560,262144 --enable-features=MojoIpcz --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=3508 /prefetch:16⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4188
-
-
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEFGQTYzNEItMDM0Ri00NThGLTg2Q0MtNjVCREQ4RDRFN0E4fSIgdXNlcmlkPSJ7QjY5N0VGNTktMENDRS00MEFDLTg2MzMtRjA1QjQ1RDQ5MjcyfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7NjU5NkMwQUEtNDJEOS00ODNBLUE0RTMtRjVFN0Y4QjhBMzI0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0Q2anhQZVVtS2ZoOHl0eTZGMDdZeE0xZVpESC9UVjZGUVQyZmZEaVp5d3c9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjExMC4wLjU0ODEuMTA0IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0MCIgaW5zdGFsbGRhdGV0aW1lPSIxNzE0MTM1OTIxIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNTg2MDg1ODAwMDAwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDMyNCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDYyOTk4ODc2NSIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
PID:2088
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9527BF5C-BCEF-4F5D-B58B-3F5F43412B7C}\MicrosoftEdge_X64_125.0.2535.85.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9527BF5C-BCEF-4F5D-B58B-3F5F43412B7C}\MicrosoftEdge_X64_125.0.2535.85.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9527BF5C-BCEF-4F5D-B58B-3F5F43412B7C}\EDGEMITMP_9D2D0.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9527BF5C-BCEF-4F5D-B58B-3F5F43412B7C}\EDGEMITMP_9D2D0.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9527BF5C-BCEF-4F5D-B58B-3F5F43412B7C}\MicrosoftEdge_X64_125.0.2535.85.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9527BF5C-BCEF-4F5D-B58B-3F5F43412B7C}\EDGEMITMP_9D2D0.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9527BF5C-BCEF-4F5D-B58B-3F5F43412B7C}\EDGEMITMP_9D2D0.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{9527BF5C-BCEF-4F5D-B58B-3F5F43412B7C}\EDGEMITMP_9D2D0.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=125.0.2535.85 --initial-client-data=0x288,0x28c,0x290,0x264,0x294,0x7ff7d7264b18,0x7ff7d7264b24,0x7ff7d7264b304⤵
- Executes dropped EXE
PID:2668
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7OEFGQTYzNEItMDM0Ri00NThGLTg2Q0MtNjVCREQ4RDRFN0E4fSIgdXNlcmlkPSJ7QjY5N0VGNTktMENDRS00MEFDLTg2MzMtRjA1QjQ1RDQ5MjcyfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezM0QTcxMDQ4LUU0MTctNDc0OC04QTdFLTdGRjg1NjdGMjBDNX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMjUuMC4yNTM1Ljg1IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0NjQxNTUxMzMwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNDY0MTU1MTMzMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0MzUxNjAxMDciIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5mLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzNjNzc1ZTc1LWFmZjgtNGFmMS1hZWRlLTdhNWMwMzQ5YWEwYj9QMT0xNzE4MjEzOTM1JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUlYSGw2QzRuSU52dzlZRGFrTVlQdW1wc1hOJTJiSFNkUVF2MkZxM00xdThxeENHWE9YYVpDNlBKYnBRQW55VTJ6MGslMmZncTlLVmhBSUZrZHVzUFJXJTJiUHRnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTczNjc1NTc2IiB0b3RhbD0iMTczNjc1NTc2IiBkb3dubG9hZF90aW1lX21zPSI3MjI5OCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0MzUxNjAxMDciIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDQ4OTEwNDMwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1ODgzMTY3MzMxIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iNzE5IiBkb3dubG9hZF90aW1lX21zPSI3OTMyOSIgZG93bmxvYWRlZD0iMTczNjc1NTc2IiB0b3RhbD0iMTczNjc1NTc2IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI0MzQyNiIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
