Analysis
max time kernel: 275s
max time network: 269s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10/07/2024, 22:17
Behavioral task: behavioral1
Sample: genericloader.exe
Resource: win10v2004-20240709-en
General
Target: genericloader.exe
Size: 4.0MB
MD5: 434d9673864e5418fa2e6e0e1fe1b58f
SHA1: f3f389e163fad7c590a099b25ba24fbc857c22bd
SHA256: 6fa68d4e9d00bfde3613fe4dc8d6e58fb86cf7bfb647ddeb3cbf1a09fb8cdce6
SHA512: 1b23c3b0b996da5878c075ee57f1f5c09ecbead95ae4d2fab83771bf607dfe4b644eedda1e2e327d513339d8b4970aa8fbb3549f6d54babf97574f8c21e3d947
SSDEEP: 98304:ZpNWeyWJvwujsD4tG84DPGrkNeQ1y1Ovw6Dmp0MmYd7:ZpNWeyWJvHmx84DakNjyovw6DnMmo
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 2 IoCs]
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | genericloader.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | genericloader.exe
Downloads MZ/PE file
Checks BIOS information in registry [2 TTPs, 4 IoCs]
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | genericloader.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | genericloader.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | genericloader.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | genericloader.exe
Checks computer location settings [2 TTPs, 1 IoC]
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation | windowsdesktop-runtime-6.0.25-win-x86.exe
Executes dropped EXE [3 IoCs]
pid | Process
4748 | windowsdesktop-runtime-6.0.25-win-x86.exe
3880 | windowsdesktop-runtime-6.0.25-win-x86.exe
1668 | windowsdesktop-runtime-6.0.25-win-x86.exe
Loads dropped DLL [64 IoCs]
resource | yara_rule
behavioral1/memory/4716-0-0x0000000000400000-0x0000000000EEF000-memory.dmp | themida
behavioral1/memory/4716-10-0x0000000000400000-0x0000000000EEF000-memory.dmp | themida
behavioral1/memory/4716-9-0x0000000000400000-0x0000000000EEF000-memory.dmp | themida
behavioral1/memory/4716-12-0x0000000000400000-0x0000000000EEF000-memory.dmp | themida
behavioral1/memory/2784-1147-0x0000000000400000-0x0000000000EEF000-memory.dmp | themida
behavioral1/memory/2784-1146-0x0000000000400000-0x0000000000EEF000-memory.dmp | themida
behavioral1/memory/2784-1175-0x0000000000400000-0x0000000000EEF000-memory.dmp | themida
Adds Run key to start application [2 TTPs, 1 IoC]
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{2deb241e-99d9-4489-ae8d-4778d470fedd} = "\"C:\\ProgramData\\Package Cache\\{2deb241e-99d9-4489-ae8d-4778d470fedd}\\windowsdesktop-runtime-6.0.25-win-x86.exe\" /burn.runonce" | windowsdesktop-runtime-6.0.25-win-x86.exe
Checks installed software on the system [1 TTP]
Looks up Uninstall key entries in the registry to enumerate software on the system.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | genericloader.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | genericloader.exe
Enumerates connected drives [3 TTPs, 23 IoCs]
Attempts to read the root path of hard drives other than the default C: drive.
