0e774f8533566b6221fdd374f4f6f30551f4e6aeb4848521445d15158f029855

Analysis

max time kernel
1565s
max time network
1567s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
06-08-2024 14:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxPlayerInstaller.exe
Size

4.5MB
MD5

c9c89a5180728704d9fc8b10fcfa5124
SHA1

6eb7edac4c879645641394eb20db3cf707019b47
SHA256

0e774f8533566b6221fdd374f4f6f30551f4e6aeb4848521445d15158f029855
SHA512

98fbac35cbfff889ffb7a9b26684aee196237a54a9548285c233c2abf0a6a1f7588eb28d166a3a32e103f974418a7e75477cc699e5f0c8e3e290916b44ffc220
SSDEEP

98304:Smvn+iSkszLaY6ZZBrKv0Log5yGj06VuXJ+2npsbLfNzt:P+iBsGZ7KngtE+YK3fdt

Score

6^/10

discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	MicrosoftEdgeUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 24 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\Roboto-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\particles\fire_sparks_color.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\StudioToolbox\EndorsedBadge.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\vr_idle.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\ExtraContent\textures\ui\LuaApp\icons\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\fr.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\sky\sun.jpg	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\VR\buttonBackground.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\onnxruntime.dll	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\AvatarEditorImages\Sliders\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Controls\PlayStationController\ButtonR3.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\ExtraContent\textures\ui\LuaChat\graphic\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\AnimationEditor\btn_expand.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Controls\PlayStationController\PS5\ButtonTouchpad.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Lobby\Buttons\scroll_left.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\AnimationEditor\button_hierarchy_closed.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\MaterialGenerator\Materials\Metal.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1432_1064204421\109.0.1518.140\msedgewebview2.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Notifications\SoftLandingAssetDark.gif	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\gd.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\DeveloperFramework\StudioTheme\search_20.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\ExtraContent\LuaPackages\Packages\_Index\UIBlox\UIBlox\AppImageAtlas\img_set_3x_12.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\AvatarImporter\img_dark_RthroNarrow.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\VoiceChat\MicDark\Unmuted80.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\VR\notifications.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\StudioSharedUI\spawn_withoutbg_24.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\icon_friendrequestrecieved-16.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\PurchasePrompt\SingleButtonDown.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\VoiceChat\MicLight\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\en-US.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\AmaticSC-Regular.ttf	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\TopBar\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Notifications\SoftLandingAssetLight.gif	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4FB6.tmp\msedgeupdate.dll	MicrosoftEdgeUpdateSetup_X86_1.3.195.15.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\avatar\compositing\CompositFullAtlasOverlayTexture.mesh	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\AnimationEditor\Button_Dopesheet_Lightmode.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\MenuBar\dropdown-arrow.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\PlayerList\NotificationOn.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\ExtraContent\textures\ui\ImageSet\LuaApp\img_set_2x_4.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\ExtraContent\textures\ui\LuaChat\graphic\gr-profile-border-36x36.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\EBWebView\x64\EmbeddedBrowserWebView.dll	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\MaterialGenerator\AddImage_64x64.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Emotes\Editor\Large\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\kk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\sq.pak	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\icon_ROBUX.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\shadowblurmask.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\AssetImport\btn_light_filepicker_28x28.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\MenuBar\icon_chat.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Settings\Players\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\WidevineCdm\manifest.json	setup.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\AnimationEditor\icon_keyIndicator_selected.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\Debugger\Stop.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\PathEditor\Tangent_Handle_Selected.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\PluginManagement\unchecked.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\StudioToolbox\AssetConfig\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Input\Disk_padded.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\VoiceChat\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU4FB6.tmp\msedgeupdateres_ml.dll	MicrosoftEdgeUpdateSetup_X86_1.3.195.15.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\LayeredClothingEditor\Add Icon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\VoiceChat\MicLight\Muted.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\qu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\109.0.1518.140\Locales\id.pak	setup.exe

Executes dropped EXE 30 IoCs

pid	Process
2144	MicrosoftEdgeWebview2Setup.exe
3968	MicrosoftEdgeUpdate.exe
3504	MicrosoftEdgeUpdate.exe
3500	MicrosoftEdgeUpdate.exe
2376	MicrosoftEdgeUpdateComRegisterShell64.exe
3216	MicrosoftEdgeUpdateComRegisterShell64.exe
3888	MicrosoftEdgeUpdateComRegisterShell64.exe
2756	MicrosoftEdgeUpdate.exe
3184	MicrosoftEdgeUpdate.exe
3396	MicrosoftEdgeUpdate.exe
1152	MicrosoftEdgeUpdate.exe
3704	MicrosoftEdge_X64_109.0.1518.140.exe
1432	setup.exe
2972	MicrosoftEdgeUpdate.exe
2196	RobloxPlayerBeta.exe
1932	MicrosoftEdgeUpdate.exe
1308	MicrosoftEdgeUpdate.exe
3860	MicrosoftEdgeUpdateSetup_X86_1.3.195.15.exe
3816	MicrosoftEdgeUpdate.exe
3584	MicrosoftEdgeUpdate.exe
2756	MicrosoftEdgeUpdate.exe
3024	MicrosoftEdgeUpdate.exe
3340	MicrosoftEdgeUpdateComRegisterShell64.exe
1252	MicrosoftEdgeUpdateComRegisterShell64.exe
1724	MicrosoftEdgeUpdateComRegisterShell64.exe
2628	MicrosoftEdgeUpdate.exe
1252	MicrosoftEdgeUpdate.exe
3024	MicrosoftEdgeUpdate.exe
3356	MicrosoftEdgeUpdate.exe
916	MicrosoftEdgeUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
2752	RobloxPlayerInstaller.exe
2752	RobloxPlayerInstaller.exe
2752	RobloxPlayerInstaller.exe
2144	MicrosoftEdgeWebview2Setup.exe
3968	MicrosoftEdgeUpdate.exe
3968	MicrosoftEdgeUpdate.exe
3968	MicrosoftEdgeUpdate.exe
3968	MicrosoftEdgeUpdate.exe
3968	MicrosoftEdgeUpdate.exe
3500	MicrosoftEdgeUpdate.exe
3500	MicrosoftEdgeUpdate.exe
2376	MicrosoftEdgeUpdateComRegisterShell64.exe
3500	MicrosoftEdgeUpdate.exe
3500	MicrosoftEdgeUpdate.exe
3216	MicrosoftEdgeUpdateComRegisterShell64.exe
3500	MicrosoftEdgeUpdate.exe
3500	MicrosoftEdgeUpdate.exe
3888	MicrosoftEdgeUpdateComRegisterShell64.exe
3500	MicrosoftEdgeUpdate.exe
3968	MicrosoftEdgeUpdate.exe
3968	MicrosoftEdgeUpdate.exe
3968	MicrosoftEdgeUpdate.exe
3968	MicrosoftEdgeUpdate.exe
3396	MicrosoftEdgeUpdate.exe
3184	MicrosoftEdgeUpdate.exe
3396	MicrosoftEdgeUpdate.exe
3396	MicrosoftEdgeUpdate.exe
3704	MicrosoftEdge_X64_109.0.1518.140.exe
1432	setup.exe
3396	MicrosoftEdgeUpdate.exe
2752	RobloxPlayerInstaller.exe
2752	RobloxPlayerInstaller.exe
2752	RobloxPlayerInstaller.exe
2196	RobloxPlayerBeta.exe
1932	MicrosoftEdgeUpdate.exe
1932	MicrosoftEdgeUpdate.exe
1308	MicrosoftEdgeUpdate.exe
1308	MicrosoftEdgeUpdate.exe
1308	MicrosoftEdgeUpdate.exe
1932	MicrosoftEdgeUpdate.exe
1308	MicrosoftEdgeUpdate.exe
1308	MicrosoftEdgeUpdate.exe
3860	MicrosoftEdgeUpdateSetup_X86_1.3.195.15.exe
3584	MicrosoftEdgeUpdate.exe
3584	MicrosoftEdgeUpdate.exe
3584	MicrosoftEdgeUpdate.exe
3584	MicrosoftEdgeUpdate.exe
3584	MicrosoftEdgeUpdate.exe
3584	MicrosoftEdgeUpdate.exe
3584	MicrosoftEdgeUpdate.exe
3024	MicrosoftEdgeUpdate.exe
3024	MicrosoftEdgeUpdate.exe
3340	MicrosoftEdgeUpdateComRegisterShell64.exe
3024	MicrosoftEdgeUpdate.exe
3024	MicrosoftEdgeUpdate.exe
1252	MicrosoftEdgeUpdateComRegisterShell64.exe
3024	MicrosoftEdgeUpdate.exe
3024	MicrosoftEdgeUpdate.exe
1724	MicrosoftEdgeUpdateComRegisterShell64.exe
3024	MicrosoftEdgeUpdate.exe
3584	MicrosoftEdgeUpdate.exe
3584	MicrosoftEdgeUpdate.exe
3584	MicrosoftEdgeUpdate.exe
3024	MicrosoftEdgeUpdate.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdateSetup_X86_1.3.195.15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3356	MicrosoftEdgeUpdate.exe
916	MicrosoftEdgeUpdate.exe
2756	MicrosoftEdgeUpdate.exe
1152	MicrosoftEdgeUpdate.exe
2972	MicrosoftEdgeUpdate.exe
3816	MicrosoftEdgeUpdate.exe
2628	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d9909000000000200000000001066000000010000200000001c286b1c919b65d9b89cf8705c0830e4021421a01e95b1b760e2dd61593b6b00000000000e800000000200002000000033e63f6e2fafd996dbfd42cd3d95898027d40a567e5baa8dae8f41bfb6b288b790000000c19b3ab9f06419a58481700e54afb94aea50f7b24013cb1c264b546dbce81946999fec7c685deeaf42da5843ddb54222170b5a8d4e2ca13a2a3d86782f7e01ef25ae3abc57c7dcfda8dc86b1632f7b7c0453e104853deb5e97d64e263c4c26b175420bc75d08e4dd789dccd4a2e8fb8b1ab359efb5e3251c81d28b02a51d9cf80c98d570ba42e0befc781cfcadbf3941400000001405e3b0c1ec25399a7e32c086f84b3c9acd6e4d78ddc5d53212bc6a6ce3cce05ef84b4b329ffa793346958f7bc8eba1816f91ba59321326cb80ffae60cd7b2e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000a41ebc5a7208145d2725e08a50bf005db2555eafb6f5031a36a19df1cc218064000000000e8000000002000020000000b6226ad1a377fd03637e1be215af04543e79fae66f8eb239317eb578e0d8499e20000000cd3c841e3fc3d0b7b2cfa9e4fd34b697b2d164563cfb4c92b0970a831e9ac6f8400000005c1c45803092cdd4496d0a68739ceb308c1df3245dea9ebb4f114defa4b45fa66bd07ba56c21708a59d84f23d33f697c8413c72634dd861c615b49c6ddac9354	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox	RobloxPlayerInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1EB382D1-5404-11EF-A1F7-DA486F9A72E4} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429118087"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player	RobloxPlayerInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f00631e410e8da01	iexplore.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0"	RobloxPlayerInstaller.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-73-6d-b4-ba-58\WpadDecisionReason = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-73-6d-b4-ba-58\WpadDecisionTime = 3086ae8811e8da01	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9352DC2-2A9B-4CDA-99AE-B30F21EA782E}\WpadNetworkName = "Network 3"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-73-6d-b4-ba-58\WpadDecisionReason = "1"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-73-6d-b4-ba-58\WpadDetectedUrl	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-73-6d-b4-ba-58\WpadDetectedUrl	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-73-6d-b4-ba-58\WpadDecisionTime = c036623511e8da01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9352DC2-2A9B-4CDA-99AE-B30F21EA782E}\WpadNetworkName = "Network 3"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-73-6d-b4-ba-58\WpadDecision = "0"	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9352DC2-2A9B-4CDA-99AE-B30F21EA782E}\WpadDecision = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9352DC2-2A9B-4CDA-99AE-B30F21EA782E}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B9352DC2-2A9B-4CDA-99AE-B30F21EA782E}\WpadDecisionTime = 50cf333111e8da01	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\CurVer	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService\CurVer\ = "MicrosoftEdgeUpdate.Update3COMClassService.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService.1.0\CLSID\ = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ = "ICoCreateAsync"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox\shell	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalServer32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0\ = "Microsoft Edge Update Legacy On Demand"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ServiceParameters = "/comsvc"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ = "IGoogleUpdateCore"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ = "IAppVersionWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E8770A1-043A-4818-BB5C-41862B93EEFF}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.15\\psmachine.dll"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods\ = "17"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ = "IGoogleUpdate3Web"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{0E8770A1-043A-4818-BB5C-41862B93EEFF}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ProgID\ = "MicrosoftEdgeUpdate.CredentialDialogMachine.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\ProgID\ = "MicrosoftEdgeUpdate.CoreClass.1"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0E8770A1-043A-4818-BB5C-41862B93EEFF}\ = "PSFactoryBuffer"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.PolicyStatusSvc"	MicrosoftEdgeUpdate.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2752	RobloxPlayerInstaller.exe
1148	chrome.exe
1148	chrome.exe
3968	MicrosoftEdgeUpdate.exe
3968	MicrosoftEdgeUpdate.exe
3968	MicrosoftEdgeUpdate.exe
3968	MicrosoftEdgeUpdate.exe
3968	MicrosoftEdgeUpdate.exe
1932	MicrosoftEdgeUpdate.exe
1932	MicrosoftEdgeUpdate.exe
1932	MicrosoftEdgeUpdate.exe
1308	MicrosoftEdgeUpdate.exe
1308	MicrosoftEdgeUpdate.exe
3584	MicrosoftEdgeUpdate.exe
3584	MicrosoftEdgeUpdate.exe
1252	MicrosoftEdgeUpdate.exe
1252	MicrosoftEdgeUpdate.exe
1252	MicrosoftEdgeUpdate.exe
3024	MicrosoftEdgeUpdate.exe
3024	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeDebugPrivilege	2960	firefox.exe
Token: SeDebugPrivilege	2960	firefox.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe

Suspicious use of FindShellTrayWindow 56 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
2344	iexplore.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
2960	firefox.exe
2960	firefox.exe
2960	firefox.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2344	iexplore.exe
2344	iexplore.exe
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2092	IEXPLORE.EXE
2344	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 1080	1148	chrome.exe	33
PID 1148 wrote to memory of 1080	1148	chrome.exe	33
PID 1148 wrote to memory of 1080	1148	chrome.exe	33
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 3040	1148	chrome.exe	35
PID 1148 wrote to memory of 316	1148	chrome.exe	36
PID 1148 wrote to memory of 316	1148	chrome.exe	36
PID 1148 wrote to memory of 316	1148	chrome.exe	36
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37
PID 1148 wrote to memory of 2412	1148	chrome.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2752
- C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
  MicrosoftEdgeWebview2Setup.exe /silent /install
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2144
- - C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks system information in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3968
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3504
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3500
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2376
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3216
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3888
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzUzMkNCQzYtMDkyNC00QkE4LThCRDUtQUUzMTJGMzM2Q0Q3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsyOTEzQjFFOS04ODY4LTQxRjAtQkQ4NS1CMTM1MzI4MDA0RTF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMS4zLjE3MS4zOSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMzk3MjM1MTAwMCIgaW5zdGFsbF90aW1lX21zPSI1ODUiLz48L2FwcD48L3JlcXVlc3Q-
      4⤵
      Checks system information in the registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2756
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{3532CBC6-0924-4BA8-8BD5-AE312F336CD7}" /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3184
- C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\RobloxPlayerBeta.exe
  "C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\RobloxPlayerBeta.exe" -app
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6189758,0x7fef6189768,0x7fef6189778
  2⤵
  PID:1080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1164 --field-trial-handle=1368,i,18442254224147282454,3136083513644313213,131072 /prefetch:2
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1368,i,18442254224147282454,3136083513644313213,131072 /prefetch:8
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 --field-trial-handle=1368,i,18442254224147282454,3136083513644313213,131072 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2244 --field-trial-handle=1368,i,18442254224147282454,3136083513644313213,131072 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2252 --field-trial-handle=1368,i,18442254224147282454,3136083513644313213,131072 /prefetch:1
  2⤵
  PID:2284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1392 --field-trial-handle=1368,i,18442254224147282454,3136083513644313213,131072 /prefetch:2
  2⤵
  PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1320 --field-trial-handle=1368,i,18442254224147282454,3136083513644313213,131072 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3508 --field-trial-handle=1368,i,18442254224147282454,3136083513644313213,131072 /prefetch:8
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3504 --field-trial-handle=1368,i,18442254224147282454,3136083513644313213,131072 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3828 --field-trial-handle=1368,i,18442254224147282454,3136083513644313213,131072 /prefetch:1
  2⤵
  PID:2156

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2344
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2344 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2760
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2344 CREDAT:209933 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2092

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:592
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.0.305214784\255694054" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1056 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b96a24f-7101-4686-be57-cede599c4afe} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 1328 113d7858 gpu
    3⤵
    PID:1940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.1.211433491\419083646" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d8f919b-5c7f-4124-be2f-0f713f6a3437} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 1496 3e3bc58 socket
    3⤵
    - Checks processor information in registry
    PID:2196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.2.357005217\616619880" -childID 1 -isForBrowser -prefsHandle 2020 -prefMapHandle 2016 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3dfc737a-8c70-4caf-b435-b4ea6a7cd885} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 2032 19a69658 tab
    3⤵
    PID:3180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.3.509870827\1224019650" -childID 2 -isForBrowser -prefsHandle 1648 -prefMapHandle 632 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3472bf38-9f1c-4785-a7fa-e3dec980d43e} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 580 d69958 tab
    3⤵
    PID:3452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.4.840516958\899528958" -childID 3 -isForBrowser -prefsHandle 2776 -prefMapHandle 2772 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e694bcbc-6c2f-48f8-82a0-bae9c591dd4b} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 2788 d62258 tab
    3⤵
    PID:3472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.5.1628793884\1393400110" -childID 4 -isForBrowser -prefsHandle 3776 -prefMapHandle 3464 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {594ca6f2-77c6-4742-aa91-daba11ba607a} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 3744 d2d258 tab
    3⤵
    PID:3288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.6.2054253087\1652554171" -childID 5 -isForBrowser -prefsHandle 3876 -prefMapHandle 3880 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9bd0331-aeb9-42f4-ab9e-bcd050c7266c} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 3864 1f7a7258 tab
    3⤵
    PID:3292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.7.1211049085\1205877680" -childID 6 -isForBrowser -prefsHandle 3936 -prefMapHandle 3932 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {20322da7-dfc0-4efb-945f-9e602157d3fe} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 3944 1f884758 tab
    3⤵
    PID:3336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2960.8.1042394770\1167685628" -childID 7 -isForBrowser -prefsHandle 3880 -prefMapHandle 1860 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 808 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa0a689c-b939-48d9-93aa-ed1580055a17} 2960 "\\.\pipe\gecko-crash-server-pipe.2960" 3900 1d79d358 tab
    3⤵
    PID:2620