PID:688
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x404 0x4a01⤵
- Suspicious use of AdjustPrivilegeToken
PID:4104
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.9MB
MD5776d096934ab49e06d98f228f2f09578
SHA185843747c6b28fbfa094ffd37306260a0b80665c
SHA2564454ee06716329235c9395b1bc3c5498565074bd43fffd70123935ed68096796
SHA512cada5800ea29613e4cebc370a77b0fa589656ed27cf52eb3f6ae0321d951a98afaa192ae1e06c3a4662726b64a9f84903cc3ec633f7170d1bf25cc66c8ad4354
-
Filesize
12KB
MD5369bbc37cff290adb8963dc5e518b9b8
SHA1de0ef569f7ef55032e4b18d3a03542cc2bbac191
SHA2563d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3
SHA5124f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1
-
Filesize
179KB
MD580779f870e88307143083fcf97f251b4
SHA1e299c63a8745ab0a46cae731514f936f9714d622
SHA2568a75eaf5677dc11b1c37fbf57ca354b0e3d25c8aa867269c2deb0e7fb7fa0693
SHA512a1f56f0706cf7cbd35d74840ed58c685f3bf86e35efcbd73ae2d73ca6ce9a8ad1f7ced8528b3d81785e3bb9297023bf42f8e60bc4631232d9947cdbeb56afb47
-
Filesize
201KB
MD5d80d6c8774203980beb027e2192f7df0
SHA1cadf926c78a87b65289979388c34191925b57167
SHA25641587c47ed8b365599332d5e321437a6dfca746edfc782a231f5d0d4174b5cb8
SHA512c7f67d6c11ab42619b10f341bff9e433fbd36c40fadd283485d60cadbffee8f7448144b221416445aab92593a08c42a6639a225f0baa064cb9cf090d9169cbde
-
Filesize
212KB
MD5f87a4644fd6dc581ef7b67062fdb55ba
SHA138feeaf764e787bd68c06fe243c6064f130b8eab
SHA2561c2fd257dfc2c3967f7afc0ee726319cb6eaa0f1db86c34f97d703ce7bdcb5eb
SHA5121f054a7111c9d7576ca80b3102670786f8d44276d36446c96f1c8f6aa7f51aa4d81edd4cc36a33cbffeba6d5b6b313f5de0e4209f6edbfe291958b2022677125
-
Filesize
257KB
MD508e9b96eb44be746d65eae418abeb20b
SHA1eb86e91462752a1187d73cf678671bbe34d16dad
SHA25639f7c35da1df0dca19b5bc426f0687ff0f8ae8de3ae997857a4672f1176de161
SHA51270e08d09ef398eefbace3bce84e6b6c3e55b6caad8886002fd89466e455e6ffecbfca8d233f47de5cd99a5f6805952726676c8545c7d4884209355a48a34d396
-
Filesize
4KB
MD56dd5bf0743f2366a0bdd37e302783bcd
SHA1e5ff6e044c40c02b1fc78304804fe1f993fed2e6
SHA25691d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5
SHA512f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e
-
Filesize
2.1MB
MD5bfc0ece0ce72654a772f425a2f6a7f89
SHA1a464076f5d87582dce2adeeaf3b522c688d5a14a
SHA256bd57792535d7f2c75136fe09241fce48b225b7d451b5e6241cd40e6374db388e
SHA512b027339fe0d73fccbad23ecb34dc8e40f6e0c64584ee0367a2c565802fcd6870fd28563f19789207d2e6a4e13d1ffff515fc10a22193a7765115be927106255c
-
Filesize
28KB
MD591295713d791ad6378b117d020c63444
SHA10055846b91740c4631026affb5c044b1261e53a8
SHA25641d0565075327e4a0d1364eb556a238981659f063054404458c0b7b37ec64574
SHA51255fbbe74bf45ff9700d5a3b940aac9992625a994bc64f842560a0c15e9a8f85a9cb51db993fc43b412608089d3ed6078a8a81afcba33e7e0b0d9b72a4a5b0358
-
Filesize
24KB
MD5f18d85b1e1c45b935e0003f1dbb912f0
SHA1ba3da8ed55807f6dbb8641620e2594b245e80ced
SHA2562fa5350047962335602e7a450d1e29951609487e997bf183ce0eb5d01b28f066
SHA5127a0a22a7efe14f8f8541dd5d59a355d6b601ab3aed2d7ab3895e31d4a1c6531b199243223a3b001dad06186c1f4eca882966c197f2c05256c9f73d8ba96e50bc
-
Filesize
26KB
MD5b09436f36b5a4a81a153984bbf3fddfc
SHA16939928c6c5cfa89525e728b541568869de2804b
SHA256b4e66f907dde78b4d4f85c5c44656667b7b0fa0659eb56f7f96d974cb66d4dd0