Suspicious use of NtSetInformationThreadHideFromDebugger [2 IoCs]
pid | Process
4716 | genericloader.exe
2784 | genericloader.exe
Drops file in Program Files directory [64 IoCs]
Drops file in Windows directory [27 IoCs]
Enumerates physical storage devices [1 TTP]
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry [2 TTPs, 3 IoCs]
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS [9 IoCs]
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 | msiexec.exe
Modifies registry class [64 IoCs]
NTFS ADS [1 IoC]
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 619704.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses [31 IoCs]
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary [14 IoCs]
Suspicious use of AdjustPrivilegeToken [64 IoCs]
Suspicious use of FindShellTrayWindow 63 IoCs
Suspicious use of SendNotifyMessage 24 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
2784  genericloader.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\genericloader.exe
  "C:\Users\Admin\AppData\Local\Temp\genericloader.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID: 4716
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4872
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8290e46f8,0x7ff8290e4708,0x7ff8290e4718
      PID: 4244
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
      PID: 4020
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 4548
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
      PID: 3996
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
      PID: 1272
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
      PID: 4192
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
      PID: 4636
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
      PID: 4972
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
      PID: 3732
    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 4724
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
      PID: 2548
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
      PID: 5044
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4024 /prefetch:8
      PID: 464
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4760 /prefetch:8
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      PID: 1820
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
      PID: 396
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
      PID: 4036
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
      PID: 4384
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
      PID: 180
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
      PID: 1168
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
      PID: 4476
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
      PID: 2152
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
      PID: 3976
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5096 /prefetch:8
      PID: 1756
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6072 /prefetch:8
      PID: 2860
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 1448
    C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.25-win-x86.exe
      "C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.25-win-x86.exe"
      - Executes dropped EXE
      PID: 4748