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3396
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzUzMkNCQzYtMDkyNC00QkE4LThCRDUtQUUzMTJGMzM2Q0Q3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxOUY0Q0M4MC1FMDAxLTQ0QjEtQjVFQi1FN0NENTE4NTQ2OUZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIG5leHR2ZXJzaW9uPSIxMDYuMC41MjQ5LjExOSIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjMiIHN5c3RlbV91cHRpbWVfdGlja3M9IjM5NzQzNjEwMDAiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Drops file in System32 directory
  - Checks system information in the registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Modifies data under HKEY_USERS
  PID:1152
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D24B3D34-FFB0-4D73-B9B6-1689D3DC1234}\MicrosoftEdge_X64_109.0.1518.140.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D24B3D34-FFB0-4D73-B9B6-1689D3DC1234}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3704
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D24B3D34-FFB0-4D73-B9B6-1689D3DC1234}\EDGEMITMP_EFBFE.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D24B3D34-FFB0-4D73-B9B6-1689D3DC1234}\EDGEMITMP_EFBFE.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D24B3D34-FFB0-4D73-B9B6-1689D3DC1234}\MicrosoftEdge_X64_109.0.1518.140.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1432
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MzUzMkNCQzYtMDkyNC00QkE4LThCRDUtQUUzMTJGMzM2Q0Q3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins4RTZENDFBNC05ODEwLTRGODUtOUZGNi1DNTZBRjE4OUQwQzZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTA5LjAuMTUxOC4xNDAiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQzODgxNjEwMDAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0Mzg4MjYxMDAwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQwNTc0MTAwMCIgc291cmNlX3VybF9pbmRleD0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvMGM0MDg0ZjMtMWJlZC00MjQ2LWI4ZWQtMjA2Y2NiZTYwZTNjP1AxPTE3MjM1NjExNzUmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9Y0lORjMlMmYlMmZ4YXk3TmdPYjl1Z0pDbjJheWtvUFBMaCUyYlhIS3N0JTJiZWZXU1NZb0hibUVrcG1aQ0FYSFN6WkRucjZFJTJiRUlTQVJsMzBuVUV2U0xHajhqMzNnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTQwNjk2MDA4IiB0b3RhbD0iMTQwNjk2MDA4IiBkb3dubG9hZF90aW1lX21zPSIxMDAxOTIiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDA1ODcxMDAwIiBzb3VyY2VfdXJsX2luZGV4PSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQxNzY5MTAwMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5NjYwOSIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQ4ODY2MTAwMCIgc291cmNlX3VybF9pbmRleD0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9Ijc1MzIiIGRvd25sb2FkX3RpbWVfbXM9IjEwMTc0NyIgZG93bmxvYWRlZD0iMTQwNjk2MDA4IiB0b3RhbD0iMTQwNjk2MDA4IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI3MDg2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Drops file in System32 directory
  - Checks system information in the registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Modifies data under HKEY_USERS
  PID:2972

C:\Windows\system32\taskeng.exe
taskeng.exe {49A4E799-C386-4009-8BCB-2825AC42B69E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1548
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1932

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1308
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0BB40302-1DEE-4970-B594-6E6DAF2C9391}\MicrosoftEdgeUpdateSetup_X86_1.3.195.15.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{0BB40302-1DEE-4970-B594-6E6DAF2C9391}\MicrosoftEdgeUpdateSetup_X86_1.3.195.15.exe" /update /sessionid "{C91751DC-3EC7-44EF-9421-B5EB878F4961}"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3860
- - C:\Program Files (x86)\Microsoft\Temp\EU4FB6.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EU4FB6.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{C91751DC-3EC7-44EF-9421-B5EB878F4961}"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks system information in the registry
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3584
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2756
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3024
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3340
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1252
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.15\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1724
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzkxNzUxREMtM0VDNy00NEVGLTk0MjEtQjVFQjg3OEY0OTYxfSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7RTYxNjY4MzAtMThDMy00QTZDLUFFQjItOEE0OTBFMzUwREYzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjIiIGRpc2tfdHlwZT0iMCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMCIgc3A9IlNlcnZpY2UgUGFjayAxIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMSIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE3MS4zOSIgbmV4dHZlcnNpb249IjEuMy4xOTUuMTUiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIwIiBpbnN0YWxsZGF0ZT0iNjQyNiIgaW5zdGFsbGRhdGV0aW1lPSIxNzIyOTU2MzMyIj48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5NDc0MjY5MDAwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
      4⤵
      Drops file in System32 directory
      Checks system information in the registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Modifies data under HKEY_USERS
      PID:2628
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzkxNzUxREMtM0VDNy00NEVGLTk0MjEtQjVFQjg3OEY0OTYxfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntFRERFNkI3Ni1GMDRELTQ1MUQtQjAwQi03MDBGNTA3NTQ0Mjd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE3MS4zOSIgbmV4dHZlcnNpb249IjEuMy4xOTUuMTUiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNzAyODgxMzAwMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3MDI4OTY5MDAwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjkzMjIzMjUwMDAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzMyM2ZhN2Y3LTQ0NDUtNDEzNy04MmVjLTcxNTI4OTQ5MTgyYT9QMT0xNzIzNTYxNDQwJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUZnQVh3SmRkWmNwQWVRd0xBOXUlMmZocnMzMCUyZng2TW1tenpYeDFVemtaM0FTZ1g1RlFvSFFXTTRPcDk3dDZ1cmgwSGhnb0YzUDRLbENTJTJiVHFoSHRrVSUyYnclM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNjQ1MTEyIiB0b3RhbD0iMTY0NTExMiIgZG93bmxvYWRfdGltZV9tcz0iMjI5MjExIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjkzMjIzMjUwMDAiIHNvdXJjZV91cmxfaW5kZXg9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTMyNzQ3MzAwMCIvPjxwaW5nIHI9Ii0xIiByZD0iLTEiLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTA5LjAuMTUxOC4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjY0MjYiPjx1cGRhdGVjaGVjay8-PHBpbmcgcj0iLTEiIHJkPSItMSIgcGluZ19mcmVzaG5lc3M9IntCNEY0RERBRS1FQzlELTQ3NEUtQjM5My1ERjlGMTJBNzY5QkV9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Drops file in System32 directory
  - Checks system information in the registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  PID:3816

C:\Windows\system32\taskeng.exe
taskeng.exe {218F0B77-4D97-4D7E-9223-8C3C7F1E2237} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3128
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1252

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3024
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzBFQTJEQjYtNkJCQi00QjU2LUEzQjEtRjdBQUYzQ0YyRTJGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7OUUxMkRDNkEtMjIyRS00OTZFLUExNzktOEFBMDIxMjg3QjI0fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjIiIGRpc2tfdHlwZT0iMCIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iNi4xLjc2MDEuMCIgc3A9IlNlcnZpY2UgUGFjayAxIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMSIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjMyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MjAxODU1NDciIG9vYmVfaW5zdGFsbF90aW1lPSIxMjg5MjAyMTI5NDY2OTY3NjgiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxNzE3MyIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTI3NDA0NDEwMDAiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Drops file in System32 directory
  - Checks system information in the registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Modifies data under HKEY_USERS
  PID:3356
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMTUiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzBFQTJEQjYtNkJCQi00QjU2LUEzQjEtRjdBQUYzQ0YyRTJGfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins4NDNGMTU4OC02N0ZELTQ0QkEtOTExNy1EMjA2NEI2QjM4Mjl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iMiIgZGlza190eXBlPSIwIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSI2LjEuNzYwMS4wIiBzcD0iU2VydmljZSBQYWNrIDEiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxIiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjE1IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRlPSI2NDI2IiBjb2hvcnQ9InJyZkAwLjg1Ij48dXBkYXRlY2hlY2svPjxwaW5nIHJkPSI2NDI3IiBwaW5nX2ZyZXNobmVzcz0iezc3NTA1RUNGLTAzRjktNDc0OC1CRUM0LUMyMkU3RDkwRkY4QX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTA5LjAuMTUxOC4xNDAiIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGU9IjY0MjYiIGNvaG9ydD0icnJmQDAuMTQiPjx1cGRhdGVjaGVjay8-PHBpbmcgcmQ9IjY0MjciIHBpbmdfZnJlc2huZXNzPSJ7QkExQTdBMDAtQTYwOC00MzBBLTgxNTYtOUU3RkY1N0VDMDYxfSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Drops file in System32 directory
  - Checks system information in the registry
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Modifies data under HKEY_USERS
  PID:916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.195.15\MicrosoftEdgeUpdateSetup_X86_1.3.195.15.exe

Filesize
1.6MB

MD5
90decc230b529e4fd7e5fa709e575e76

SHA1
aa48b58cf2293dad5854431448385e583b53652c

SHA256
91f0deec7d7319e57477b74a7a5f4d17c15eb2924b53e05a5998d67ecc8201f2

SHA512
15c0c5ef077d5aca08c067afbc8865ad267abd7b82049655276724bce7f09c16f52d13d69d1449888d8075e13125ff8f880a0d92adc9b65a5171740a7c72df03

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1432_1064204421\109.0.1518.140\Installer\msedge_7z.data

Filesize
3KB

MD5
bd70ed26e6e6f3193043ac09c58c6a1c

SHA1
d733a65e17f2851d5116598dd80533efc1656468

SHA256
7a474217d20b9a6fe3c3a46c0d6d5b2d2040fa790663f6da9202ee7cb07bb448

SHA512
3e2ecade6d687b0736d5eafd7527b24095b9c51f0c8ba99398b23da2d8843c49fc8c1fa37190d385b504d8224c8c517d78d44ae32e10e45d54b19477a6970756