SHA512472798b8419b2e6614c72eac27bd3c3a2ac0d93b3a15c992d26d44f1ee3f628406a405df36145bdeeee45b2e96b2def9058869dd2dc857030ae7972e0b0bcf52
-
Filesize
28KB
MD57b0f190cfa90f9cfcac3f22644b03559
SHA1de5aa579ead3696433d5509d922fab6fc4954746
SHA25668a495ee65652ebb55f856b7a82dde20fdda0b38880019170fa5cbafb336c123
SHA51262572ed3b1cef8d8aac514c9224c4b44546b4c935ab141eeaa696a69caa88b3525199d75fd2f5edaf15fae07b354a7c5e7df86d50dbc50cc093448640b95fdae
-
Filesize
29KB
MD5f4c8a5f7bc960a03ddf8b74dfae1b060
SHA174ee2f8420d86652cb4be3b72dadd52c31ee6689
SHA2563ccf9900953a871a129280260909acfc20aa23644181e354847fbe6b2e005110
SHA512c9c1b64a5da33130be847f0f2e5acee2af78ec84df14c873d1413a495c40a84c318435c43b5e17ccb0fe2929cc97350bef882b68632f1a80551c0e79ff2bcdcd
-
Filesize
29KB
MD5e53485ec77800ab9ea0283aac2d0aa89
SHA17b4bd4a142a78a95273a91396fbed85432789f34
SHA2566b380706e9273948be9995da09e3aebb71e7275ba6852086cf5bd1594c7d1232
SHA512514617c4142cb5f1eb2f72be50d81158136d427d83a8d4f93e6c0c08c30fa012379453a2046ab068cb51853e8c8b12b81df4c18ee80cfb279d80ce4ba5d65b04
-
Filesize
29KB
MD5c00dd2c1ada230d747f4914e569a4766
SHA13c71082db0a88876fd0c929cbf2e25969669c395
SHA25619fecbe5aa1f007f5f4ed719ad474b3270603c1535f187067c30ceddd4444091
SHA5125a33f9b756ed41251f4e85a2b85489c679c350e2838e07b1df00b17f655f73d4b16783cbd4031863fb9c9851815ebbd5bb1f58c465e7d88a41d642d0118530c0
-
Filesize
29KB
MD5f010d0ef5fa1c42df991e6a0dd63ea85
SHA1ebb19b0804b99f55c41754bfc43d654b87f86b14
SHA25697e41d2acb8b638ac2a039da4f9750a0e9387ac10433cb68e0415c0093695ce0
SHA51231fcca5c46be1967696fc9b3e9d23a4d81700fea64a826245b674dd1a0c4571a4515ceec6e9fc7d3c9d6bb2a7b7139082bded78847d614917e605b806597ce84
-
Filesize
28KB
MD5cfdfa919f3f9b33b9e75f9e22a023063
SHA12bcfdf9abfe7c13b8883da19cb973da2156a93c2
SHA2564d2ad964da1441bb08800618db62f9e8117751a4a78bdfa3ae1c2dcf903d6d43
SHA51242481f9700d2afa9d28d7d4d1d1937e1acd569b3039230fb6d7c52de12d473e708324d1cd285985186e2531831004d5ec2b801f48a0ce3dbf53549fb88ac7793
-
Filesize
29KB
MD5acfd43f9fb09dc5e05842bb8dfa5b3c5
SHA1e673afb66da1f0065bee5da6d52ea9af75e7ecec
SHA256e703d0fe2e49eef7b8a072830e76143281039527d9c2873c8162f18217b0ed5a
SHA512df2416d672f059451607a6aa5752bdfce1989fc461f3781033ae8b000941ecc2a29920e7c2c61f7f879cc2a9a63aceb390b627aa602506833ae41f8e574c66aa
-
Filesize
30KB
MD5a1f2eb33a406b65da04306f52686d6df
SHA11a5314c97f23df4ced0466c46aca61286f87d9d2
SHA256d75877f6cc1b4be175872e8d33778721e3e5acfe1a1154772a68c799f2e3ee1a
SHA5124d0bfaf9fa80cf308c629eddee7a850dd485d36753fa5c0825b05dd680998aba96eaad7835de1ddea357a124bf5107d3f10b1b71c0ba4fecdc4fc362b6f326f2
-
Filesize
28KB
MD5ea83abf1891a11ff03172d0473a64923
SHA1a19f2e3a26467d8dba5eb73194be1becd0f5563b
SHA2568a981d1abbd9c6454d2798c7df5708e4af44f54991ac06e988e4e66022c15489
SHA512f717431b7fca156a476059525307c7f82c74570b1b9c41d6596af14a340d8b3c26493f962c4f4cbfef0d6971d47822e91111ce2f1204c7127a6f6503942bb39c
-
Filesize
28KB
MD5eafbe4b540d5717792cf9e1107aaba90
SHA199daa2697b99139c966e58d8e89a64667a9015b3
SHA256a12771439505f2d419b246d6a974fe8937e0aa5d3b1f9863dbae9f4b7e6197c8
SHA512d89ca2292190b5914b92f11087970910d18b5e60bbc853466d2439b84612f74248f57b8347c48ee3b1f11232771f99ddb07229cec4beb206bcb1bcee68e6183b
-
Filesize
28KB
MD5887777535ec4dafc37e04009dc33d46e
SHA187755165910c80b6451e6e49c6a5dea346f949f2
SHA2568123fc78e3217a67de7051574abc16d33043ac9a1d67fbe1220a51ef92c8d80e
SHA512a67f21474ffdad53ffbdaa8cf8142b399eba399daedaa7c82b62b4d4629b1d60bcb6f04e87ca030299c14dac9f6c291c5d4069181bdc14c83def63c0ac0c68e3