        C:\Windows\Temp\{31633966-F3EA-4963-8DD3-DB5409CE274E}\.cr\windowsdesktop-runtime-6.0.25-win-x86.exe
          "C:\Windows\Temp\{31633966-F3EA-4963-8DD3-DB5409CE274E}\.cr\windowsdesktop-runtime-6.0.25-win-x86.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.25-win-x86.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576
          - Checks computer location settings
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of FindShellTrayWindow
          PID: 3880
            C:\Windows\Temp\{14B7352B-541D-4F03-B366-A361A707FAF2}\.be\windowsdesktop-runtime-6.0.25-win-x86.exe
              "C:\Windows\Temp\{14B7352B-541D-4F03-B366-A361A707FAF2}\.be\windowsdesktop-runtime-6.0.25-win-x86.exe" -q -burn.elevated BurnPipe.{26AFD958-278E-4EBA-82C6-FDDEAE706BCD} {2CF32111-659E-41B4-A378-BBE123FF7372} 3880
              - Executes dropped EXE
              - Adds Run key to start application
              - Modifies registry class
              - Suspicious use of AdjustPrivilegeToken
              PID: 1668
    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,397563935530614200,6034244689671184813,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
      PID: 4876
-
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 380
-
C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2216
-
C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4400
    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding CDC606DDF5167A2FBB6DBB9F16AD832F
      - Loads dropped DLL
      PID: 3944
    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0E34DBCB02433160A2F9A1525AA3411D
      - Loads dropped DLL
      PID: 4756
    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 64D2D7BE9E36514EB6917D852A997BD5
      - Loads dropped DLL
      PID: 1824
    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 222560D37F597C6A292811703A266001
      - Loads dropped DLL
      PID: 5056
-
C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4176
-
C:\Users\Admin\AppData\Local\Temp\genericloader.exe
  "C:\Users\Admin\AppData\Local\Temp\genericloader.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 2784
-
C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
  PID: 3620
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
57KB
MD55a6c857ab12b5643e5fb846008323711
SHA1f8343baace7c1a67befcbed5e042668a9ebb9340
SHA256a7347bf60285de4d4c1ef1ad0f4e3c99af5c3f8082f1658b65372ab7d345a5e4
SHA51268a27de862538c0243da99642bb909487137d01cf340ae41418cf898f8c7d2c69d9597a9af5dcc750e479e7c9e773178e3ec4dbc5006e732827bbae78e618aa2
-
Filesize
8KB
MD56552522db3fb5ae4cf65c3e2763e390e
SHA1a67048fe4d274b85b2774ca7f10335b73ce31265
SHA2565770ee911304eab190dcb33b6e9cb07b7aa0ce1b0d5d627158d504102d3d1ee9
SHA5122c7e250f6d1bd69e4b663f32da1f8c74261d7b7043da5c7986fb2e1f49a25ebb5bd0769a76822e4dfb2e3df3d4fef03bda946e494b44c4970425c8d6142aeaa8
-
Filesize
9KB
MD507539de3db5328cdc6332cac83b72f30
SHA1df973f235ad14d08957625ed657dac78c6bab1f9
SHA2567665b13cd42f65da76261a212b5ce473f84a085f8b80fb2bb01b0e83760c14e7
SHA512df87f7b03d618a7c32887c8dabab570e3a1911bff92d53d876de580b9eb426186f4f42fdc8146e12ecb68805144a262ccc8ea94925c5e1d6b6bd6e131e50f470
-
Filesize
90KB
MD5450eb6182178da4b156c4a08c249ec80
SHA199c15672ceea2d381cdcf1233f733596f8511ed1