Download Submit
C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source1432_1064204421\109.0.1518.140\Installer\setup.exe

Filesize
3.8MB

MD5
3a92a61a6e01c80ecc7d9499abb901b7

SHA1
d89d05802d937f9c71ced14282b8a19623fca7c8

SHA256
b70b2ed82c7afde8003983992b74f8182f55080b43da3d96dd29e8c0c7e8b47e

SHA512
3867efbd984ddd1eec084c70a42104cbc0057c3bed222af8963051779b612b46bf4cea3311452f6564513d7558d49a1e66a9473ad53f1b2fb4c43a9d7d0fb47d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
179KB

MD5
7a160c6016922713345454265807f08d

SHA1
e36ee184edd449252eb2dfd3016d5b0d2edad3c6

SHA256
35a14bd84e74dd6d8e2683470243fb1bb9071178d9283b12ebbfb405c8cd4aa9

SHA512
c0f1d5c8455cf14f2088ede062967d6dfa7c39ca2ac9636b10ed46dfbea143f64106a4f03c285e89dd8cf4405612f1eef25a8ec4f15294ca3350053891fc3d7e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
212KB

MD5
60dba9b06b56e58f5aea1a4149c743d2

SHA1
a7e456acf64dd99ca30259cf45b88cf2515a69b3

SHA256
4d01f5531f93ab2af9e92c4f998a145c94f36688c3793845d528c8675697e112

SHA512
e98088a368d4c4468e325a1d62bee49661f597e5c1cd1fe2dabad3911b8ac07e1cc4909e7324cb4ab39f30fa32a34807685fcfba767f88884ef84ca69a0049e7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
257KB

MD5
c044dcfa4d518df8fc9d4a161d49cece

SHA1
91bd4e933b22c010454fd6d3e3b042ab6e8b2149

SHA256
9f79fe09f57002ca07ae0b2a196e8cc002d2be6d5540ee857217e99b33fa4bb2

SHA512
f26b89085aa22ac62a28610689e81b4dfe3c38a9015ec56dfeaff02fdb6fa64e784b86a961509b52ad968400faa1ef0487f29f07a41e37239fe4c3262a11ac2c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdate.dll

Filesize
2.0MB

MD5
965b3af7886e7bf6584488658c050ca2

SHA1
72daabdde7cd500c483d0eeecb1bd19708f8e4a5

SHA256
d80c512d99765586e02323a2e18694965eafb903e9bc13f0e0b4265f86b21a19

SHA512
1c57dc7b89e7f13f21eaec7736b724cd864c443a2f09829308a4f23cb03e9a5f2a1e5bcdc441301e33119767e656a95d0f9ede0e5114bf67f5dce6e55de7b0a4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_af.dll

Filesize
28KB

MD5
567aec2d42d02675eb515bbd852be7db

SHA1
66079ae8ac619ff34e3ddb5fb0823b1790ba7b37

SHA256
a881788359b2a7d90ac70a76c45938fb337c2064487dcb8be00b9c311d10c24c

SHA512
3a7414e95c2927d5496f29814556d731aef19efa531fb58988079287669dfc033f3e04c8740697571df76bfecfe3b75659511783ce34682d2a2ea704dfa115b3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
f6c1324070b6c4e2a8f8921652bfbdfa

SHA1
988e6190f26e4ca8f7ea3caabb366cf1edcdcbbf

SHA256
986b0654a8b5f7b23478463ff051bffe1e9bbdeb48744e4aa1bd3d89a7520717

SHA512
63092cf13e8a19966181df695eb021b0a9993afe8f98b1309973ea999fdf4cd9b6ffd609968d4aa0b2cde41e872688a283fd922d8b22cb5ad06339fe18221100

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
570efe7aa117a1f98c7a682f8112cb6d

SHA1
536e7c49e24e9aa068a021a8f258e3e4e69fa64f

SHA256
e2cc8017bc24e73048c7ee68d3787ed63c3898eec61299a9ca1bab8aeaa8da01

SHA512
5e963dd55a5739a1da19cec7277dc3d07afdb682330998fd8c33a1b5949942019521967d8b5af0752a7a8e2cf536faa7e62982501170319558ceaa21ed657ae8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_as.dll

Filesize
28KB

MD5
a8d3210e34bf6f63a35590245c16bc1b

SHA1
f337f2cbec05b7e20ca676d7c2b1a8d5ae8bf693

SHA256
3b82de846ad028544013383e3c9fb570d2a09abf2c854e8a4d641bd7fc3b3766

SHA512
6e47ffe8f7c2532e7854dcae3cbd4e6533f0238815cb6af5ea85087c51017ea284542b988f07692d0297ebab1bad80d7613bf424ff532e10b01c8e528ab1043a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
7937c407ebe21170daf0975779f1aa49

SHA1
4c2a40e76209abd2492dfaaf65ef24de72291346

SHA256
5ab96e4e6e065dbce3b643c6be2c668f5570984ead1a8b3578bbd2056fbad4e9

SHA512
8670746941660e6573732077f5ed1b630f94a825cf4ac9dbe5018772eaac1c48216334757a2aeaa561034b4d907162a370b8f0bae83b34a09457fafe165fb5d7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
8375b1b756b2a74a12def575351e6bbd

SHA1
802ec096425dc1cab723d4cf2fd1a868315d3727

SHA256
a12df15afac4eb2695626d7a8a2888bdf54c8db671043b0677180f746d8ad105

SHA512
aec4bb94fde884db79a629abcff27fd8afb7f229d055514f51fa570fb47a85f8dfc9a54a8f69607d2bcaf82fae1ec7ffab0b246795a77a589be11fad51b24d19

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
a94cf5e8b1708a43393263a33e739edd

SHA1
1068868bdc271a52aaae6f749028ed3170b09cce

SHA256
5b01fe11016610d5606f815281c970c86025732fc597b99c031a018626cd9f3c

SHA512
920f7fed1b720afdb569aec2961bd827a6fc54b4598c0704f65da781d142b1707e5106a459f0c289e0f476b054d93c0b733806af036b68f46377dde0541af2e7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
7dc58c4e27eaf84ae9984cff2cc16235

SHA1
3f53499ddc487658932a8c2bcf562ba32afd3bda

SHA256
e32f77ed3067d7735d10f80e5a0aa0c50c993b59b82dc834f2583c314e28fa98

SHA512
bdec1300cf83ea06dfd351fe1252b850fecea08f9ef9cb1207fce40ce30742348db953107ade6cdb0612af2e774345faf03a8a6476f2f26735eb89153b4256dc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_bs.dll

Filesize
28KB

MD5
e338dccaa43962697db9f67e0265a3fc

SHA1
4c6c327efc12d21c4299df7b97bf2c45840e0d83

SHA256
99b1b7e25fbc2c64489c0607cef0ae5ff720ab529e11093ed9860d953adeba04

SHA512
e0c15b166892433ef31ddf6b086680c55e1a515bed89d51edbdf526fcac71fb4e8cb2fadc739ac75ae5c2d9819fc985ca873b0e9e2a2925f82e0a456210898f9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
29KB

MD5
2929e8d496d95739f207b9f59b13f925

SHA1
7c1c574194d9e31ca91e2a21a5c671e5e95c734c

SHA256
2726c48a468f8f6debc2d9a6a0706b640b2852c885e603e6b2dec638756160df

SHA512
ea459305d3c3fa7a546194f649722b76072f31e75d59da149c57ff05f4af8f38a809066054df809303937bbca917e67441da2f0e1ea37b50007c25ae99429957

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
39551d8d284c108a17dc5f74a7084bb5

SHA1
6e43fc5cec4b4b0d44f3b45253c5e0b032e8e884

SHA256
8dbd55ed532073874f4fe006ef456e31642317145bd18ddc30f681ce9e0c8e07

SHA512
6fa5013a9ce62deca9fa90a98849401b6e164bbad8bef00a8a8b228427520dd584e28cba19c71e2c658692390fe29be28f0398cb6c0f9324c56290bb245d06d2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
16c84ad1222284f40968a851f541d6bb

SHA1
bc26d50e15ccaed6a5fbe801943117269b3b8e6b

SHA256
e0f0026ddcbeafc6c991da6ba7c52927d050f928dba4a7153552efcea893a35b

SHA512
d3018619469ed25d84713bd6b6515c9a27528810765ed41741ac92caf0a3f72345c465a5bda825041df69e1264aada322b62e10c7ed20b3d1bcde82c7e146b7e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
34d991980016595b803d212dc356d765

SHA1
e3a35df6488c3463c2a7adf89029e1dd8308f816

SHA256
252b6f9bf5a9cb59ad1c072e289cc9695c0040b363d4bfbcc9618a12df77d18e

SHA512
8a6cbcf812af37e3ead789fbec6cba9c4e1829dbeea6200f0abbdae15efd1eda38c3a2576e819d95ed2df0aafd2370480daa24a3fe6aeb8081a936d5e1f8d8ed

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
14KB

MD5
0cdcde8777d033b979a4a203463598aa

SHA1
1d9606db5ac02e8c9522476b84d828bcc4e1b089

SHA256
eb348868c3c8f10689f92498bab0d212c02347c9c86a51e4fbf784fb720ec61c

SHA512
9da23fe1bbca0e9659724e8f9cffb42932a9a8d1f6c610876e3ed6f8549b2eae7e0d92b3f32f781a3dfe6dbe7cc6a6bfc0d2f10efdc3804439574b0975f68b50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