-
Filesize
30KB
MD588580c499f109cef95f3020b64266097
SHA1da6cd858d8e9715a82a792da35a4c97b76e341a4
SHA256444f87c7ab5a89e3d423b497abf05fe22ae4605569abd83f3925d3a50a74cd08
SHA5121838d59b0e414b68b785646b01c8c5f6ebf0466e59c946ebf845782edeca76a396609ef2742341b4d89fad58468d9f0e0e24492be78255ac71a3e0e963e1c999
-
Filesize
30KB
MD5f9bbe44306e396b4f5828033d4a8e129
SHA12db819ba55ceaa502f7158159d1d6c3de8844ccc
SHA2563723b0bb625284d49824ab7689721e180238e0c693fb41d9948920210fb171ce
SHA512608e1122641ff864627d144925d853bfedb7704cda6bef9257d6ae2a6c5d6eb4e2ef773f717cfab1f9c463b17997acf8762b08ac24412ea898e4cd690809d1fb
-
Filesize
27KB
MD5f80b43c11b35344c4601f91d61ba01aa
SHA19cdbe9b73dc803e642cdf8fa7c9be3ed13928009
SHA25618cc6c1c2cb593f1f0450745e5ad4d5d0be3b7d6d3f904b907ffb863391badba
SHA512be390c82be4956090d55f96ef78387d3fe4abb149ddeb66fa6e61c52d2c480f0cd7cce580554ad2743c118697a2d761e1f0ff37f7f50ac437e6f154143fc1ff9
-
Filesize
27KB
MD57f82701452b6dfdf75c83df9b865a168
SHA1cbc560711f74a63781c5de971421a7c3d87452de
SHA256fb69f9c72a5026b21ebe7717e58f7382ac8a960849c4676b5733948aedf186a0
SHA512be6ef129d66a0413edb0c67b82bd4fa3d58e63f61ba5969781c19fee11b37fc6665dad3f99331e5b813e40f9b5a0ecf80412712885b8cd920ded6b7d43d2c82b
-
Filesize
29KB
MD53c2f0bf38763071676a0e2d3428d3ce2
SHA1d7f550ad1b00df2ef3dc962ace455958e0c715c3
SHA2560ae0b861bc4079593e4fe9a2721b187245a80afec33742f80fa7bab4c63928bc
SHA5129317ae64848b626b95c7f129c4ca30ec64e6ae6f686b4a71a9a31d2cbc1adde352001463421a5581324a85d4492b9d06f58698fb89c4c80775fdb1ee91eaf87f
-
Filesize
28KB
MD519d6139c5aa6162e8a2a8ba17ec81822
SHA1d81f95f5e4021c4ef9b9781d32a729782eeccbbe
SHA256f9ba82d35d780cf5b4819570e81933b06da524eacb5d0eebeef4276aafb9c96e
SHA5127b287470db50e78bebe8c0906d5f0ccf3aa2c20f70948f7074a8dad29eef40d850c996a790eccdef6ec3d5271a22a5100cb96720966cf0fc032c139e42e10e37
-
Filesize
28KB
MD5bd8f9362d99be154cdd697b8120e096d
SHA1c15f2533bd74320a85cafe96b37947bdc3d7cdb3
SHA25649424f739809b3d7fe874852420cd91752cfa605005bf6186c9f89b1b704f40e
SHA51269341c9521488c26b16740e9a5501ee6f0a95689d14aa3806df06bf1a21e9b902743e24d3d169a66b5a19c28a6c9217538162ce4fa6b2b3f658e276327de34d9
-
Filesize
28KB
MD5e3db9c5ec70ac6c8bf69272f3596c7bb
SHA1815d877bfe2dcf83a5387da48c3e7534c97f0bb8
SHA2560aaa5b02f2541fdbea4357155e3ff28c4d715994646364fb9cff591c27c8150a
SHA512b6d283923b7ad531014f9113dc95c8484deb76cfffd738f223057839de0b163053b5fbb2447fda238369275637870b3e5e911b8f4ab04e4115b6ce7a7f84cd5a
-
Filesize
27KB
MD53aa4579d9819617c80568f1f2cb1e287
SHA1271fa4f97b32d76fa890c4cb9c30ddb2e0298152
SHA25677b558ba96080390a79ec321af1579b1d17b7179e8a893e10462c7b22c8e8a5e
SHA512aecf49ff9385947cd7b5c9c0626015c36b106ef6482ecc47c8c189e5d9e4d670ef119e47302accab93214e6b70e9641aebac552d0b2cde4ef4ac252d3ee8d465
-
Filesize
28KB
MD58f5be4d7e225f2cbf66f3960b56502d0
SHA1f43fe1f55007dda26ebf78711ebbfb512390b7ed
SHA256a121a308be48878337fe8c68a45aa10ca898e39c2d195ef244bb657755327366
SHA512f92088d7babe2d0f4eee14e16f6d67fab8225dff0d3798b1c47f5a291cc9b820c2a7a0c2eecaa97850fa6998e260932941364b100eb8047e5e4bc9e1432a3c06
-
Filesize
29KB
MD549c11b98ab805533476c335f62502a73
SHA174bf2b11f0a695f5581ede4f2e4215decd5e0409
SHA2566b982a78ff95831477342ed6935dbd3abd1f730dd9bf364afc2556ce6a3afd50
SHA5123e64b2f1b15bf4436368732757f2a92f8983da5a996dd179824e82205041c41b2235a00c3bd0d765d5630d20902dc978018436657114f569aa89e09b3bde69c4
-
Filesize