SHA2560417cb4949282619b0a22c2841e98cc5dcea7c39652cc792af4c4024d3fd6a77
SHA51262f93c0d99bb7324b9d6e9e4efe679492e45c3ac3b5ea6038714e4de20c920b0f71a3d7401e003377cf6eecb33f9aab838fbdfa0564ad318f9d14e792c11cf8e
-
Filesize
9KB
MD531c5a77b3c57c8c2e82b9541b00bcd5a
SHA1153d4bc14e3a2c1485006f1752e797ca8684d06d
SHA2567f6839a61ce892b79c6549e2dc5a81fdbd240a0b260f8881216b45b7fda8b45d
SHA512ad33e3c0c3b060ad44c5b1b712c991b2d7042f6a60dc691c014d977c922a7e3a783ba9bade1a34de853c271fde1fb75bc2c47869acd863a40be3a6c6d754c0a6
-
Filesize
78KB
MD5f77a4aecfaf4640d801eb6dcdfddc478
SHA17424710f255f6205ef559e4d7e281a3b701183bb
SHA256d5db0ed54363e40717ae09e746dec99ad5b09223cc1273bb870703176dd226b7
SHA5121b729dfa561899980ba8b15128ea39bc1e609fe07b30b283001fd9cf9da62885d78c18082d0085edd81f09203f878549b48f7f888a8486a2a526b134c849fd6b
-
Filesize
304KB
MD5300cdb880472aaca87729954146d2570
SHA18c99b709785fb5cdf21a35221e9e3804fc269120
SHA256497649f25ff7e5f024bb1155a51fb76b7bee7aa85cf949df7806f0463aa49f33
SHA512dc6c84351e9023f065d1135b07fa8ecd69d6f144187bbaefc67d87f2fc7801d6f584dc38f2553023c05cd9b9d93b8624bc871ed0387c534240b62103354c2e1f
-
Filesize
32KB
MD546846ba56529e39afc115ae47db6888f
SHA1d3490e2ddb3a3b900df0a0679b7938f862022f85
SHA25694a3b4408b74bf2b41dc5d193840457c85e0b9c44a7e283eabb06c99a7ac1eb2
SHA5123a94e4e1296ac977ccfff8b080270bd40e6a69e8a0df51aca02644014897de25fe73c4f0a6f6b6c782e9379b984a0d934db01400a57c45e2c5e012fd49a5253d
-
C:\Program Files (x86)\dotnet\shared\Microsoft.NETCore.App\6.0.25\Microsoft.NETCore.App.runtimeconfig.json
Filesize159B
MD53fbd84a952d4bab02e11fec7b2bbc90e
SHA1e92de794f3c8d5a5a1a0b75318be9d5fb528d07d
SHA2561b7aa545d9d3216979a9efe8d72967f6e559a9c6a22288d14444d6c5c4c15738
SHA512c97c1da7ae94847d4edf11625dc5b5085838c3842a550310cca5c70ba54be907ff454ca1e0080ba451eacfc5954c3f778f8b4e26c0933e55c121c86c9a24400b
-
Filesize
141KB
MD563088a6285a6387da63536bac73e32ac
SHA18d7f6ec4394de4e6929d80e2124bff26018ffbae
SHA256756c0824def8345f7e2b246f0620a6ab897eab88667acceecfa4c15bca704ac4
SHA5128e5d666f6617c2dc9424490f3eee62db6c9585a7c2b9fec861e895bd5c786b7348ac91b02d3250af38e5dae89bc849d857dce7c694702396f23ff60047b47718
-
Filesize
9.5MB
MD5c74528e88b0d127d45fc138e70742cab
SHA1a4a41160310437bb7ff492a37abf8f0be3ee6766
SHA2562cf7abcbea4eca4023aec579dee14ad18572f13ff36f9d7db0e88e519b7f0772
SHA5129b2d3195742f1d5bea064238a05acb61ad847efb1225512c4086293c519970ef92f226e112cf5edb4d0ac672974920b8c62bd71d537fbf104f55212281c744b3
-
Filesize
41KB
MD5bcae015718aa9348c0be0f31c2b0b4e2
SHA1fec631fd1014b44ed00e524e2937d47cb5c1b551
SHA2567d8575ee34c117fe7cc5a37a1814cac56a91476be060e56421f6f44379326918
SHA5129c8a0461a58e0fee057da9915e87d177e20f8d89e0da72f2fe3f43e242c884db96981cfae4e00c4c0ab2257263c5e1b3a859b8dbdef98a9d037932135b5eefee
-
Filesize
1.3MB
MD5b2677e05dae1910f23886c68d6e0680b
SHA1a8978dbdba226da8b27c971fd8942ce3c7541f7d
SHA2566e31be85fa069a1631be0a8401c9866b316c8ceb0dd57456d946d2bc3bc2a35f
SHA51224342643533595b75dadc71446663a7b76684d92db528177ae1045b41af56444a3364aa2ea205daa8aee7fa73b1b44b6c8a2743f3cfaf2fb1c6aae8dad4382ad
-
Filesize
1.2MB
MD5932ab0988bb417fb9a0627848b8f8313
SHA15bd519c41c12d2a4bcc9aa466121e885eb04939c
SHA256294d3a9a40f34a0224f1e424a7fb5dff3342d5ab22eeb50453185a93e5c5122f
SHA512e24a1291027298baba7d3034005e4a490af18fcfda6338872807bfc8bb1e8e991136287f1e0331b46f0cd1dfa88a217fb5fb7a7bba72042da1fd15d4c3f6bf18