Filesize
579B

MD5
f55da450a5fb287e1e0f0dcc965756ca

SHA1
7e04de896a3e666d00e687d33ffad93be83d349e

SHA256
31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0

SHA512
19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

Filesize
252B

MD5
c1e0925fde9c516e52f6accc5f932ca9

SHA1
90593ee6053abf416c06a07ed7d1eaab761f73d9

SHA256
1666ba81cfa3dfaa94e9f5b15e989956138bbfbcebcc63f9ac616fadf421a617

SHA512
ec46fbffe522f80aaa779726cd88174a051c31aacbdc0d27c7a2caaafd3163c7fa3ff680242425a379bf4b6920f65a565f7ac2b79c221b111d22e47280c378c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cc31c54d2b0f679a5b15fd5eb1645c8

SHA1
efa23965e5a23e8211bea061d94b9c97c1df10a3

SHA256
19f4713d3854b4be2511d5cb3a5b5bad36e30adc495e7f564e9be39b00447845

SHA512
78a83c60ae2291b5be91007f776e5a43dbbca50fcf9ea6c9f05088d4480da17f3a736f0eb0465a65e38e6562696af2dab7393416649440ec4578a484b71d1ebe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b392980fa4e5b499ade9ba346da74da6

SHA1
209f94ca7dd6c4e061c5d6e0a7b43a1cee94d52b

SHA256
9b26c73781558e1b69ff72d4c2fc9cc092ad2405b7d96f4424a5408b2917e0c2

SHA512
f2b40cb8c01468d08bf9af117ef59f1c72df890084129a8f037917607a97c3e9df1efcda9074a6ffc568fba282ba12becfddde85579238e4fb8b6dcabb72d280

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
171a4729674c58ce0869d7cf9722a36a

SHA1
e5e23ac30bf27a6de69eb5c7625563345ddaf31c

SHA256
45f5cca2ae3ca714ae9fcf4f5702ab1bfb5669927e418ea55c49c6c0eb5e7c2f

SHA512
52383466fc74c0504a3cd51ce79bede64e3e2911f6962efe063da47ac8ab2eb2f32c6f8270cffb0614766077025cb8d60cbd2dd37fe40afa3aa7fb39b0dec8c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9bbb98ee6f003d541899c90d2b00536e

SHA1
002ff9e1eb0aa7ea26c7e97cf21a1d86066764ab

SHA256
2d32d228f78baf2ef509c0a2188fdfea437ed9227743818d5c3e9fcac9cf7d55

SHA512
1959e1c81bd77e57d21c6481e356149466316d529155c8d81d0dc85851cabcfefc088486b1ca4a379271f99ae4432df3b79f3a0d2287f1bc890a8a277ed414f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9723a162bd6894effec3f50b82b6c5f

SHA1
aa5b48a581c9abbba2faf39e04981a47f69dcd14

SHA256
d86f3f52d05917c9f98c101d9fb7efa43c3b36b48b0a652f57305cf55a3b9b46

SHA512
40a5b8fb7dd47fc81caa106c79e3e10134dfa741c1ec3afbd14673d71550d291d87b5998d193e1b3c52ccfbc01c2618141ee2519a898dc2d2dd1f34f221e0f52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c06356d1dbee4fa832db6d81bfafe882

SHA1
9e7a9984cb1477d26c00cb40a96140837428ab4a

SHA256
8b69a3ab950cbc2b3a896a45ad6b05b61599873663b515996219d95e370bede7

SHA512
3b6024cbb5f7f11ef961b5bb0026dac8ed1cf0c5719908658d1f330b0997bf339f34c156b367aa63fdb6dc804ab9e225023054cef13115e8dad2251deea56514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27dd32bd3a9c7b11c093b84783e6d975

SHA1
ea059a36a3cfe2f9773b62aa62123afd165aafc4

SHA256
dc1dc3ce05139892ea92016fc99b4b937f8ef384774916a57378d96b97200660

SHA512
e2262651544dbceb1de9577d516135da5ffa426310fc38817d8d9348a72fa73cf9a63fa004849bf5cdd7d150f5e3cac04377ad75aee257396313c2cc37cd82a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e9a8a6e6f097329c17127a104f50941

SHA1
689fb47c38b6623417b0f3aab0f4029cb02f2c49

SHA256
68ad3f185fa8b8b39dd69a0e1b6b8bb2abd201f77e97b852a91ba0177bd5f900

SHA512
ce298056e7c3189189279ba22afcf2bf50635627545526d67ac93e58ec3433c8819030b38936be39d1ebe5a22e0b6a35559487f637ebf011d15bfd559aecf918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e6e465d6759bcad5225b97b07d58108

SHA1
58fd04f46a185de931e7cd240031e1446fc54df8

SHA256
bed2c7a4641986b7c68e8c6983fb418d49762e2a784bc806732d460629ba5ef0

SHA512
ae36077c1d076da9035c3155613ac484292ee4df103c95f039bb2af23c962e674982e0ffc86cc5970e60f2f4a658d584760cacdb420f7f6e6aa0f6c96ec35098

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cac8453252af1738dcb4ba70bed0c72

SHA1
7f114bb472e79572060be0d9576c6a501a7954b3

SHA256
7a39fcac73df5ecaf4d58efe66bfdeedffbf0da70566c53cf799679261dcd030

SHA512
8d3bbdcbd736a3eaed05ab6a4fccbbad5d2fa7befc18dafee97d35a3535d3ca10c1d335065a1c3bf489731933c8882fd0e11418f506e8c4656cc5723edf50009

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
730cbdae4fb2ad82bafa27d1270cd118

SHA1
57c65c47e3f24096009057947cac99a5161b46e0

SHA256
91dfdcac9780b7a4a3c0dd2da07955140ab1085825a331626b5e2f452d19d846

SHA512
e64d2581577c834481c8365c57ba5ff85ddbabbb75db6d70aa0306c236e23806d913d2986e78a0493993dc9fd173ed2d652349b080d4f6298888fa73442dff54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a74d313579055496cc2cfcf47b1ccf87

SHA1
37397a925758b495405cef00fcbad3adc047618d

SHA256
97017f3cba41c26167671a7db2a9f8ecd971a8cdfcd4383e53f6ac2d950334b5

SHA512
f70033b148ccd4f3e46e5dcf9fed8b6bb1737531141be3b889872656cc70bbce082211fb4767342408ee458a520de5b9ad05b3a8ddb0c3a43e46f921b46c639d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa93c96c2af30ec340b4f226371984d5

SHA1
e1ebbbf433fc104dcc3eba84c115a47c511caacb

SHA256
c64f41671cde36519a21f331286542e9a81a83fc6f0ee521af95b69ee6335d2b

SHA512
79df9321f61f5116459cbe9c8f61d37bf4b92ab2822ceebb223f2acb0da9f9493e6c6557350621ae1e057dea453e733cc5e420cee8987ebfe8f0ab2a654091de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd88cffc736e6d72d5b74b4d6246e3df

SHA1
0e3355722318d44ad56d914cc338eb999754d7be

SHA256
8638d6a197adff9631da606181c968cb65b83660bce6a2ac5342cb56b279a3d5

SHA512
57de9eeb51fdcc78bfe840cd71e56a38fc2f4ad90e7dae37a21ee750a5c753469aeb3862256aa1d87adb5a60a82d2152e9283714a1c51a34bfa1f51591843db2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ea9670ee39e29ec60dfb945ee9ad9d5

SHA1
33b0745b92ba877688102b075fbd6e8397ea30c8

SHA256
02413ae2cd2cc123176dbd47c9a6f22d4ab05131e5e47e9058a36c205f38ad09

SHA512
d6facc7a413aa56d9108c1bad68ec228d4d1aff4a0cd273692de8d829203193563bd4fc871ce804770dcb25a6a6cabfce324e97cf4a7d07d28a6b278ad049031

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1e3b18f5fa966dc33a64ab9d7d614a3

SHA1
58f0a81440c9ee3914dd18dec5f001e88a778a79

SHA256
b232db5e02f5aaa26d4e682024c12e4ca0f838785b51bf75d0e4e8f2f7161af7

SHA512
2ccdfb298ca584cbcd8b21c7c86b66d8bb5aef2574f5f3d1dcc12e991339e10d50921782b1b260915cade34b125ab2750ceb64e02fe6b6ed0928dfed80fdb372

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d837bc3fbe4d2edfe43a1f8fa5c8e7a3

SHA1
bd3e280c5b8a61f8b8b0b42212de2eb4c76218f0

SHA256
dec3fe6f848cd091a8bd4a818bb4b25232926816e2d7c6f0967c875d699214ab

SHA512
d7a2ed215b35bdf577ee51c3523686611af6203a88ed0eb3dd1807dc12de7eadb44328331f5f53ddfa9bb276e1de6d9ab7f6f26d69b0a5f8e682984c8221aa29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12cc634ced36ebd1e9da350533a6c3b9

SHA1
6da38786478d1f3cde505edc99618852eedafadf

SHA256
426c12d1fd1139276f6d857e5172915bd243636ece272846eccd3f04e577dae7

SHA512
fc4d51d510825db81f337c7170c792fd59082c2b80af89e5044fd8f851cf9efce3d346f66ab382e5fc711526bc82def78c793968d4b7d24ca17f703b4c63394f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b25209de90d5c9faad7ca9a4b4b5fb5e

SHA1
f062545b7136758431640405a476f88a6b36091f

SHA256
996e715e6030ff337a0b1e787f969f593a23d1a9d38f6ff730a1d2a8bf63ab32

SHA512
f68400339fe490132824c6f502299f8d6a2036214655bdf24ce802507d616406cf626ccdb3fc3c6bb71b23a8ea038a5268f895a5af0e92aef3b8bf4632bf3f39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d67e8f2fc3779a6b2f39c69e3b04a7c2