30KB
MD5f5c88d98f81d525185f5ad8ce5572e86
SHA15cd1375cc42a430aec940e4d73b90748890abc79
SHA2566f6eef8c4afb0deee2497a55854f10407a69dd76e2211c83dc33546f6917a7ad
SHA512ce41a2dcaa35145e4a638af9e70d3efb9ae5ba8357d0ad3762ab2dd5ed7a1bf141efa83ad9922e0aa11d73521d498226e83515b0166611e7ce1c81f0be9d4ba2
-
Filesize
30KB
MD524d190e6f80c7a09dd0ea52db8dc3495
SHA102997fc50123612e7100aeca728153b62de8ca52
SHA256f3cfc3eecf03e256dd6df7d95fae127a4e2c86f3dce58545ae16c422fa8f562b
SHA5120b5f2c59c3e740c70308174757015f25412f64643abd6fc7965dbc4cc1fd8540a06550b983b62d70dc77cbfdcffc4475143436eef76a07ecb23485bbab054f03
-
Filesize
28KB
MD5d6ef74d45d1dd95d9c3c07abc6ec2b85
SHA18a161184979d02361688f4214a415ee909c58401
SHA256f595794586d38fd55bee18c9dbd21c87d33dfc0d03dfe87ade8b0bef5e97252e
SHA5123f74f4c47757b3a0c6969dc1e9ccccc6c03161014184232430cadac4c85a8fb0748d6f894e99b169d4fcc8190d5cd20ff03157e0d155c3c6e40d4a212e981cdb
-
Filesize
30KB
MD50be6761d833c240b79c092afa2f4d4a0
SHA13f13b2fb19489bba686cd681b00d6178a2ce9923
SHA256248bb8fba661f7b7d4045331d1e4ad808ffe8f446f732c14d2f3a6857f0ebd4e
SHA5121ec9596ce5ada65ba5739ed11c7554133217d9352913e109012f07d810883080d613e057ea75df6c4cd6a4150e669e55c5100b07026073e9bab68af44974e56c
-
Filesize
28KB
MD54ce45acdc229b38aac0b4849c1f18d94
SHA1d43eec8a4f689be874541a0c0e6859d3acd78a95
SHA256cb37f5288928cf0a89f7711366b70c943f7e6ade43e73b8bfee5e1660cc54032
SHA51243a0c7eaf20b3827d8a33b1fb696cf9d3eb596b975b24175cbbd28090fcfb090d6bedd59d2d63514c9ff334d1bb0ceaeb77b61c632f9bb8666346abc1b384945
-
Filesize
29KB
MD55ad48f292a34d8a600f3ee5b02664536
SHA1bdd7bb9e1b730cd63de7e8a50f9c3d76963db4a5
SHA256faf2d0d88df753be0de3fa0218b78c3582947ead0be012c0af30f863cb3dda2d
SHA512527c425b5ec64554154bd226bc6488fd4c1af47db67020d865cd1f52400e55c01797a0fd38422278bfc2d481a293902b1cd51a4e5882e3cc6b4ebc223384c38f
-
Filesize
28KB
MD500661e0428373734fa46030533215a12
SHA15af1f8606a60dbc8126431d568acc0ab9e48e164
SHA2564e2b724f581f3eeb2a3bb7c561d635741f515bc01be84c9d6ae245e5c7ddd37b
SHA5127c7b30ff996d29efacb5877edc6840cf88a7148c7f9f42bae1fc2f142169867fa2a66863a5b01a0096b01ad18d9eb9fe6eeb2653879cc8f7519634bb3c49a133
-
Filesize
29KB
MD5846b9b5f9f5ce6d8e1e18b053ccc96e3
SHA1be17600fb7f1f305158eb735206e1c2a6eddb410
SHA25610e40940f8dc323c6e1fea3f625de0cf2efaceb266b64e81cfa66a2eb51d1f0d
SHA512148a48489b2787051074ded3a0f38f03b0b034a8b2b1b991ec833848fdcb307e3c6570d829439dc2205455115aaf166f845866cf7d89a07e011aa8d822e9bcdd
-
Filesize
29KB
MD5cdff9cdd17e3950f3d274e1be976b2d4
SHA141590b06ca7e74db8d286e5952f32f5be47d7abf
SHA2567cf8997e700cbb81931bc9becf7d0887db7477d97c9f88718c0c2d7849310048
SHA512e0386fd5e0dbdd4e65fb04a554dc0e3d5ef4f862c685614abbf66e8a14cfaa3d2243e77c3d6d14d56aaf1ae38465aa0762a5c3d32a0ed81605b1c7b3274562e7
-
Filesize
27KB
MD565fb1c07237d63bc38d11a2416c34ba8
SHA18eabd2b245511809e00b78b06b1985152dd2578f
SHA25657b01bc5a7b4e8c656b08c89213278f81ce264cc399999e76733ddd90c580f26
SHA512e66cba2a1951706186ab1b13b85679d0aef21dbe56bd3c15e0f2e76ba25df15dce0826ea050b40c8e1c05cdbe257f629fe018096bf488c6845b0a9f5cf565e8d
-
Filesize
28KB
MD51c49739edd71f83f2adbb770616bfb41
SHA183b0ee79f63f6ec24360197e20cbac24ae02b688
SHA2560ace9ef559a167d3f36266c036306473a5cc2161ad12294217e2d2061c5a4e0f
SHA512f3316a96e84a5bcbcb176387540bfc0397855dcf049975d0b1dff44d6bf75a0dcefd34d4e914cd760772ff295d979dd7959b64e0eaaf0e10f7e6039b23b7478e
-
Filesize
30KB
MD5b73574b5bdfa3126045dcf4b489df505