-
Filesize
4.1MB
MD52104464df3bd54668291460b62b0f448
SHA1241072a3b2f765979e13615c450fa91e1b119eb4
SHA256a69b7c4587f5f3747b9c8523babe464526a31f300200888b6f4a77e2fe3e366e
SHA5126a3ff204d1573b5bead1377969ae97d7ca3b8873fecc027b55407c0b4332fcf266a9603e1ca4355ecda4411123e1be2bc3b9d4815ab278311aa1e0b6fa820a7c
-
Filesize
319KB
MD5f2f2d04db11d9bced32e10b264a16d51
SHA1f16f2b38bf5364b2953bb2dafd70ceea7f4c2b17
SHA2564a01ca332f6d524e5ebba26d85ecb9dc67877353880d4612390445ea08d25f7c
SHA512808f34081cdf7478a1e6f7b1c08b660ff315b81b5b2ed605d795e5dc856e806c7f27fd54f4754e23e2d1ab56233bc4dcde58982cb2317b2cb976709ed826f20a
-
Filesize
143KB
MD50616048dc4d9191a5227c8e6ae93ada3
SHA1d465306bfd3da6e9d54e8a62624f6a417b4708bb
SHA2563bea0078946d905fd14b12f07e73280e818255357edb32308d2a6702c6ae20e2
SHA512d6ec4c7de38f43291247d3acee7b4839ff1cc1ecb281f97a6f6b7d5eb9d9a98843a8d9f62c7ad4ffc1a6ff009c43884804962d7809bd4521ed64d9d3eec686e1
-
Filesize
265B
MD596cef2f03d2443b27c4505ecdbbb11fd
SHA1be4f6655f8be38d4695055750dd6913881621c91
SHA2564a94e43d1ef65cbd19dabbb4cf57eb871ff5b242ce07daf6234531c10ecd0eb6
SHA512052a6403501ecd5822f7038f91694e9004048d2bbf03fbeb120b14fe20e0b8383c11d722d24d118f1b0135610081d077e3dffd5b92e9b5b8221d109f0dd550ee
-
Filesize
152B
MD5a499254d6b5d91f97eb7a86e5f8ca573
SHA103dbfebfec8c94a9c06f9b0cd81ebe0a2b8be3d1
SHA256fb87b758c2b98989df851380293ff6786cb9a5cf2b3a384cec70d9f3eb064499
SHA512d7adcc76d0470bcd68d7644de3c8d2b6d61df8485979a4752ceea3df4d85bd1c290f72b3d8d5c8d639d5a10afa48d80e457f76b44dd8107ac97eb80fd98c7b0c
-
Filesize
152B
MD5bafce9e4c53a0cb85310891b6b21791b
SHA15d70027cc137a7cbb38f5801b15fd97b05e89ee2
SHA25671fb546b5d2210a56e90b448ee10120cd92c518c8f79fb960f01b918f89f2b00
SHA512c0e4d3eccc0135ac92051539a18f64b8b8628cfe74e5b019d4f8e1dcbb51a9b49c486a1523885fe6be53da7118c013852e753c26a5490538c1e721fd0188836c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize2KB
MD5fdd608ef48acae1cc817bc9c33e800be
SHA10ff18faa611d768a934786d967b3bb85ce12cb68
SHA256c685af536090cbc31bc24fc2b29d09ac304ae3573931e55c0ed25f5196b64b09
SHA5129d289d5f8543c4ea0e2ef2c4bc2b35c776e3f47c9db92f9a32847a1fd634d5b590a3266b95748231aab50d8ac72648079b560c117aac33597a1c4b9eda4a725a
-
Filesize
1KB
MD5b7fde70b14ab374ae3f979b609b92f20
SHA1234da7758238c34fe795d026ac8168e44913e42b
SHA256b5c881ad9accd38cf813c60d14b7817e7c32faa71b3149b2cde7c6a141d5be3e
SHA512011fa4b339132b990adfb47236fe3e97d8db6713d936c03fc0e302fb82aa73d479fdb9daf5efacff1cb28341075de1ea777667df8c0458c2247a0a7b0b817d1b
-
Filesize
6KB
MD5098df3a5ef2f777a4613c6a1c829bc49
SHA1aab476d30ac4813839429b2a0c9d7b70f688170a
SHA256a4eb3f4080eb243b3af68f1829737076f7b9b932421a2c31b657d347df7b5a11
SHA512404dd47b808616fead9b3a43bfb32631869d1ada0eb50888dc1cd31cc3289e1c33d778d156860e402601e0f51d6c4c560b597a7874226d0d6ea13d103e504be0
-
Filesize
6KB
MD5909e130725b6f689dd7a0ae4c2b0fade
SHA17b34c8778fd416d5cec3418a99f22500df0455eb
SHA25658a1459143b54596824a56270952422c95680f54c57104651c5241da99e7f015
SHA5123ee95686a45cb297d848eb92f48b2781163ae01b17602fff8f8d375400e9eacc7bfa847fd35a1389957b27f9bbf4e17973a00d696301e13b1e148ad05b66b8c5
-
Filesize
7KB
MD5cb51d1b954e89c28dbeedf45be4a51a5
SHA1f529c9e6a78baad0f591dd5d8a08457a8d057850