SHA1
89c5ca504b81a8e4d290c8dd855c8be3cc0b1404

SHA256
dc0da3fb78c4c842dd195a4bf410783dc4f810893dd01d5e42a80a9736b0f267

SHA512
94d4abf0752dcfa3b8abf25a141a731902430473ba5eea00327a9adda5591a7c3245341b2dcace402e7c5c6446d5d2aeefcf469a70bc0f7b5fbbc87706a4321b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b42e6ee11c7b37acecfa18af9c01142

SHA1
aebbc8c546662e9af4770fc2b304e8c8813b8d11

SHA256
7da7961467b87bea5ce6623bb800d1ac396ffd998fedd803507b7ee17887844b

SHA512
50fe520f8f2b793a1a498dd2658be78db4b21cae5cc0cba55dfb72db891dd2f64ebc00677cc684fbf0281e749dc00921488df4cf51bb71f5b2b19f4c1746b6b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc2c4eca0c20f92ba545446c4715fa68

SHA1
197a171252c06d800a8983c7e435b036337ef86a

SHA256
6a08ff978182c8bdc47d970e2a9ad17e235dc2600fee16c62a2e5cbd06aaeacc

SHA512
e8a261adc9d1944507a7a65ac3ef9d9130f06d99c187e80411d37cb57d618cf4a5e282a10ed5d7fb9df7c44e6105787fe94b2d6652ca1f42a8b69d6caeb6216b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ede80f015a5931e48adf5dd435eddfc

SHA1
080ece1f21b315ad5768958c75a239ab72ce09e7

SHA256
b4d72282f704a3cf62049b71bb6b01d29f0096083f8c92ca72b6541a0eb1aa58

SHA512
aa6515b3840191581b739fb45ae5d1104292c2e37c9e982f10aafe5b81e0969fc81f6e4103b6ef9b187abf707c1d6ae3aad5e50b083a75b18222bb36d8fd9807

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
187e51419bac4549ecc09d3286c4becb

SHA1
0896f5dfec768f9b51ddf0607728f72b23cd359d

SHA256
83c91a47ef459156fddd4f71016b768ea119c1e7df1628bec0c4ba2dc7b28ebf

SHA512
7b6b9ffef30bf51f215ae4bc7a2d5c9074aa31174218978e11f42f55b0447a551006ff991efe79a7f401e536d0603cd550df0006226eb14c4573230c4137e83a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97a2ad3f97c1d579e1cee8b508df1e3e

SHA1
b3d1848f8e36bf32b85931522380d324804de57e

SHA256
c4c219edc09aaf30eeb58f10e0d64788c20485623c4484b3ba45c0f05402f912

SHA512
2fa6b8e5a1b9aca0f3f492e018f9667b9659be9e32f9da47740ecb3cb083990659c1b07fe752a76228ff632a1723dde844be2e3927ae6ef41c331ae408222206

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98335b15766441a8e5330e8cef16734f

SHA1
239d8db885c6f95606c5344a30bc8fcd49cc6eda

SHA256
a447b37cb20fc5a0fd4a01aa2ccdd3b8136f1a68b6d53961bf68e4adc2b73a51

SHA512
c1dddb01b6e54baf78c8d3666e7655ec47c962b96e4a00e98683069b545692d036f5dee8d39f8003095b39a1482e455fdfd356a548d2587966a39520c278fb7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb172468f9e2204a76df1049da160716

SHA1
981ffbdef5d840b961b94e09e3e4f7dcdd49565a

SHA256
8dce93f79c14467e75d529e48fb980c5758cf7f993896cef6bc3edbeca987ee4

SHA512
3b7b92c4b6064404cc5074bb63f930c23c9b7a384873238bf6e264f8dbf0d2745dae8702189e8d6151a40cc498c2daee7b54e09189900808efca20b23db3129e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26c60614f42d2238286851cb0fc5ccfa

SHA1
77e8f815af98a7a276488a3802835d3ca1c53551

SHA256
7b6f2d708bc1d132ca16dc39519311e6a50fa32493b6ff602519944ad62dda5e

SHA512
08118f7e0fb7eaaf931e63d432af48b7e90eadc82905cd53507270106fba1e0c878bb57893d74fca605e04ded5c395f9b32b54e32231f9c183b2c62c13dbb693

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d660a5801e087e12b058695991a2b1a0

SHA1
5d88291e3fcdabf5df871c3f0262c7cebcac4411

SHA256
abe26bcea0b6daf6e4c58c90cd50ce3565e73b3d60f8f92764ce201848a0faee

SHA512
73ed7315db15ff8b9f8ab7cc342c98f3ea0024271442425ee9f332de9d0184fa6dbfc883132624d7efcee658bbc958221f56cd27d5a2e486ed81710be02fed93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7dc7eaec03399f8fdcd1c89d58e109de

SHA1
7e7e19debd7381f93d438b7ff60f742a51763aa3

SHA256
1f8aca89a36d13ae7b2312987a6c1787fbceba70054e73db0fce190e74169fe4

SHA512
a63b29ffb2efb82e11bec4d2a639273bf59076cbd0cdbee8a13737978d06a020bad9c8aeb92be1721f7a41204586da6f85cd14a9d5a1e37507c414208bc4cd2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
154854675366f2d22735af9a3280ae31

SHA1
75150ca4699ccb347b0fbdc0d10817dc283ead70

SHA256
918b4d497a1073acb7ff81dc622bef6e7f12cb985b0610cb774cacc2f3276d9a

SHA512
8e39ffc87d2be1efa3bc5c33670661adb7f34bbbec0eb8dbfcde0e3400eb08bb2a9d3d1dedbc9ada1ee5dcc30fa2c139225537df35848e5a2fcf64a1992e2fe6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a938fed6d2e3fe2c7aafd677affe8a0

SHA1
65a98f4a29fa3e609e064b8bb49ebbbef489ff77

SHA256
c454eedfc9dc682519bc301ad0467408fc7a6819975e54fe050c48c2dd8095aa

SHA512
08d45f50334c3d756ea1f06f8f0b3020cbf95d99a1eb291094853dae4d2b1b8a4d9ef45545ad888bcf96130125aaddf844b4aa87ffa40b2264b4b009f8c9175a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce77d786099c3bf8ae4e1750825bc036

SHA1
2460b969bdc2da5e6ae07d60c95dfec91128e0bd

SHA256
36b22faf5e29192fbd34e4508cc667daadca0ff2caed7e01be19b54f97a083a4

SHA512
d8949edbc4fa0910a2fa06d9320a0e052917e03cb1e1e66cb4a5db358e9cdcc399d649c4ff99efce5b9b67fda29bfdc530b16e509286a81e40854fd8faa7441c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a43749e0c3835f8e9b80669fbea74bbc

SHA1
6e936301c0ae996f5698267f0f04e7572d91cd87

SHA256
007f277794289bf221ba5287e68098b882fc75f3d56e9fbbe4b85db3b9acb752

SHA512
7071e89686e743ec15afc330b0ae571ad39bc78ed9bca29049ec8ac76f801cccf29158dd5cdc57663686149719469e46610c25370633b4bd5003087e3059d9c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c71513542428eac348751c91c9448532

SHA1
9ea1c9d2747f99e970ece11cf759c1318b87d741

SHA256
00e8bf8dbffc5e7e8b3a06d80021ebdfd0d1ee2894a2d54a42d8807cbf3d0643

SHA512
8256feacbdc1d10c9d099881a3312f83d33fe5b6a645db9c721d3669ebe53a868acbcdf7034641126e48280a16bc76aeb7fb392ad082abb6e18c528d6e8f97e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93bde5d4e983afd714070b3038024880

SHA1
10dcdf1b85d2e9d6648d5197931c421c6511c510

SHA256
0ed64cd37ec809f31891b1a3e4e6e9f849141aaa017e46d4e05b84408b1556ae

SHA512
44c766373e197ddf22fe6171c67f74ca88c743aad63e888594061c6182d1e9501d9dbd6591c64784ed7f87041efb5b3502f76e1c4171b86cc37ac18845ad7d91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3461533a964b1a355fc1e4c934dffca7

SHA1
bdbaba04ea2b537713b65d803578431de11ab0f2

SHA256
2083fd934260038febd30e4bc03101aa7dd4ee8e80f838157bd3330780b0e734

SHA512
83c9a9390c9575f18ae397e4f2afb243068d618ac6120b111338a2b840bd3c8ecbdecf783f0ff1ca71b727b188d99e4fb3795e0d9e2aa9ae8e7e14e97e524b46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1cb766f2c482dcc2bb64fc41d555e709

SHA1
066998e625d18494e7272310081d39dab801a081

SHA256
0c74469972d068708d85905eeb31444d874e59e0095562e89b4c2ff0277889a3

SHA512
e36f3c7153d12790bdd7bb51ce10cde46330be8a9aa84432c62d14e1cec7189a077314308e860019435b6045b2f4ea312cd3364c728556204aaaa85f056f8d28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fee2d2e0c9c5e63bd84f6c91cb497c0d

SHA1
5f1f137e22e4c463cb66cd24eb8ad698b5e457e2

SHA256
47151c3f02dbc8248f52ea40718f85b0f1d380140877ab49ecd57db76821b1a6

SHA512
0b57da7da1e9d874f73f39a79f7daf102f4c733671901c649624cbef3f15ece38d1d9c631fcbb8d4f4ccc2843a01a43f36c94b551e3d8630b5ac19de4b60e8c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39b7047361d07f326bc160a8d2bf0f5e