SHA17cd73a13d1f0af197637b14977427f9df761e29f
SHA2562fb9bcb4826b747701d41ed53f1dc7d4c0e2f0b2c8d0b1b7a6dbf43fa5349197
SHA51213e6dc225cfcb2292d72a161270d6ecb0a0c1b6b48ee1708e49ac64000e512f7f6a3984bfb680add36a34d44bdd7ba619da873eca4aa63f53215074f420f576e
-
Filesize
25KB
MD587c3c118e280e39eabb8d545617592e7
SHA1b952980c0436df129e10571fbc79ae6dd78aa5a1
SHA256f14b2b780c72815e2e398816867b6dee5afcec9eb5e72efe733b6926f08c9d14
SHA51237469d8fc4cb037f057ea96fe49edbb02515df2584018b04dd7665c6544c1fc140430cf5be70fa99e6392227f92e7383291570c32f79b271f0f771a8dfe93b53
-
Filesize
24KB
MD50a4f6041656b7441e2aa9184163f4b44
SHA13f4f700e5b9b82a661681d37a4c321fcf98e1bf7
SHA25653e4719733ae1819d642815bc27e576dae5cfba1e592714e2c9976bc2f1246b6
SHA512f63d1873f4b364d7eadb26bf0a2fca2146e7c4e4ec17350f1adfba82b76cf127c5f1983bcd12895713ec3299624b6f0fe9c09ac4b58add475e4b633938ade235
-
Filesize
29KB
MD5ac87df6bb94463336a09c2cbdd17b23d
SHA171b45a3e00d593aa0569a4316d9f48dd7ae6540d
SHA256f97d24c55a1563767cb606ab7644ce10c871989a8fe86786e27d17dbede4de7f
SHA512391d352fe0d997db1462e00e19da52c48ae79225afcfb083ff1e10a9f005090b1de0b3e1f5129c8a2cde1d2264dd4a91398d8d1c121c24e7d847eb824028a38f
-
Filesize
28KB
MD51349c9ae143856ff8af98d8969f97964
SHA1b0774042bee34fa2d1fe2bb65ca21a71b6a5e630
SHA256d8ed80b5de016554f15b67c68dbcf495807697f56c3bd2ddd3c587719b870c9b
SHA512912e36fd2e23d4508a89392e713ebe6e8fdbd99576afa1a12a743cfeb3e1cefbbe024d973550015f9dea8bda9309d353871f3ed32d7a51b1e44ac46449b72180
-
Filesize
27KB
MD5e133ef71c5724664908ef2cd7af775b4
SHA1a30990a3384c62b04259c10d7019ee41fe517c7c
SHA2560425f6ec9cfc4f79a43a2963903922526fcd877225da01f88009c7380a0678b8
SHA51286e7188d9faad6635439c9518b5d038b5f60bec3de16b18ae9c1a6574bbeb76b8ba677bfd77b24329a4b6df00c4571a7a932d9afd025d43747007b73fbb419bf
-
Filesize
29KB
MD5055a4f614d8056ae16ff91959a0f3570
SHA148cbb61f7f6bdf5399cb9aa0f512b78a57ba1e18
SHA256458ede85c40745a5f79201bbc8b0785549e2c13be8ec726d32e4ff2e052db27a
SHA5122e2991582c5d0776880063052d483feae79d7d97a45580465e134c517b080fe7761410de8401722dbfaa3211aa7ac1cbb030d5002e544fd196735bad3706767a
-
Filesize
23KB
MD5b2d7a95280580a921ece1f65593e79d0
SHA1b611e29593788ab46b3d86f472d08e90a2a3ca88
SHA2562f4221684404a9a0dca802102ef5e1bc263d5ea4435265384cc85d55188dfd3e
SHA512bb6cdbf4f8ea20bf39bd24801d0a8710c714b9d7070776178810325213f8c797978437f9e647510a8ff613ae8245871bdf7daff7e48372eb395604022442aa1d
-
Filesize
28KB
MD5cad04507b6038d757a28aee789d16fda
SHA10bffa7678d129a235becac22662fa807b7b6319e
SHA25672c3acca20e4fc82d12635756977a353f5698249ae87e401012d243cb348746c
SHA5124567b19fb854f3866b627ed13aa6c122b5ee9d0d06379b09f38f3a15f15e81e26ac7f3ef572fb4340313e47c1285ebddf8438c6b19da527f72c3b051d5f954d2
-
Filesize
30KB
MD5ff47bde993d34dd79c66acb70db09009
SHA16a8817b7cab9d2335059c0130f1b95e35431591e
SHA256db43e3263a24600cea81ae634c8f42a41d22a52479c873b28bc260b0400e7220
SHA5123ec1bf2363534f399093780503a4c77b4d878d208ef55613c2e41687eb6dac26c75e541b4f93115de5a06432cb3aef3715d3f282cd06a7d41983db3a1ad28a4c
-
Filesize
27KB
MD5cc680df66d6678d2eb8cfbdee2e44a61
SHA129c5286be2304147f1b9e9ebb0ed1cf7e41ff791
SHA25630ba2826611d043a59314f335e6af343d6bcb738ca6ebf0307268a20cbc03d46
SHA512fca9dcd7deaf2d5870f70df0be8fec8d8df395b71b931819f848c9bbd922a85b8d55eaba4c00106c364f5fc85fd10254659df29be8d87b0296eeb830719effe8
-
Filesize
27KB
MD5ad30a4fe50163bfdb3796ed7bd5fa376
SHA13d307f23e8be36575806a12de3eff54fce9240e3