SHA256dee4258331be82aea3a8cf5f5cdfb9882961e884031a919740c43b6cf1c9f861
SHA51237f71d4ec2663f5efd689bbf9d4dd1a2507711f26ce2dea528fa45adb17c5a68a7861cb1cec9cb3fb655f064cce1378674bb51378ef6072452cf15711049cb24
-
Filesize
7KB
MD5b1792f9d034dc23abaac8ec4cafdc723
SHA18d3c6b7c681e7190d6ace2b8930addf661ceb87d
SHA256ec6277f54cf45f12747e0b82252997aa5deaf3b72562cca79a223b069af55431
SHA5123a0fff5c26fd216b19d6e51491b34a444c36a2af77fc3e7c97dece60ab6ac9883afe1637f82972504a4df99e77e40fa411ba9f31c850c77f9b8795639e10b72d
-
Filesize
1KB
MD533e0d5027b42520897f790fb0df01a64
SHA1ec09efa8702d782882cc8639c9987d08e28b838f
SHA2566c2a7aa5cda77889c7725396fb6d60ebe185e5c9e0a8ab97b31aaf7f0f551d28
SHA512b70fd868aca7eb04d6b52d990700c457f12598aa6ca51ad4caa283c2634de84d670c40559f54ff8ca5cb8dd5211e6030b5328ee913fb38a9cfcc4d5b1a52ff62
-
Filesize
1KB
MD529168cd78c3ac57f0308ad66de2ffded
SHA141b86ef31ecfc4ff8cc7671d132d46e563c0fda4
SHA256f0cb5c013b077d8be7786289f94606e877f1a4e0cd2056ac82b5c0f165642f94
SHA512f877781fca5f037fc98ccec8ebf790a132d9ae9a2eb97fc2e44a6e64a57df887b0e0a3cbe3d2cbb5ccb5e621871126d2adbb2c2925c1e07fa04996847ea39df8
-
Filesize
1KB
MD5340287702f09e957b2ecf86ded0b7ea6
SHA1fc0396d2f778f7fc894d6111094ab19411110775
SHA256bbb6eb85eeb0b88cc16ca51357b7ac63ab510313e6130d1b5270a17b5a4f2c71
SHA5128cd69f1a4ce4927651fa57425badd79a069b52ea92db86f6fc78443d8b4785e957e930e93a403acb5547e082508778e7aba1df36b8556a2388e13515be942246
-
Filesize
1KB
MD5501ce7353df5966f2b26a1d7b248b8ba
SHA11170fb3cf1cf5ea463efa1e8f44993cb5ff7b95a
SHA256a948803d5857f1f0803af50b3cd1505a7f54138b0749f6f264138a2499540369
SHA512a5f1d11fae183412f132555117294003e246c76bcf51f5ed407fe7277d4a2e36d715d091d98627815e0a226b5d896f457dd75eb2c14feb8aa1d948b360bedec8
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD52db09779c2bb935acbd361d8bfb66065
SHA18aaecba6f96417f22b6ffe7e5f63ce66638d1f9f
SHA2568be7d42f3f8740ba72d658eaa24886e237aa1356ae5bea12878698830b594989
SHA51287fef116e32c8a888b8d81ac31dce9a0745267af13a0a55fdc0d1490fc206f276896a3f42b851253e8ebdd24dca2cb578d63974c30d7fd615aebdaad02670d88
-
Filesize
11KB
MD533f0f206ec6f35827b1f4cbdeb9b8588
SHA1fe7400ba5af7e59dd08f2a901ca999ae3b1e348c
SHA256a8d8deaa2f44c3d2644f455258c056f90321aee0b73300e249ec61d9e4f8cfe3
SHA512ad5457612470226af83acff8b77db4f77c9aff09ce8745d562dbbb92431e2059b4d123adc612c83354a99d1087d4d21a6d966d38a5837325aeb5eb9032f3a4e5
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x86)_20240710221900_000_dotnet_runtime_6.0.25_win_x86.msi.log
Filesize3KB
MD53a7c62a67ccf6a4a994184bdf9934b1e
SHA1274f149b1c0f13d57a5c89d2b1d3366f86fea52c
SHA256892b89d81f27024b979ee2cb0e0abb318add9f0a1bf026eb712c82afa45e9b0e
SHA512ee373bc870cd9d5808379429131ab44dfb7c6a750a8c4c8a03be4584947e57d227d3be212c0661f8a78b8dc5421e623a99806f842582bb6861620769b5ecb50d
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x86)_20240710221900_001_dotnet_hostfxr_6.0.25_win_x86.msi.log
Filesize2KB
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x86)_20240710221900_002_dotnet_host_6.0.25_win_x86.msi.log
Filesize 2KB
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x86)_20240710221900_003_windowsdesktop_runtime_6.0.25_win_x86.msi.log
Filesize 2KB
-
C:\Windows\Temp\{31633966-F3EA-4963-8DD3-DB5409CE274E}\.cr\windowsdesktop-runtime-6.0.25-win-x86.exe
Filesize 610KB