SHA1
22b197b862bffded495024e959faff09303cdb2a

SHA256
db69033a085a13a7aae794c3d6797e259c7b109a874373a3e36abef20e18f78a

SHA512
ecd9e664c8f08eff29de5c49a664cee3deb0fe9b9d9df920f53b91d99fd86e7c2b2f9908324260deb323eeef9ab5930d932ba29309d680b6f5016b72612d2a56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
370536f10a84a07cc9ccf616cae7a7ea

SHA1
9cfe2b5ac36ac52df42946f90a84fa99b6067d7f

SHA256
6904138cf46652f5c600c0a28fc5d29919a2ddec1b40d35df2199827f08eb807

SHA512
4175a17c12148fd019c21294a68c8eaa8849ffe6e61f8e21c815eb3c78fbdb3054eec67ec9192c8832a237b6c6c9868f14cede92ccebc5bc1db7a1eeed2c1de2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b192feb1084df013305dc16e4c7a6796

SHA1
613838deba2f476962ec456c69d8540a95e3e160

SHA256
59291f3210d4ff2f50cec064ea454026debc8428a5d0031d3c3b7ec1e02b085c

SHA512
1de3743293e3d251253d979d24a4eb0d4cd7200b8e8f86c93acb8b7f68a5cfe380e4c16f5f5cd810b29c4d25e48f02cbc62701b71c83bf637014ac16ef85dabd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16b9ff074b50aa18f8425098418db3cf

SHA1
6ddff41acc61b020b9dd1490e7651bc3ae7fc589

SHA256
797963bfc307f1f9f838f941711e409d0c5eaeb875786690047c4e27c119e808

SHA512
ad998ee878424448c53c8e3597451671848173e42240b4a0eadcdba7d85bcfee81bafd2ce119efa5dcf828ff8064e7f8e1b65f14d0b5e59fff1b04b203a97597

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da8c42875980ae708ae960a4756c31f7

SHA1
979a5991877a94cf937d38e756fa812fc69388b2

SHA256
888499c26e9f81ea900ece38e50517562881c00673aeb8b050646af6a1027a4f

SHA512
90051903535f3ee3389102744dabdc2ffbbfff29f5e5438c96fd2daaca99826fbc941cd0b060ca86521df2b90dba4b251738e93227ba9165d0b0786fa2b9b05d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2b6efbad16096d0ebbcfa06ccdec13e

SHA1
2248fe5d3ddc584be092ac60937e9123164112ee

SHA256
1176034070e006ddabb3ea934d37765ebca5423a101188917f3e1fcd38f73a60

SHA512
841a1bab6b3b5b9731bcc8d5713a74cae5bcd1cbe69acc5355f2f368e93eb88906723012efb4a0c0cd07daac9262d205545be1ce013904431d50eeddc6c402cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3eddbcc7a10eb96eb777280e18a30976

SHA1
23a0297fb144d804475b011802ba2c60937db824

SHA256
c16ec06c866729c3614f41d27a69ce9fb944149769e3a0c21bd024e0384eaec2

SHA512
9e38751bc6fa6e02a4e8b84efb118cc752918c0b276d740323d336fe6f4664690d1dcf72788c1ffae4945ef351702a1b0035c799b1e370d4e2251f0027663258

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fb8bef06fbf285fdc0507231c9a01ae

SHA1
9b8d0ae52c590e0c9856e7f0e40801a82efd77fc

SHA256
65093c2db8b1463e0b0d0aada3e4438cbe920814f783af3acb5103caf441909c

SHA512
9dc7a415128d581251e7ea9c5cba2e95384df9af8416d4e827cb5b0440cfd7a27e437417f847af0572375db171dc417601c455f687cd34f31eb65008ed652bb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85773eadcc00b858bcdd72f84e393293

SHA1
1a3397b6becc52d0615222744257f9dde08c7bb3

SHA256
f0d0391015969acb12e038cb60bb42c952eb766f206deb65ea6b1a19965c245d

SHA512
bf09cac70d569083c75aabfc7e7a563f45eed4b82f1c2557e7d06d80823d9621225bfc0b16c53645850fa54e077403af90ad1e4f31ddc2074e04c793a33252f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c755a567a1b4c1651390d767ed646b4

SHA1
d11dd70a8d7b7679c0edfec2aeb9ca5de0acc262

SHA256
a0a2704d00a9c277f88523ec19a67b3a02565d64728a57d97b129a4268d536b8

SHA512
4023389fcf5ecc9a89ed383404bb92955aa50bef6c977ed0ed156c2bad4192a8dae1c06fda3e3aa598f22562c1c17c47c92ad38928426e80f8b7f73a9098f23b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1e04398a-5738-4d5b-8a26-e304fa058aea.tmp

Filesize
310KB

MD5
9ee1fa0c761868ab10a391ec8dc21ddb

SHA1
40b7efd095ab721f9a3e792714c4ceaae529a3ee

SHA256
42a9b8e3ff0c0e67aeaaf32cc416432dc9959574537e4c79a77c70c4906c6fcd

SHA512
2d4aaf4aee14775c8d8a98aea1dfcd79a3513e6789a7eaba8ae0e8de51455ef5b2216d0f85bffb106621becfd2dfdcf0d0699f59df5619edf683470f03d4c6dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
53fc093ded054383a4f9f355102d9938

SHA1
9077f1841653d7331a4ea0d039bd200419345ae3

SHA256
9775931adf647c613326361e2b17f1b690ad9ae132d2907c88203259834f2b8a

SHA512
59bb034d9ae766b39df021b0a13f500bdc56c6e5ecfddb612896baeca8e624ca0887a5555f0f83862258a4e16d9a81f77c7a2ba683f86beb7dbd43d1b0002eef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
985B

MD5
4a58afcb8a6c48aa85072f5f9f15bdb4

SHA1
ac0f21d6efd8a0b49315d2a1545148ccc1fa1732

SHA256
dab08a64508df7bfacf4cfc7c670b9363ba7bb0b0263249732e8efc605b4bb64

SHA512
4199ad59e24655bc205e7a582c5f276c9e79af0593679d4616ddc22284063b971e1b8f4ca8ace25eebc3f60a3cfa90acffbf32c6637d9e49adb90e59ea9ea82f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
985B

MD5
10749f595f9569c4f62b6fcb7af04c89

SHA1
267e1c8b6e6b4935a2516cf7928391442ca4c89b

SHA256
414af056d93301c3f9f3cc8cbc65af4d449d03a4242a77bec4c1ce151d8b5b23

SHA512
1a78aba5401cd5b548671ceb3b0da78d387774bd9a25344285f992168972168f7a5263044aee8196e28e016170fe44f63da7d5d8ef3716487f09c53e0f5815fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
3a03188d5c4e4fef032b3e618b1285ae

SHA1
e8db42e7a5103e01182ad7cee2d8c2a8b2f9b6a9

SHA256
2d8b8ce8d655dc9afafce51992b02e007a7760a8a82688df4b60e80abf6fc3b3

SHA512
c5325eb4014b607fe91440ea473542eec007d0e8a26c5a25aa3de11a8a9ec8aaf39362fe711ae7fa70f1b234ac6a65b07308260b31c9d93b423a10329ae524d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
525B

MD5
6083bf11382de6a4c6d85451b2c13e0f

SHA1
059d1f4a446c1808707ed5d6255c54e154f2b139

SHA256
1d41aa3dc13bca314b51d8b668d53a881f0b0c2633e2a3231bca3dd1a6a3306c

SHA512
0d7d5d974c34717880675b1e881f97c25d83a1dc00d4661340f9299e07df7590d93d71e3b09749dd8cbaf2a8dc194db2ff4a9b9334018fd19650aaf959122f96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ae162ca8696cf2a6de7b13ee1ed3d4ec

SHA1
5806e06c8bbccbb4a62a7768101c14d1a5949a31

SHA256
212266eecfeb0afe501f25bbcdd7714d901694a51f0311828f464a21cd8c871b

SHA512
339d0c36b8a6594d33ab878b94ebfe30be618b33f5a9f203c7a4b286296f3201620a71fddc9dbc2e3ec7b86c9d94f401ba007aaddbbab6ec2c5e3df5d8020737

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fc46dfb9bc381de12b013fc88e6cc589

SHA1
d987bd049df491dfcb22aca645066d6f5229baaa

SHA256
106e5a3b6a32e96dea8d65098b8bcf1b5b71112203be5865039e9b3e768b2aac

SHA512
f0eeedd9e669f8a246d4f0327223efc669b2fed83889e1779a5f5ba1fd85722e00659bd2b2b208225b789e396351c00055920bdd60dc9ebf1907dd1a1ea97720

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fd88e12f18cb473aed33bbe3cb4685c7

SHA1
17ae83de1081c13dd6f597758ff8575b5fe87a23

SHA256
26fbf06ff9e928aee25fab944f08e8e7fa18b944330720b97f44c5de6478ef30

SHA512
ef0d633139e5487293f372ac162437cea7583e1ab9b048bebea53afb8548c0d429b73298c7e3c41ca6eee13c28e58dfc0fbae9856ef8c9c67ce314e4733f72fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
310KB

MD5
beded758cf2a7b3568e26202f0036e94

SHA1
dbe9abc911c2ab14fe4e3335d491a9d4511cbb99

SHA256
eaeaf07caf25ab4dac2755aa1a1f8d65acd5822fb1c7a700cfb8f8fc374fe268

SHA512
9680baa377e6cf107ad36108fc995ec330dc24a62214fc00337a2817f1bed3282062eaab14b9f9cd0efe64324872b60817b686a1336161644a747505412f7a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\p6d9oj1\imagestore.dat