SHA256cef18c955461bf41a2f0dffbdd4680f5a4d760fd587aa595caadbf6e5ecc173a
SHA5128f318e17fcc89d3a637253bb253851fc65bee1baa2fe4ecb8b93966f05f5a207ad1fd8f9a5899a0b276d0efb61cfc5c3dcaad917d4012d343ffc31a8c315788a
-
Filesize
28KB
MD5d6ecc88f4c614c2968a18f2dbbea3a77
SHA11c466ec539c7af23607d2b8d4ee2bff0936836ae
SHA2562b042ca049760e903fb9918079d20bd17bd724e6c2a0212528d236aa18f5a4a9
SHA512edd1ee4b6a46f7de2378399c20f4740b17a9fb07ee307409dd1bb49397afb3ede4480b744b337b197fd3f96c8e0088d322f64ea0b9b8db92690589fbb520aa2f
-
Filesize
28KB
MD5ea85038966f2d1590cf0eec9a1121f66
SHA15588cbcff8cf45068ed22918792b43d3a84ae13f
SHA256706b7ec4c6703952c75b405f06e09c1a8dcf1ec82cb46f2b7a322a911fa4815c
SHA51273dc7b24b55106b95d5c9a79bf012a93304bed5d6f905e1fba001bb05988fce33a73bfc402bb28b381fc59143c770e6a19c3fbfa5ac0dff5c9ed0f25a7a33eb3
-
Filesize
29KB
MD5e3f432ed48166aa5eee026e78670af10
SHA16763f5f8c924557aee5c7dd7e43ba4c7025e85a5
SHA2568612e8bf3935d24cad3435b569c37d87d2c0a38d067183c7db41a2f13d18e74c
SHA512b351b3425fc488c970a2128b59a1d9526b390eaa4cc2c449227bde63a3d281d06d5d4d559f1562203d4139e24d499fd41761575422dd5ebb2749db80e38296fb
-
Filesize
30KB
MD56a8f4cd03794b550fc7dd37fafc74ecc
SHA1903099d40fa1031292c4266131567b5e29b583a5
SHA25677d9b5ef256a2685bfa2cf06eb7cdb9ae2297d2129fd8e03a00d9c88573b98d7
SHA51283ad9ddba650e5c2af938d4b6c5fda82244cd7066ef7f0108e2508fce715c122f8d6d82a1c6a45c145a1e628a32c2fa93936e26a902c26431aa3970e39feb8b4
-
Filesize
28KB
MD523e847dd772151b1acef939f486132cc
SHA16ab55a40c883de391f63cd423d34e8fb66a0e3db
SHA256e9f5d5690a62e780269b981229185978b04c210a6248e1acccccd3162b59a4ce
SHA5124a2541aab913e95a13d1e07177803eaebfbd4eaa9e309d1b58ad36a8a2c091f6262f776b50190f8c9b75a9670abb5f403f4b14cfd469579121e3f673723772a4
-
Filesize
280B
MD5e0f6fc0f5b8d3d5ecc6a00fb8c33557f
SHA1085fb41f74446d0a5c2d779b3ce6b23894e13b3b
SHA25649f44b28923b5b7fd5e686ee08b6756a498c6a6955f4d7ff16636259389241f4
SHA5121b92e37491e3b93433098db01a89bdca56f33e5dd89c464fdde22458fa9d3a99051322b28b8f6047737d62ce9f76b387c5d53b8ce0f4e7c1901a63dd56bf141d
-
Filesize
100KB
MD55b1dc737330393a0e744002bc7649641
SHA16b8b39e101cad1e08414c796dd62aecb26c357e2
SHA2560c628d180fc5b235f25175f46598986b8e478990ab9f3aa543215dd390e8a318
SHA512229d4b66cb5a6137007bc4c548bf458a135ce275768f177848a43c3a6a80bda118fb95d3be0c3f89a53faac5063ca3fc3de53a9b1e56cce483672ffbd8f98556
-
Filesize
1.5MB
MD5c06e9135c420469715d4310bfb3c1b33
SHA108b7b18662f19a5193ef92cdcdba63eefb7d80a7
SHA25634efce66f80ccdf56ec4697d323922ca751c783099b9e0d1a38eec054776182f
SHA51256260285eb6c19698daf7cc7b74e8b4d4b11a5f892c7d22c62ccb51353947d81192790957916a52dc4eb579f27cb38ed67c5b4fabd449850c8949581f07e847e
-
C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView\218c657c-0f0c-4ff1-bd7b-e7986845fb98.tmp
Filesize3KB
MD51871c2c6bc19c1fe9ad3c4a62248e5f7
SHA11d0f403f13ed3f02125d5833a4f756ecb7305c0e
SHA256505669d0d5ab6eeccf68cff248895f8c4d322e2f65aae8947644bdce3bd5613e
SHA512b8ebec35a0f96b3ade85ba9370aac776eacb08a22645684e7c71ae71f317ac0582b2d16b85950f0f5e7931d285be9a3440bde4e181e4d622565f12955939b9c3
-
Filesize
280B
MD5ef593af12e689442bed1937b3c3c8cee
SHA1c86b1320399d48434057a7960b607e6c0337a964
SHA256283c519a24a57bdc80c53d30fb17c50cc0a8fa6ed8d3c658213e202bbf3c32cd
SHA51248a9ee35facd58dc3c4d70d2ee968496f6df19ae436b542fd8486134ee467502c9f6ae8e2ee727c6ff0b63aefbe5f57a4e9277e5d90c0bc5b1f6b69243fddf5c
-
Filesize
280B
MD546f19f8affebb60ea133d057f4d510e8
SHA1b9767606d6d61b43847ec059b89aec57773277f8
