Analysis
max time kernel: 240s
max time network: 241s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 18:04
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://drive.google.com/drive/folders/1E1R8VpaGyEy9fn8HJJ4f5Jb3_inx2RUY
Resource: win10v2004-20240611-en

General
Target: https://drive.google.com/drive/folders/1E1R8VpaGyEy9fn8HJJ4f5Jb3_inx2RUY
Malware Config

Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: wscript.exe
description | ioc | process
- Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | wscript.exe
Executes dropped EXE (7 IoCs)
Processes: BCC Installation (Adobe).tmp, vcredist_x64.exe, VC_redist.x64.exe, _setup64.tmp, bfx-license-tool.exe
pid | process
- 3136 | BCC Installation (Adobe).tmp
- 3988 | vcredist_x64.exe
- 2448 | vcredist_x64.exe
- 2568 | VC_redist.x64.exe
- 3644 | VC_redist.x64.exe
- 4612 | _setup64.tmp
- 4852 | bfx-license-tool.exe
Loads dropped DLL (38 IoCs)
Processes: BCC Installation (Adobe).tmp, vcredist_x64.exe, VC_redist.x64.exe, bfx-license-tool.exe
pid | process
- 3136 | BCC Installation (Adobe).tmp
- 2448 | vcredist_x64.exe
- 3644 | VC_redist.x64.exe
- 4852 | bfx-license-tool.exe (the remaining 35 of the 38 entries, one per DLL load, all by this PID)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: vcredist_x64.exe
description | ioc | process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{050d4fc8-5d48-4b8f-8972-47c82c46020f} = "\"C:\\ProgramData\\Package Cache\\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\\vcredist_x64.exe\" /burn.runonce" | vcredist_x64.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
- File opened (read-only) | \??\A: | msiexec.exe (×2)
- File opened (read-only) | \??\B: | msiexec.exe (×2)
- File opened (read-only) | \??\E: | msiexec.exe (×2)
- File opened (read-only) | \??\G: | msiexec.exe (×2)
- File opened (read-only) | \??\H: | msiexec.exe (×2)
- File opened (read-only) | \??\I: | msiexec.exe (×2)
- File opened (read-only) | \??\J: | msiexec.exe (×2)
- File opened (read-only) | \??\K: | msiexec.exe (×2)
- File opened (read-only) | \??\L: | msiexec.exe (×2)
- File opened (read-only) | \??\M: | msiexec.exe (×2)
- File opened (read-only) | \??\N: | msiexec.exe (×2)
- File opened (read-only) | \??\O: | msiexec.exe (×2)
- File opened (read-only) | \??\P: | msiexec.exe (×2)
- File opened (read-only) | \??\Q: | msiexec.exe (×2)
- File opened (read-only) | \??\R: | msiexec.exe (×2)
- File opened (read-only) | \??\S: | msiexec.exe (×2)
- File opened (read-only) | \??\T: | msiexec.exe (×2)
- File opened (read-only) | \??\U: | msiexec.exe (×2)
- File opened (read-only) | \??\V: | msiexec.exe (×2)
- File opened (read-only) | \??\W: | msiexec.exe (×2)
- File opened (read-only) | \??\X: | msiexec.exe (×2)
- File opened (read-only) | \??\Y: | msiexec.exe (×2)
- File opened (read-only) | \??\Z: | msiexec.exe (×2)
(23 drive letters, each opened twice: 46 IoCs in total.)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: bfx-license-tool.exe
description | ioc | process
- File opened for modification | \??\PhysicalDrive0 | bfx-license-tool.exe
Drops file in Program Files directory (64 IoCs)
Processes: BCC Installation (Adobe).tmp
description | ioc | process
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls.2\Universal\is-CJQSE.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls.2\Universal\is-126A8.tmp | BCC Installation (Adobe).tmp
- File opened for modification | C:\Program Files\BorisFX\ContinuumAE\12\utilities\bfx-tools-pylib\qt4_plugins\codecs\qjpcodecs4.dll | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\utilities\bfx-tools-pylib\qt4_plugins\codecs\is-5U7SA.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\is-4FIID.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-FTLIT.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\Images\is-7231K.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\translations\is-6MKG5.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\plugins64\Continuum Plug-ins\is-9H2PS.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-HMDJ3.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\Images\is-F8PVN.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls.2\is-HHL4G.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls.2\Material\is-ES9KQ.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls.2\Universal\is-20H10.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\plugins64\Continuum Plug-ins\is-N4CCF.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Shaders64\ImageProcess\Linear Ripple\is-PLN0M.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Shaders64\Utility\is-R6S5I.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls\Private\is-N48F2.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls.2\Universal\is-C170N.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-AIIDD.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-HPD0H.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\Images\is-BS3TD.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-JSKJP.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-4RLF1.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Shaders64\ImageProcess\Blur\is-K0830.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls\Private\is-B05HI.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls.2\Material\is-7O16L.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\Images\is-KBJEK.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\plugins64\Continuum Plug-ins\is-18Q7H.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\utilities\bfx-tools-pylib\is-QJG1L.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Geometry\is-UEC8D.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-0E9EE.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-G2D9T.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\Images\is-ANINL.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\Images\is-GTM88.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\Images\is-9JCC3.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Shaders64\Utility\is-JF69L.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Dialogs\images\is-IHA36.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Shaders64\Images\is-AMIF4.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Shaders64\Images\is-C7IAF.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Dialogs\is-75DL5.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\plugins64\Continuum Plug-ins\is-G6I9U.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-VAPVE.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Shaders64\Utility\Composite\is-T1RPM.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Shaders64\Images\is-N5FHP.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Shaders64\Utility\is-FQHKU.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQml\RemoteObjects\is-7CBJM.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\plugins64\Continuum Plug-ins\is-IULDV.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-8K5VN.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-86530.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-COQMQ.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-6FRBO.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls.2\Universal\is-AAILI.tmp | BCC Installation (Adobe).tmp
- File opened for modification | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls.2\Material\qtquickcontrols2materialstyleplugin.dll | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\Images\is-LBO4D.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Particles\is-7RMS0.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Resources\3DOImages\is-GLEPB.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Shaders64\ImageProcess\Scan Lines\is-U4TEB.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\Shaders64\Images\is-MBVPH.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls\Private\is-549OM.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls\Styles\Desktop\is-UU8FK.tmp | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Controls.2\Material\is-L2UTC.tmp | BCC Installation (Adobe).tmp
- File opened for modification | C:\Program Files\BorisFX\ContinuumAE\12\lib\ParticleIllusion\QtQuick\Dialogs\Private\dialogsprivateplugin.dll | BCC Installation (Adobe).tmp
- File created | C:\Program Files\BorisFX\ContinuumAE\12\utilities\bfx-tools-pylib\qt4_plugins\imageformats\is-8PU2J.tmp | BCC Installation (Adobe).tmp
Drops file in Windows directory (14 IoCs)
Processes: msiexec.exe
description | ioc | process
- File created | C:\Windows\Installer\e5a4ebd.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI4FF6.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\70916FFBD2AA62A36866899D656AA2CB\10.0.0 | msiexec.exe
- File created | C:\Windows\Installer\$PatchCache$\Managed\70916FFBD2AA62A36866899D656AA2CB\10.0.0\F_CENTRAL_msvcp100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC | msiexec.exe
- File created | C:\Windows\Installer\e5a4ebf.msi | msiexec.exe
- File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
- File created | C:\Windows\Installer\SourceHash{BFF61907-AA2D-3A26-8666-98D956A62ABC} | msiexec.exe
- File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\70916FFBD2AA62A36866899D656AA2CB | msiexec.exe
- File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\70916FFBD2AA62A36866899D656AA2CB\10.0.0\F_CENTRAL_msvcp100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC | msiexec.exe
- File created | C:\Windows\Installer\$PatchCache$\Managed\70916FFBD2AA62A36866899D656AA2CB\10.0.0\F_CENTRAL_msvcr100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC | msiexec.exe
- File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\70916FFBD2AA62A36866899D656AA2CB\10.0.0\F_CENTRAL_msvcr100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC | msiexec.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
- File opened for modification | C:\Windows\Installer\ | msiexec.exe
- File opened for modification | C:\Windows\Installer\e5a4ebd.msi | msiexec.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
description | ioc | process
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
- Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c49f428bb6d5aae20000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c49f428b0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c49f428b000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc49f428b000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c49f428b00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
- Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
description | ioc | process
- Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS (3 IoCs)
Processes: msiexec.exe
description | ioc | process
- Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E | msiexec.exe
- Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | msiexec.exe
Modifies registry class (31 IoCs)
Processes: msiexec.exe, vcredist_x64.exe, msedge.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\AuthorizedLUAApp = "0" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\SourceList\Media | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\SourceList\Media\1 = ";" | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\DisplayName = "Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501" | vcredist_x64.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\70916FFBD2AA62A36866899D656AA2CB | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\ProductName = "Visual C++ 10.0 CRT (x64)" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\Version = "167772160" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\Assignment = "1" | msiexec.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{050d4fc8-5d48-4b8f-8972-47c82c46020f} | vcredist_x64.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\Dependents\{050d4fc8-5d48-4b8f-8972-47c82c46020f} | vcredist_x64.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\Dependents | vcredist_x64.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v12 | vcredist_x64.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\70916FFBD2AA62A36866899D656AA2CB\Feature1.BFF61907-AA2D-3A26-8666-98D956A62ABC | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\SourceList | msiexec.exe
- Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\Clients = 3a0000000000 | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\is-OE8GA.tmp\\" | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\PackageCode = "70916FFBD2AA62A36866899D656AA2CB" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\InstanceType = "0" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\DeploymentFlags = "3" | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\SourceList\PackageName = "Microsoft_VC100_CRT_x64.msi" | msiexec.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\SourceList\Net | msiexec.exe
- Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v12 | vcredist_x64.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v12\Dependents\{050d4fc8-5d48-4b8f-8972-47c82c46020f} | vcredist_x64.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\ = "{050d4fc8-5d48-4b8f-8972-47c82c46020f}" | vcredist_x64.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\is-OE8GA.tmp\\" | msiexec.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\Version = "12.0.30501.0" | vcredist_x64.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\Language = "0" | msiexec.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\70916FFBD2AA62A36866899D656AA2CB\AdvertiseFlags = "388" | msiexec.exe
- Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | msedge.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v12\Dependents\{050d4fc8-5d48-4b8f-8972-47c82c46020f} | vcredist_x64.exe
Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
description | flow | ioc
- HTTP User-Agent header | 134 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: msedge.exe, identity_helper.exe, BCC Installation (Adobe).tmp, msiexec.exe
pid | process
- 1788 | msedge.exe (×2)
- 1708 | msedge.exe (×2)
- 400 | identity_helper.exe (×2)
- 3776 | msedge.exe (×2)
- 3872 | msedge.exe (×4)
- 3136 | BCC Installation (Adobe).tmp (×2)
- 2844 | msiexec.exe (×2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
Processes: msedge.exe
pid | process
- 1708 | msedge.exe (×8)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: vssvc.exe, srtasks.exe, msiexec.exe, msiexec.exe
description | pid | process
- Token: SeBackupPrivilege | 460 | vssvc.exe
- Token: SeRestorePrivilege | 460 | vssvc.exe
- Token: SeAuditPrivilege | 460 | vssvc.exe
- Token: SeBackupPrivilege | 2916 | srtasks.exe
- Token: SeRestorePrivilege | 2916 | srtasks.exe
- Token: SeSecurityPrivilege | 2916 | srtasks.exe
- Token: SeTakeOwnershipPrivilege | 2916 | srtasks.exe
- Token: SeBackupPrivilege | 2916 | srtasks.exe
- Token: SeRestorePrivilege | 2916 | srtasks.exe
- Token: SeSecurityPrivilege | 2916 | srtasks.exe
- Token: SeTakeOwnershipPrivilege | 2916 | srtasks.exe
- Token: SeShutdownPrivilege | 3876 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 3876 | msiexec.exe
- Token: SeSecurityPrivilege | 2844 | msiexec.exe
- Token: SeCreateTokenPrivilege | 3876 | msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege | 3876 | msiexec.exe
- Token: SeLockMemoryPrivilege | 3876 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 3876 | msiexec.exe
- Token: SeMachineAccountPrivilege | 3876 | msiexec.exe
- Token: SeTcbPrivilege | 3876 | msiexec.exe
- Token: SeSecurityPrivilege | 3876 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 3876 | msiexec.exe
- Token: SeLoadDriverPrivilege | 3876 | msiexec.exe
- Token: SeSystemProfilePrivilege | 3876 | msiexec.exe
- Token: SeSystemtimePrivilege | 3876 | msiexec.exe
- Token: SeProfSingleProcessPrivilege | 3876 | msiexec.exe
- Token: SeIncBasePriorityPrivilege | 3876 | msiexec.exe
- Token: SeCreatePagefilePrivilege | 3876 | msiexec.exe
- Token: SeCreatePermanentPrivilege | 3876 | msiexec.exe
- Token: SeBackupPrivilege | 3876 | msiexec.exe
- Token: SeRestorePrivilege | 3876 | msiexec.exe
- Token: SeShutdownPrivilege | 3876 | msiexec.exe
- Token: SeDebugPrivilege | 3876 | msiexec.exe
- Token: SeAuditPrivilege | 3876 | msiexec.exe
- Token: SeSystemEnvironmentPrivilege | 3876 | msiexec.exe
- Token: SeChangeNotifyPrivilege | 3876 | msiexec.exe
- Token: SeRemoteShutdownPrivilege | 3876 | msiexec.exe
- Token: SeUndockPrivilege | 3876 | msiexec.exe
- Token: SeSyncAgentPrivilege | 3876 | msiexec.exe
- Token: SeEnableDelegationPrivilege | 3876 | msiexec.exe
- Token: SeManageVolumePrivilege | 3876 | msiexec.exe
- Token: SeImpersonatePrivilege | 3876 | msiexec.exe
- Token: SeCreateGlobalPrivilege | 3876 | msiexec.exe
- Token: SeRestorePrivilege | 2844 | msiexec.exe (×11, alternating with the SeTakeOwnershipPrivilege entries below)
- Token: SeTakeOwnershipPrivilege | 2844 | msiexec.exe (×10)
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: msedge.exe
pid | process
- 1708 | msedge.exe (×64)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes: msedge.exe
pid | process
- 1708 | msedge.exe (×24)
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: bfx-license-tool.exe
pid | process
- 4852 | bfx-license-tool.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: msedge.exe
description | pid | process | target process
- PID 1708 wrote to memory of 3020 | 1708 | msedge.exe | msedge.exe (×2)
- PID 1708 wrote to memory of 2856 | 1708 | msedge.exe | msedge.exe (×40)
- PID 1708 wrote to memory of 1788 | 1708 | msedge.exe | msedge.exe (×2)
- PID 1708 wrote to memory of 3412 | 1708 | msedge.exe | msedge.exe (×20)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
[depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1E1R8VpaGyEy9fn8HJJ4f5Jb3_inx2RUY
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1708
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdabb846f8,0x7ffdabb84708,0x7ffdabb84718
    PID: 3020
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
    PID: 2856
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 1788
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
    PID: 3412
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    PID: 912
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
    PID: 548
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
    PID: 3968
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 400
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
    PID: 1684
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
    PID: 3432
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
    PID: 1736
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
    PID: 4660
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3068 /prefetch:1
    PID: 4576
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5496 /prefetch:8
    PID: 2724
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
    PID: 3764
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 3776
  [depth 2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2268,10704518167493225783,8338147839434700720,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4880 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID: 3872
-
[depth 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4080
-
[depth 1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4532
-
[depth 1] C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3052
-
[depth 1] C:\Users\Admin\Downloads\BCC\BCC\Adobe\BCC Installation (Adobe).exe
  Command line: "C:\Users\Admin\Downloads\BCC\BCC\Adobe\BCC Installation (Adobe).exe"
  PID: 3432
  [depth 2] C:\Users\Admin\AppData\Local\Temp\is-S32E2.tmp\BCC Installation (Adobe).tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-S32E2.tmp\BCC Installation (Adobe).tmp" /SL5="$40406,223120698,486912,C:\Users\Admin\Downloads\BCC\BCC\Adobe\BCC Installation (Adobe).exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 3136
    [depth 3] C:\Users\Admin\AppData\Local\Temp\is-OE8GA.tmp\vcredist_x64.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-OE8GA.tmp\vcredist_x64" /q
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies registry class
      PID: 3988
      [depth 4] C:\Users\Admin\AppData\Local\Temp\is-OE8GA.tmp\vcredist_x64.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-OE8GA.tmp\vcredist_x64.exe" /q -burn.unelevated BurnPipe.{133C98EF-11FA-4209-852C-4C3716A9B6C4} {070118DD-481A-4163-9B59-36FF9D3E4540} 3988
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 2448
    [depth 3] C:\Users\Admin\AppData\Local\Temp\is-OE8GA.tmp\VC_redist.x64.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-OE8GA.tmp\VC_redist.x64" /q
      - Executes dropped EXE
      PID: 2568
      [depth 4] C:\Users\Admin\AppData\Local\Temp\is-OE8GA.tmp\VC_redist.x64.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-OE8GA.tmp\VC_redist.x64.exe" /q -burn.unelevated BurnPipe.{9023769F-8534-4CEB-BFAA-33300491F81D} {990A60B3-D824-44CD-A62C-A64863DBB6D0} 2568
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 3644
    [depth 3] C:\Users\Admin\AppData\Local\Temp\is-OE8GA.tmp\_isetup\_setup64.tmp
      Command line: helper 105 0x4A8
      - Executes dropped EXE
      PID: 4612
    [depth 3] C:\Windows\system32\msiexec.exe
      Command line: "msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\is-OE8GA.tmp\Microsoft_VC100_CRT_x64.msi"
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      PID: 3876
    [depth 3] C:\Windows\system32\wscript.exe
      Command line: "wscript.exe" "C:\Program Files\BorisFX\ContinuumAE\12\run-python.vbs" lictool-during-installer "C:\Program Files\BorisFX\ContinuumAE\12\utilities\bfx-license-tool\bfx-license-tool.exe" --installer --api ae --license-file C:\ProgramData\GenArts\rlm\floating-client.lic
      - Checks computer location settings
      PID: 4320
      [depth 4] C:\Program Files\BorisFX\ContinuumAE\12\utilities\bfx-license-tool\bfx-license-tool.exe
        Command line: "C:\Program Files\BorisFX\ContinuumAE\12\utilities\bfx-license-tool\bfx-license-tool.exe" --installer --api ae --license-file C:\ProgramData\GenArts\rlm\floating-client.lic
        - Executes dropped EXE
        - Loads dropped DLL
        - Writes to the Master Boot Record (MBR)
        - Suspicious use of SetWindowsHookEx
        PID: 4852
-
[depth 1] C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 460
-
[depth 1] C:\Windows\system32\srtasks.exe
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - Suspicious use of AdjustPrivilegeToken
  PID: 2916
-
[depth 1] C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2844
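The one finding in this tree that is not ordinary installer activity is the "Writes to the Master Boot Record (MBR)" signature on bfx-license-tool.exe (PID 4852), which is what produces the Pre-OS Boot / Bootkit tag below. The check an analyst wants after such a verdict is to capture sector 0 of the boot disk before and after running the installer in a throwaway VM and diff the two captures, rather than trusting the label alone. The Python below is an added example, not part of the report or of the vendor's tooling: it parses a raw 512-byte MBR (boot code, disk signature, the four partition entries and the 0x55AA signature), hashes the boot-code region and reports which parts changed between two captures. `read_mbr` opens `\\.\PhysicalDrive0`, which assumes Windows and an elevated prompt; the sample sector used for offline testing is constructed and is not from the analysed machine.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
BOOT_CODE_LEN = 440          # bytes 0..439: boot code
DISK_SIG_OFFSET = 440        # 4-byte NT disk signature
PARTITION_TABLE_OFFSET = 446 # four 16-byte entries
# one entry: status, CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped),
# LBA of first sector, sector count
PARTITION_ENTRY = struct.Struct("<B3xB3xII")


def parse_mbr(sector):
    """Parse one 512-byte MBR into its security-relevant parts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = PARTITION_ENTRY.unpack_from(
            sector, PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY.size
        )
        if ptype:  # type 0 marks an unused slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def diff_mbr(before, after):
    """Name the regions that differ between two MBR captures (empty list = unchanged)."""
    a, b = parse_mbr(before), parse_mbr(after)
    changed = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        changed.append("boot_code")
    if a["disk_signature"] != b["disk_signature"]:
        changed.append("disk_signature")
    if a["partitions"] != b["partitions"]:
        changed.append("partitions")
    if a["valid_signature"] != b["valid_signature"]:
        changed.append("boot_signature")
    return changed


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 of a physical disk. Assumes Windows and an elevated prompt."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr():
    """Constructed MBR for offline testing: NOP boot code, one bootable NTFS-typed partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x3c\x90"                # short jump, as real boot code starts
    sector[3:BOOT_CODE_LEN] = b"\x90" * (BOOT_CODE_LEN - 3)
    struct.pack_into("<I", sector, DISK_SIG_OFFSET, 0xDEADBEEF)
    PARTITION_ENTRY.pack_into(sector, PARTITION_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    baseline = build_sample_mbr()
    print(parse_mbr(baseline))
    tampered = bytearray(baseline)
    tampered[0x40] ^= 0xFF                         # simulate a patched boot-code byte
    print("changed:", diff_mbr(baseline, bytes(tampered)))
```

In practice, call `read_mbr()` in the clean VM, save the bytes, run the installer, call it again and pass both captures to `diff_mbr`; a result of `["boot_code"]` with an unchanged partition table is the bootkit pattern, whereas an empty list means the signature fired on something that left sector 0 intact. A tool that only reads the disk (licence tools commonly read `\\.\PhysicalDrive0` for hardware fingerprinting) should produce the empty list.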
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Pre-OS Boot: Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize
8KB
MD5af3de5fd32f10698fc3284ffee6855b9
SHA11e345024da438c65b88ec06c02db4d201dc50e10
SHA256a31fee4c16f6d9b47c8ea784ba27a27ca524a25a70633263e2f4469fa2dfc379
SHA512742bd33bc80a75151e102bb01aadf09aa65a6ca149c4358624b98534d222e33e2ed227b5fd7c3ece0aa773dce0f190f3da80729c8554c930b985c950434124d9
-
Filesize
40KB
MD531969c50b20cfba63736427521402bb6
SHA145a3e5ed64e782bb8fcd32ac1d71e67ae5b79d40
SHA2566774fdffdddcb1f2e3813ec4cfcd841c02ce8095056b94e999db31b6f822329b
SHA512e0726429445a869d0a0329da9e486a3d64556843d1d4091548ac411f95ffd370959468f7cd2016bc091b17857c3774602114add09260cf7546e48b7fa0393880
-
Filesize
46KB
MD5a82743660ec87cfb117bbc1322492148
SHA1756ef1fc63b510cdff516c6cb47e54a9700eb384
SHA2566801265b0d59ac6afb5364929522155081f19bb4a65504b77782044d4c4dfeb1
SHA51200dc48830fce37d78ac0f5f40f7d3f19b134e95203d7fb59898d3ee6b8a7f0116e15c558e1be16bed7dfe3c6c52bb9fd852ec39cd073108efec59903ee1894d7
-
Filesize
8KB
MD52fecced6c93c2e0e7547f73468a83bb4
SHA1be76d70a59e50ebda9d4753cd836114ce06f1809
SHA256e84e27786d9e3e9c443a489034d96091af0470d86c8e9c5c9c7a8b9a33fe3e0a
SHA5124fa7f49a332868ba9bebefaf23dbbd50277ae6c6e05a8098f04ef7b0cd78735ba1ce3a44c442936a9c08dd8bc92a7428819b0e43a3eb02829d5e0686fcee0e3a
-
Filesize
11KB
MD514cd31a44548fffa5f35a7f17c9da7ee
SHA199c6a84f59fc5f1b4821b0d336fd0f5ded3f7188
SHA2566cbe86a030900981c5e93b278345ea2f19d99ff42ba685b21667a33808dcf892
SHA51247a97dbe117eef5d7e7dea4f7ff2413b1317e142cffee4be65dcd1b53d064a52cb78105d41d19aae623d86b6bb0482b54843eeecb50cee4def6599e55b5de789
-
Filesize
8KB
MD59795300ac2349850550117f70d7b6a14
SHA1e03c3d70831f06a47942c908deadffd898242b11
SHA256aa1e8b748122feddfa8020e235f7872f935ebd049bbff076a0d4a2d8823568a9
SHA5124c284396e7c4d2ef8176c79d44fabd4bd439740db34b6f25665d83283609551ff362efef8172bd1c7c25bb94891667189b438ebeaa2b4e11d2674df90a3e4307
-
Filesize
7KB
MD57fd0304744707ba02f3f0a5db46adc79
SHA15f6951ce70dbb88d9dfc3eca54e4d209942ea607
SHA2563e96b24d493aa225d84967da1c51560464230ef3e4e26f8d7079fbb20b7291a5
SHA51233495a9e84a56be72a486b7f590c74c2ddffdea2d2b6f42a997be275b76bc47412ec23a3bc519d6adf910da0c13aff67b49eed382a4f35ff0b96f874fcb25e08
-
Filesize
192KB
MD538d22ffa9717f071466ad0b902b747ef
SHA13cefc2c23316fd26d920e26d887281a3bea0f971
SHA256fd025128a032eb2b8a88cfa355c570f354c14e655d1be311870a5aae7649c065
SHA5127a6cd443ab803740523498e47701ea100f70ec304e68f40ca8fde95a9333dc4aba71229f4b4b19949a1df16fde5dfed5d035383d2b595734b3a1a3bef4ab8681
-
Filesize
2KB
MD5910c9d8024fb5a1d9e6fca58f0bf1d50
SHA1a450ccf41f045b7d23f2c27ecdbbefc3f2e61eb2
SHA256e03cb00088cc488a4b0f29e82fad5addab1bbf06cf1e675be896b3f004902631
SHA5121ef310bf3973b436395f41dec86e8a5f8dd918cd09a1b005d6d7b709557b76ac7e4561509adb24a779974ce66552b56f12609a43e59bf8fbdd283d1b2e7945b5
-
Filesize
7.3MB
MD5f55413721120e171f9cef09aa46ae057
SHA16baf02bb05133a6c49b5e8823e71ccb6e93480c7
SHA256b333b86ba6dc939b007ac5398065a640b2c8d35d39784d76fe9456cf6f6c755e
SHA51291ee101dfdb59f6566a3a2a16efd4c4d87e1a35d48be4439beb3211db6aaa51c00fe7eaea14c19ff808ffcb5f7d39f7e62adf51debb3a550e7957a7bc54d9ab9
-
Filesize
2.1MB
MD5ff72bea11907507c63b1b9f87808aca1
SHA1828321caac693b9e81836abfdd937eba43d4caf1
SHA256ec95e6e404c4e157f04a238456021acb0d553c2f767f70c00c0d1e29e04c6f4c
SHA5121d69b03f1f207f68b9824b6ed4a331bb2addb0730876f64816898dc665e2ada12237d4837e81b1326a5c418cc41c61b341f40366aa7f1b5e66dbf634a0f80925
-
Filesize
7.5MB
MD5e644735ea585194e391c02a92f43910d
SHA1106c6a4c5fc6deb5faeca78e818ab8179d7476f4
SHA25607a1026cfbd47c23557ee24c806a40d0c5755811aca917522252ba596a1e5b81
SHA5126ed3ab623015a1bd31d5f3563e639af2efcc656a853068ec960f4471e2842afbea5c4b006d5a59cfc54905c41c15970b4792198b58d39c1d45e33513ce8a239f
-
Filesize
3.1MB
MD5e550570374d4063bdc26b272019d3743
SHA148340c93c39ce444f5b2cf554c57c5150daaa332
SHA256d6254f1861ef703518c5fbb754f41d2cf8d81280efaa454f4fc65aa4e90734db
SHA5122da6d11dab1f6d98f903fe481be49407af23cf96a283f0622de64f8cc234923292920a60d5c24721d50fe952318d8420caf1fc0ae4c4b37d6cbf2fc1a84ae188
-
Filesize
10.2MB
MD5ff2a1d8da46e2cd48a1b207320113a83
SHA1176dc789b8b1c6c1af7556f7b262d207a885450f
SHA256bc95f8a2a18e320f9749ae1e40f0ec8c157353a861bc3b9d4a0483d8dfeb3cf5
SHA51214dce3962786f6d49a75f343878ca1f825d2d99a33bd52ca3dbca2067096fc9d43fcda076905c8281d140745b44acc8052ec1ebcf9718a6167e72406cce44f2a
-
Filesize
110KB
MD5252a115a2a497034b1c7f800f299d2c1
SHA1258432b68517e5d99ba97a091cd6d8a6abea1543
SHA256749fd1ba716b2c4781a072a6883c0566f72e1b402a60ef69bf394eb1d016feb9
SHA5124c40087d343068076dff765623b16ec24739672e6b00092b304df0eb6f21243fd2efd51371b41f611d8f7a7700ce38787ab91cf2ebf5e72077b791da43e405c2
-
Filesize
1.5MB
MD51837e43744c95b9a644ae19db8fcc561
SHA1c7050735dfaca4c645ffc4ac7bda6550be970b29
SHA25631f966f905064f7adabcac7b9e78c2203f673597fe87e6732c7bef69683cf816
SHA5126382bfb373f176d4cae6b2d7b801cf3ae494ca41ab60870fc465fda742ee9f505e88a427d6407d6032ff079e290ce6b49d5584199da28dae9bf7618fecec604a
-
Filesize
1.6MB
MD57aacbc268212b92e15e563cf610f7d33
SHA1ff6099a87a59488e388e74916a53d4cac108384c
SHA25617412d7cd7df0f9641092c52743e9b714125dc19d807d4fd2ce016f7776c2441
SHA51265037f6ea45296c900f6783bc86b7723785d4ba7e657e9e3a790e8cb6bc225426f4d90fa1bd27c42c90ddce331873c5f4ea21b8c9a49e2a00f5ade74f383994e
-
Filesize
46KB
MD5bf3bf556cec633f69320305ecdfc6d99
SHA1fc0865c95216a46af85e5d7867f599189556dfe0
SHA256e1e56d941661a0e44b5c68d1a0e13363d0c4708d1963a6226d044b2d0f34b26d
SHA512efb9465eb31cda5824370dbfacbb1f8f59c0c3702cc2db01748c5f7e978f18242be6e415e63aeacd9e38b605de5018a6b5875a5d72eee3d16a18cb741bbffa56
-
Filesize
2.1MB
MD597645b861fcd32b6bd824d78411e9127
SHA17af69f3b79a19b7a9d3728e988d4017d112e6562
SHA256c4846d109b3474fec7c55d8ca07e1ab2da2743044a157dc864403234be5b320f
SHA51208915111867df1331e7df55f514d921073e96bd70800fe4fbd6121f50c59de245ba8fa69d8a2b9af6ad6f9fd43aadfdf26678b0e674287a0dc2541752501e444
-
Filesize
214KB
MD57e03bedd28ebb7d5c462140fe077753e
SHA107215624d1fd333762eb08d2a64ccb61b417eff7
SHA25631a5d4dbad61e665436c8a58db94a4380d7d9f3afe0e3c46f404bbc18f337fd5
SHA512e8190e7d18e463c226b5b56f1865b8b61cec38158e09e4dd7010ed79fca50beed7bdb2ddee9ed20e9b183ec72aacccee3dca33f1b78ce48a26548c34cf1e8b7a
-
Filesize
2.9MB
MD59cd15ac3e4f33a555b69bf69e65d8222
SHA1a5cde772fc0cb153fc9249457817d853459d17f1
SHA25682424f2a886a6c673c0a3fe52e77d5bd08944ad665aef081c18470ccbbd91e13
SHA512ffaa6ef30fbc549cc3a04b55e2abc8c3d987dc99686781cbb046f86fb445d548ad4f6e7aee183247233857474618cc31e4e8fa418c5796ae6505ea6829c5b32d
-
Filesize
10KB
MD5841c25e3c7954d1b5f0695a33105d791
SHA1938ecbd5d1111b5af42df193322e674bc9977cf8
SHA2565fb0b51878e256da34ebf3b0e08601a9ff7f33fd2e1758cc571585f4611c75bf
SHA51207c381f542f06c978a299b29f7765b8ff47c940dadd4699b675783e42029cb3f3f47f1a6507480291e900ff87f8abc0b06f4c4a23b4a93b3b8d62e3e33e170fd
-
Filesize
98KB
MD5baa4eaaa4d20490ef32dbf42641fa350
SHA146a35f11fa97856a0c77e1145e49ab551b5f2845
SHA256bc6d0fd77772a45707119dbfcdea834e849ef300b745c855962192ced4c7cab2
SHA51245599bdf0d254c337744652d9947509d8ffd27e7bce300ea29b0ce79b930e6f44b36640ee6c26f75238b1567683d6d6a2f86872104e07c7d14df0217e0bdac9e
-
Filesize
7KB
MD5f6ba0ea597e1c1a4df5b19baf1cfad47
SHA1d2a4d7c889c3508ab220d87d51941f7e627d53c9
SHA2564363c5c032db4f47239c8eca6b95037cbcc907ef0aceaeb58142089ababbd26c
SHA51222fd2e90f8d7bf928fd384a99f312ce1a347bf6011d7f966865bcd730f52bb4263c4c076e6ce51449c3de1994a3797dbe7349e1ca81ccd3ad2cae2dc1d6b37c9
-
Filesize
7KB
MD5b5786fb6754969ed2d2b03a5f895abdb
SHA12fcb6f4b0aaf9347a120bc34330f7150017291f7
SHA256370b8a1152ef5b1623d0f13a1144343a2fa51902510cc633e59323db55c562bc
SHA5121444ce15a4547acc508c8057e05edf964d001858a320c2299dde28390e8f0460b7c7bc62c0e16648fbfaebd10d32b503ae8aa961ee4d6f7b7c8b53dd4b4c9832
-
Filesize
7KB
MD5879f41abae01abce490f3dc8b6aab6ad
SHA14f220615392bbd732f7bd7ed96b6bf479ecf3120
SHA2567d253781e2141c4b795af0cecdd6b8d2dc73493624893af2b9340a9508236012
SHA51269fcfa8cf765fce4a74f57cd46820054ded6db0d3b6547e887fa8ac2d26523c09d64d72f01c78fae3f0d88152d8dc85a09b5dc6e4d134009f663e5847ede6a3a
-
Filesize
17KB
MD54a6aa6c857dbb4894254ce677bc9eb22
SHA11a5dd6a3ad023a4db8d214f3be48a253de6cdd6b
SHA256171fee9250c1372573b2191f2b7531c042458848d3b7647f11b7dad50026e417
SHA512f1c03717491fbdeaf33beb949a63be495c5531ee27f3d7334654f33e06af7d1c92d8657dbfe75e900fb0e1cea4f367acdad7cf3b1ee5d5cf5755121c72d0154c
-
Filesize
18KB
MD5cccec49201c6b3ada6ec2d4827a10024
SHA19172a53d72dcfd8f83d8e338ef86f5d4e771ccfa
SHA2564378af03a37da8a3415a0395207aa644c20cf85346aa7153e766a00148d0d709
SHA5124b1e4834d26273d03d0b976019b409d9865265c79b8e1590daf1c0ba2c598089659fb811e9d0d4321c7052d0534befbeef5cec8391dc02a7a667b7b5d67110e7
-
Filesize
166B
MD5faf1ba86c74383840a8cf0e5a49b7048
SHA16caa6561e7b91d2e80be890c114dc815a7bd7873
SHA256f512a8e6cd631ab2caf6faabdefaef3a51bbfc86e5ee29f887008aff4993785d
SHA512cc3c9d950748a20b18828eabe63b63573cfd184338b014f5c731581212cb50f93fd9f27f5bbe4d8fd755ea537a45eb69ec3517fe73dd2abd485c278d03a97540
-
Filesize
152B
MD5477462b6ad8eaaf8d38f5e3a4daf17b0
SHA186174e670c44767c08a39cc2a53c09c318326201
SHA256e6bbd4933b9baa1df4bb633319174de07db176ec215e71c8568d27c5c577184d
SHA512a0acc2ef7fd0fcf413572eeb94d1e38aa6a682195cc03d6eaaaa0bc9e5f4b2c0033da0b835f4617aebc52069d0a10b52fc31ed53c2fe7943a480b55b7481dd4e
-
Filesize
152B
MD5b704c9ca0493bd4548ac9c69dc4a4f27
SHA1a3e5e54e630dabe55ca18a798d9f5681e0620ba7
SHA2562ebd5229b9dc642afba36a27c7ac12d90196b1c50985c37e94f4c17474e15411
SHA51269c8116fb542b344a8c55e2658078bd3e0d3564b1e4c889b072dbc99d2b070dacbc4394dedbc22a4968a8cf9448e71f69ec71ded018c1bacc0e195b3b3072d32
-
Filesize
27KB
MD597f07e182259f3e5f7cf67865bb1d8f0
SHA178c49303cb2a9121087a45770389ca1da03cbcdf
SHA256c3a70f23a2cf331852a818d3f2a0cf7f048753c9b47aa4e7f0fee234c46b226c
SHA51210056ad3a71ee806a8d8aff04d513a079568bf11799016f76f27c4255be2141a4c2d99c1f46bbfde9c99ba0f8b44e780a92b59f514d3cc1c248ead915c31b5dd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1KB
MD593efb4269c5810012aa9b50d5aba161b
SHA1273570c16f03cf4baecc83047471ac2e9440cc80
SHA2563c7e440b78b075a9dbfaf43363bd477ead48cc32be1b6c88bfc097c4b7582a8f
SHA512c6548681d8a277c482ba31b1ad6ac9d2c8678793d7367af5372cf5afecf8677d50ef3171d34b3cbff067ba78de008a5641aa1c73da059415a42ac2b143522013
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize1008B
MD53cb209909cecc199c9e3c234941349c2
SHA1e91bebd655e95864420cac4830de50d7f3f149ab
SHA256656e68a7bd207f739335ab801a446331b9781b7b80ee694eda5afe6156e6ed5f
SHA5128765c38b77208d0009dfc439f0aff6069716d5bfbe4ad70f00c3b96ca78fc05b1607b9b3839860665ac449e63c61f279f6e522c9ff487a6ac52acbea590369ac
-
Filesize
4KB
MD520c0905a3d874c622a819856c01d5309
SHA1c79cb1f9b2fb6b3e30d49205ec6950d45d0a8389
SHA2565c6337d14b964e1bff6316b3c8d0f3783f1ebb3c052c5960b0cb6874cc75aa70
SHA5121af078be795cab93bf6871379e11e3551bfdee47b4dedfc478b0dde3527f2d95559100e145b1556430bf260309a78e8060e5ef8d6c3fccde274ab2f66742b195
-
Filesize
4KB
MD5f906d17789baebd91deb83b4d9ac2537
SHA1e1da87a1f2904d169629575548dea2beac4bea5c
SHA25620fb2fdf72c8610a05dd99c1399df77624b91c00c84636159f491ea22f6ce944
SHA512e6df0f7379b3916319cc112cd7bc1627626bffbec77c8b28d2dfba87e4bb52f57876b66e2d220d735af750ad75346404dd68a342c62838f7cf898ae9faef96b7
-
Filesize
4KB
MD500eac128431c79e846944c1bb9e24c09
SHA126c471107bfc7b297575e5a4fbb7395fae2c807e
SHA256b701eda7d063c07d7cb394ec4b4b8a8ef11b65ed2cfd1c8f83cbe6992121253e
SHA5125e6d388de4da130858e1d24db8db71d70c5672690670d7fb4587363ebfc7084908a32664791bcea4c3c3930f6281b883189c66f2cc1a2b36151dff1cf439bd9b
-
Filesize
6KB
MD541824afe601a975c3c1f94cefa5e88fb
SHA15cd3a0982b93a375fd6e2228e3803064051c61d0
SHA256e95d249fdb69f0619495f13d3239d374c8c5bdf92ca844d473d36e5483f62d96
SHA512823fd2b958b7393dd770e245ba7a31aff3d0ad0cef8dcc735755bdf4fc6c2ca909e21f79a3ca741c804de7cd3236e992f5ce6b911675d0d6ac1a49a3e88f7ec0
-
Filesize
6KB
MD5b80eab1a0cbd17e954fa01ccac8a0fbf
SHA1f74127fa33a6534774065fc9a64d77dda38aa040
SHA2568c85bb0002e6a29c5ce5a028e97e9d29f786ceac9a55e49145b3255b2954e39c
SHA512e407ea9f16768a284c51f6423d44b1814c5d2979b91a54cc90993dfb253302a7ff10b6f059718698260cdb09ffe97651ac677cf53c4f21997f51f6495945b177
-
Filesize
6KB
MD5c8386ce97cb5d5e8a4cc5958d5084f27
SHA18148d4486e20494afefe39339f4111d675712f45
SHA256bf29849ff4b654384f732c6a642b12a3126afffb164301e73e35dae61bad920d
SHA512feb216915b64c62947d0d9c29f4572303d6093f2bb6464acd0d8f2d4e46f5bf6e7d69d200d1f69c95dbb0b6d79fca46cc230a138b3ca22690d8ebadf37908f17
-
Filesize
1KB
MD59bd8aeb79efa27636ca34ab44e890f3f
SHA1402256960db153a2e0045d05b1ab5edb579a533d
SHA256fbe1d4e26f01c2cb25090904ab2c32cb100c85377c0ecc2df1911271de79c50e
SHA51291b915d1faf0cabbce750915812ed271713a9339729f96755459b1d8620f058b6236293bf59a268dd808e2e3a410836dfc8b4857f0dd50481d6ec615f4fd488a
-
Filesize
1KB
MD5b487dc569162f661326998353db65ef2
SHA1d1ba7aa0a8f08e34a80602c5d5437cc3a669f1e5
SHA256b57eb783306b0fe0bfdfe46da7f2a5f4308fbe3b45ba5867325e2798b2c2ed26
SHA512e0135e648e5847af884484c7f431c2f285881a28a3636f6f723e207ebc395c0094c0f3cbe90aa0700b6f11e7a61ffdb73f76c715afe9c2aa91850c716cdaa49c
-
Filesize
1KB
MD579d6f53e5db26085731d89b5c0fef12b
SHA1d75a2681895bb7ed68558f29b224d630c0b351b3
SHA256f245e1c8a95016eb9ee991ff737304cfb0704d2ede643729ea239acf5369859c
SHA51275083ecefe761d7361d116ee2d680abf408b7ba4ae50f208483cd42bfbe171b63f4356312fe74ffa260112996d034b6b64d092447833187d1114ac7e1c36ff26
-
Filesize
1KB
MD57421bf3397276517d8af41cba4b14f87
SHA128fadd09099a6e8a57e0193bed0d203bc8112e32
SHA256d2aaecc8047f30f499839f53ab09fccdc1c4a015a31e76a4b432ae8994998d0d
SHA51238ccef191b7951b8b6e0242c68916117c5011f76f4b23e396aa85654e31186fa610631c900437d78cf5353ca32e8e6cd36dd4d79d8be9df12705ea2cd2facb08
-
Filesize
1KB
MD5efa44fd23d33446e46922c1bf19d479c
SHA1a7f0ba03016690ea993bb0e4712c4ca401a50875
SHA256ce0fcb544feb87ee46b198ed7d6b4bc32e48ce34d70ce17a9407c16c19c56142
SHA512c9dfd71fe874518b32db9f234bf684c55052bebd0a150ded1e880adad5a7587e32423c97517b41f02fff33a0dc0ed8e02580dce5bacfd93c15c23442ba78e361
-
Filesize
1KB
MD5bae00ce2f962d853c58954e29158d327
SHA1a99da3b4186f9e3197631f1892b2b879d302d8ca
SHA256a963a81dc2e67ce2d573dc48246312990ef640d0275ba7ed40e6f299f88f4f1a
SHA512c5aeabf233ab300662e15b1b526a87a3acbe1f513d397c5a3225f5392658c84fae56ee50e204b5cd96c332f28e5f4d5fdf8f3e2319fa9838a72c4576ed50add5
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
12KB
MD5edc30bcd05072f13704af535760ee0eb
SHA1fcd06daa768c0675651178ad00e41ddcf8b65ad8
SHA2563c7f63fc7774eaa157fafcde8490a924a78a86832beb0bc2b2d7aa0140c25ba1
SHA512647c5b5e001cbb09b285cdf9caef8ef0173629e0a8ffb3614f8529975c4eb842ec4d2b8d06b56902ed9b9714274a9030e61ecf36f4e59d354785a8d77ffe0703
-
Filesize
11KB
MD5b9b744082b3808a47b54da3f8b1a6e16
SHA1b66d92fb997063957abea12b6d558ce4042bca90
SHA2563c84dc680d72156da61fd808c5cf8c4c8d81ccaca8afc55141d7d3391c936151
SHA5129600267024275af695423897a7a0188d37fcef1b850d653029822473c3937d19eee6f34d77dc7ed2d720630b067de2b14cc4016623a7194eaff8b4a07c296d80
-
Filesize
2.6MB
MD56e3c68894abab6d0518ec3d8779e1a42
SHA1d67f9e21086a07963c1c9f1ed4b674a3bc1b3e6b
SHA25649ac3a0e8da299945f01f3f280836419942fb84a5871ad3497714b5d70de5bf8
SHA5121f57c6d70746d137daf1d7da9370262817e498c47f90ae75d8bb5ef80d1ceb726a08bf9e93186fdaaa3d10f437cce891fd090b586e4eb51f444e700fcd02043c
-
Filesize
218KB
MD525f2fbfd91894d5d407352ada357fabe
SHA1780017eb1f1fea8fc4e373f283a545288977cf52
SHA256389b315b670b1396f5873359d3041fb267a9a9b9bb53bee876a572353f3e8f1b
SHA5124fb8cbfe9f17daa7af09b9015c13fb727b2a50b7cf13515625c4606f5c6e57902fcce78f477dbeff2e63e42ea4503327bcd5240a6afd07359a13b679b511464d
-
Filesize
574KB
MD57d0b9da8747e74057433721924f168f4
SHA102289a1bf1416a7f78a921767d103484c3d3635d
SHA25664d26ba1dfb663032d7c3855cf7e39599298d5324a511340c96195563e4727a0
SHA5122526d417e52c43615956f8dcc6f83cb3c2b410fd45f73f6ecb8d5b8125f3502a2a75a28c97f36011ee7beb91aab356ae55d861dcee7ddfaf492507f91a487461
-
Filesize
14.6MB
MD57c3e0bfd83d985c9651e8150fca3e84d
SHA16699383b22f2ad050245866a176c2ede6e348443
SHA25652dcfaf0c7cf62c333e12457339a581ac369e06576f93ded45ac002a1b3621fb
SHA51218f0d19a2f2e69dad7f2efd42b7463c82d07a39e64d1d5e95c6796780c221328ceef3936e8dcc5a9340d3d5b84c50039333a28de66be50ee94f154f94d185c3d
-
Filesize
6KB
MD5e4211d6d009757c078a9fac7ff4f03d4
SHA1019cd56ba687d39d12d4b13991c9a42ea6ba03da
SHA256388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
SHA51217257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e
-
Filesize
6.9MB
MD596b61b8e069832e6b809f24ea74567ba
SHA18bf41ba9eef02d30635a10433817dbb6886da5a2
SHA256e554425243e3e8ca1cd5fe550db41e6fa58a007c74fad400274b128452f38fb8
SHA5123a55dce14bbd455808bd939a5008b67c9c7111cab61b1339528308022e587726954f8c55a597c6974dc543964bdb6532fe433556fbeeaf9f8cb4d95f2bbffc12
-
Filesize
1.5MB
MD5dac995a98ccd2d6fadf66a50dbe30413
SHA16af28b7ba68ae237ad4d7c9046c596f9c4bd4c2f
SHA2569cb8ab6ebd29cf444a2df1d4acc5393d830851dcd30f80ccbde9da9c4792ef30
SHA51208b5885a37f3b424c51cf62232db3ffeb176f680152f01d77606c0e7861243f6ff1083bf3f86cf33854c13f46e8eb51e2916d0b407d7207c865b94db3acf1319
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
117KB
MD5a52e5220efb60813b31a82d101a97dcb
SHA156e16e4df0944cb07e73a01301886644f062d79b
SHA256e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf
SHA512d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e
-
Filesize
450KB
MD5e16e6d68ce1949c9721656390f47ce07
SHA19009cca5dc05e22f4cf0d8529a473f19b363103b
SHA25618e6d3d96fcd39ba069c0e6ebc108881ec5bb07e29a24b0177688ce391dac526
SHA51263a179e4db0cb7954ddc9aee9e3c7aecae9e160154243b248b94647eb8defafb7041ee291f6f880dc3ca7f298dd548e4b3cf0b650e9a7e34f34d2d2f0dd36127
-
Filesize
177KB
MD5f1a281f74d3e91d16dd26d1f313cd8a9
SHA1ddb2ca9032c5a9c091eac53b679f6ba428077b00
SHA256f79108a254f876e0f6bbcb05a9effbe25dc252e7ea256bfe3fd28ceb79737f25
SHA512484c5ca26275427e1fb74d3217a22a0e4aac409aba973e78d7ad68834e7ad1d86c7855d34b227925200f941d288dfc09477b2d7dfe0856810c6c847297b8d625
-
Filesize
126KB
MD5a973cfa4951d519e032f42dc98a198b0
SHA12ba0f1e1570bc2d84f9824d58e77b9192ea5dd94
SHA25625ee85c14c9be619b4f0bf783963ace1dc0af0e802014728c2a2ca8da213d31d
SHA512b4a8c4f08a51bdd9ce7708fe8e2477182a52f1d853954eb5af0430c2df99839b6076a7d93b00391a73d446a6ad9da3ed77ef79c8b23353d32c72fc540415b8ef
-
Filesize
0B (the four digests below are those of empty input)
MD5d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e