SHA2560ce049d8915bf71bb37e1d1e1999d08dc9674761ab89316d1f7f1f617c50e2e6
SHA5123b6faea0c2b271631dd700090fe7aa9f1bf24fd844baed88018288a20522a469ebee556567afa2cb98b84d5d367d9b6e0fb73afc190aa745180e9fa47b4f8a09
-
C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize48B
MD54739f70681338a436d403b6312f1dc8d
SHA1de5a580267618062afbf8ee5a3c74fb292377884
SHA25642757bd1be1bf8f8a1d74dfc2fb7c9477a4fe4f2b864e6314f0954446624fd2b
SHA512b1b77b35ae7354b8d0e2e77c4e7d18f462134f80896d359c9ab27faee6ce7a327f529c02ba20d38602618f5b0dd9faac7763f0a71a8bca96f886021d68c7070a
-
C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView\Default\Code Cache\js\index-dir\the-real-index
Filesize96B
MD56fa3ae7b48f33bdd75a5d1c1ec08e489
SHA1f7b46d14d3041dd82c4e0f242a900f6407170f62
SHA2567d91b281c949b1b91b4c0db47ed3fe768606c8d61a3c7a656d1313e9ea3cbf6c
SHA512068464830b99f62d1950b7091f0c56b8f101565cdc14441da9ad42130ae398d48342db37dfebf00e6e818ffbc100aa8cd5d157de1cd9a6ee5bf7ef8c4dd3b55e
-
C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView\Default\Network\SCT Auditing Pending Reports
Filesize2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView\Default\Sync Data\LevelDB\000001.dbtmp
Filesize16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView\Default\Sync Data\LevelDB\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
264KB
MD5d0d388f3865d0523e451d6ba0be34cc4
SHA18571c6a52aacc2747c048e3419e5657b74612995
SHA256902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
1KB
MD5a8c4427c6e90735ea64f68b9b1d37940
SHA15c5a99977e373fc064d81023030546a98f4114fd
SHA2566ca3365ff84d35a627aea979433817f830df10716d9914fb4ae8addd0f841788
SHA5122f50f5e235b412feaa3fa8018d596556bd7570cb699886556400c9bc109d1c1bc46b8c597798a2941e966a078fdaf820b6a6bacf1dd83e075bd2163ef632dcb0
-
Filesize
2KB
MD5a5f73b6efb5a4a3ba69f4353c6176867
SHA1e8fb243d8a06db8695ba8c616a18a5f5863bf1a4
SHA25600b485f59c4649384fe8b27d10f107c42fc7c20c61fa20b48ab89aefa414b576
SHA5128d03ba3808256009da6b9f480e602fbab1e326860355dbf8087859fdd7d1828fc281f0ef33a825a0f6b4478be8206575f658ba4ec320c160fb98dc5680f8422c
-
Filesize
3KB
MD5ff5723d6ab318ae843a9fe3452606341
SHA1e8fd6e6871d473b9b44a6cd93ff573a48077cb7f
SHA256ecd2fcedf58b3cde19c7de96e7134f07374253d440acd1f8015c6884a0617532
SHA512585b798b8d5b2355fb07574b2a0305f4642e71f60b96fbb99b4c4acd6fa74e7cc44fb4ec20448004d61ff3ed31d6859373a7c14e44264d55c2e18696ada5a08a
-
Filesize
3KB
MD5bfcbca3c9c934459aa8994f6324f3b50
SHA1403f28d087fc52735675d8a77a583597d497fce6
SHA256e2d8e10a49331b2c478f18063e1296234b3d61a1c9a337b8ea9ce1e6c8459396
SHA512f6abf6798c45bcd5a37e4733119b4fd7d77150a1fbe3235fda8f8bdf855b5ee76105742624e91ee149836ac1d8aef4719523604e35e77fbedc5e56a66f075319
-
Filesize
1KB
MD5a6b08da6a42e22a236fcecaa3a5a4a2e
SHA1273cd4853046d32474cdd2732ed7fc68bcdc51ca
SHA2561960355a24282667456b8122e113a3d569c2eabf2d1147a1e72843942c249cef
SHA512dcf021106b06e4b7f07647ddf63c1a3494834434436ea306d6d0bbe39b51651203606f1133287e3af36075355eeb7f96e972267916ece17f7d8e05bc8f6f38e8
-
C:\Users\Admin\AppData\Roaming\NightLight\NightLight Desktop\EBWebView\a8e653eb-9d1d-42d5-a49d-2e4555010818.tmp
Filesize3KB
MD588daa269dc01087d14fea341fa2eb60f
SHA1baee6004da963837e539ab4db38ab0ce3c7e5cb0
SHA256a85aae19a84088e55cd5296fd9fa86bbcdd5d3e9d3c9c6b3cd3924cf11bbb574
SHA512883aada293c5b759fc59614aa7ea1d973d0ead54d074f719fa3317413641b7051859b7c0370d99b29efcc52cc4dc64eae9fd030d56558bd7f207c8098b2a63b4