Filesize
4KB

MD5
bd33ed6e18a2f3c4b4ecf1fca894380a

SHA1
68faa6c4e62db5763cfea19b08c7c8e8610c44e9

SHA256
c8cf4260420b69854ec606b0c627b6dfbf65907554224108cc42ebcc43ab1682

SHA512
2f3d33b676c4ff29cf97c2b2f4f9efa54f5f423b0ce1cc2aa2f523a5b95d93545247221b7eff7ae7dc219d061f117918e5a4e33746424a18c70c1afbb4c1721c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\p6d9oj1\imagestore.dat

Filesize
8KB

MD5
83f0b6032fc3801600ad63ca0ca52731

SHA1
75fb807902c97d5357fdb2da981e73ac44f3d6e3

SHA256
e1a3c7a4f23840d20c3e3f2c6aa8547dd6ede1a56992101ba6daaee649db2abc

SHA512
da0a9f75b5ec14c13a5f682c8ba6e18295dfe48eb07678af8ab8ef4a9f624e9595b807ce3869aa09c8aaeb5a81462664443174a0e4779bbaf9e8b16e6c5b8283

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JQ7VMQEC\favicon-white-bg-gra-mg[1].ico

Filesize
4KB

MD5
1b2e930dc951afa4ba383c3de3a0acff

SHA1
6161c6bc8a5f6749cd2214b1b8a7e6e0076aba8d

SHA256
7fbaf1ec043e86d88cfd6d8058f27c4a5de4d48a887ecfe04a3ff389a39da62d

SHA512
d63014030e78f429f3abd14408c826ff32c7f75117c9d6493544f3ed69e775b75a6bac684fc602318e03c1dbad85fad6660a88fe627dbb1749e973a87d428ae9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nndpnsl0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
927d7b7fdc6b8d57f6fac999f96d0040

SHA1
bc90bfaba7a1f2afe3f2e45353a7ac4133edb558

SHA256
8a8e5716cfddcfd950e6c2cb742868637cf5ab75aa85ebaa2126f5ba7324e61d

SHA512
949f25bff801ef57910b632c16b4e6ab69708d85297052e66e1242fe93f82fec712af7e6cda0aa2cfd8778b4a21a3199c98f44f82c41f68a4b852caa29fd9c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab73AD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar74F7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\AN5L7KMM.txt

Filesize
881B

MD5
9938393a86bdbbf5d81e3b6b52087d74

SHA1
399e5114eabe68ca1c37e4d0efddf53c8adf5ca6

SHA256
a2d551760091f15f894b555013b1b15dfec1ff61e889d23fdd58c0e4275dc4a7

SHA512
a2d77572ee06ff83ced95e91ec87cce197094415b763cd8dac42438066e1768ff23d67864f9e22b48acd6ddab53054e75cdcd081ce8fd97e8a68753179a80547

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XGZJ337G.txt

Filesize
960B

MD5
483bf40f8218395232194b3bde783d72

SHA1
e88300155f420b0c122db2cec427dc9cc1f2fb55

SHA256
5b8d1662c44b14ba6f1eaf7fb7da3c54c36cf038365a955c5473ba555e36d94a

SHA512
8b7212a72dbad63b639f74b8afe8136056cc880d405034d5da1893f384fb3590fea45c2f32be717455ce890e7abd8037c27185b59722e13c384d6e2d1c054a68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
18afd465da07085c77e4daf889bdfa4f

SHA1
c1209352db929456750fb7b09b22902da7ee9a24

SHA256
75a4d5a72bdd440ad2ccc0790aa2d12a2b4dfa92ce4048f0462e2dac5ca191bf

SHA512
82ee00d7d122140d45c37d0f57dff7260346a3e6f3409f43d5b30f5610ce1d4aefbe8c8b5ce34c34841b030733f96056475ef2a72a206dc3cb22954719d396bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\pending_pings\194f7d1f-57ba-4192-9ca2-e11cc318d30d

Filesize
11KB

MD5
f4f12b72c1c2450049aba081f4fa2620

SHA1
a1328bbfb2c05b8584288f7b8ff5e467f04bdbf2

SHA256
82ae29bae755f1cb41d4b18515e9d7295dade5e449a3bdd79ebacf63fdb8f426

SHA512
875b0d5074ac83b08d7bd764cfedf7977ba04cfd1b59b9047b74354f23971f9e6feca0bc8430097440c45054bc67be22e448dd6192345b0eca49b10ddb8bba46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\datareporting\glean\pending_pings\b3b8f274-6fa2-45d3-821a-2c8a8a548332

Filesize
745B

MD5
5f953609656d8b7b4016a4d4e5083f13

SHA1
25dee6bb0371d1980a090b1b040e362d9ed613b7

SHA256
f2cbbf3a84d1bd8be69667b497db6dc4ec11a6399b0f451bebbc0da6e6005de4

SHA512
6df67591626590a0a3431d7faecbcb73e464d849e98218a347b2d1500e19b5bd577618bd23079605627110cccc3c9f1239ba423f25489d6ad327b63226975368

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs-1.js

Filesize
6KB

MD5
0dc86605cbd437baf9bde920bc639bbc

SHA1
f974096d6601257ecb7c05e67a061faf141a55c4

SHA256
7f02411319ba5e9394a6829f090b3e14ecc3752082bdbcd1541e1f83a587d2ec

SHA512
83f26a90d518906ea19c71b853f383dcef9be1ea2aef2a8a418ec05ea2bd5e13e56f7f615f6ec81af6112aeeab81ab5cc426be23ab3ffd09427fbd8eb721ebfd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs-1.js

Filesize
6KB

MD5
8a075651b7533fcd48d610f415d44630

SHA1
56836cf40b78c638f5b04b6b4aec942e76e8e310

SHA256
3a78cdbb97b553bed6c71923b49c780c0285f7c687a10a6aa1fd0580080c47a4

SHA512
f263f0468290f94b92ee1edb13a0ef0a8ce984191c2d51c0c645266cfb4f61cf918de31c9addbd268c0a9d2ed70cad95539accd7f0dc5da9be3432caf67f95be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\prefs.js

Filesize
6KB

MD5
b28b76e4c8f4e65963877c9d07837d6f

SHA1
d5c725b9dbd53640dd5920b2ae15a6ce2e2d7f01

SHA256
2ba742ac910f1315279a714a3def80aa3c67e5d649f0e06bc94dec7934fefe01

SHA512
db619be3648e6daa5700d2da645666cff5dd389fa246c109977fc8eb5da0df0eaa06a154525c481826ebc4cb5bfa1859fef3346b68e9db4c58a03c96111fdf46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
bceeb761fcc581cf3d25868b346fba10

SHA1
4ce4604c336188accfd860087de5d085ea959d85

SHA256
be4c08b842a8c163de8c1ddea8a623fe10ff62f4239716920705301b3f4bd2a0

SHA512
517bfe1e9c2016f59a39bd6a0841f7355f6bbdadf27842965f63f475881492e2cb30c11fd498dac43ff000a9864c721b794dbb0732d825bc6933df3d8944c5ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
948B

MD5
c35cf3c3ab1e538650c5157cc3670d62

SHA1
ad74a764cac527ad677c623736d8f8d697d0a82a

SHA256
c2eaf91af7c52196b6da3993b2828f1637f15cb6305a382060af995b770dab47

SHA512
959b02588b37803503c37c2c105033c6be250aaee0ed9271e5aa0aca5da90b626087121d05e8ea8a1c6328f9dd8b1a327bbbf9e7c4d89dcd9413c3956de04c34

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nndpnsl0.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
4a7e4f303cbbf3727f55ff0352c02c39

SHA1
4ed76ef4d25a4015e0c9b5977e643192ff2e0462

SHA256
348c9868affa17eca8c2df53fbb58505da39cea87e1a551c086c2c0edf3e8ebc

SHA512
a08853ab93db0633ef2a1913bb571c61c03dbb35bec5c4464084cee6d5a926cbc16ec169d7d6dc705c636525ea85c7b3f4aa48248eaf678152e160f97cdb2aed

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
49faa9dd4dd623bedbc6179f7fa62ae2

SHA1
f236f7c0711e8c3b2fbaecbb12095c4301dcede5

SHA256
e97c162f153fdc2b725155b23d813beea2f661931f0e20b489f4f170e8a6fc75

SHA512
f42cf5855ec7d78ce27ade755171c08bd8fa3281da84f7bdaf840c9186863e3e64cb09c5d9228af2969c6d0e48641622513af0ff20db6d2ef0008fb8f80a8f4e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
871c0dfc81219deb668fe05a1c1133e3

SHA1
7c1fae7c2984a0a88a9f1b7f6e2d85093f592a6f

SHA256
bc23f0bf556e954a2ebfe69044707336bc86b08cd4cfddde396f31f72776ec0e

SHA512
fe9516ffbb879c777e4d6197b7f011caa77b6d5553e8bc9143c50074b2044caf6311bf3c1cba1cce2083e85768d86c752ac2c84d60e6c75350eea6525cbf0ea6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca18262f8e1997034f23ce32a3bfa7c4

SHA1
0beda8d1c3026d5097e7de3780bdbc5b347168a8

SHA256
923ca4ac1c39feb313036a4ea48045259db2809fec6f51b8d64aebef2206e334

SHA512
0e3869207f2fc479f6b57ee914f9b0d5f38b3fea3563079079fc56ad7d4ab6c9977a21745785cb5ae9f00305a136c3aef7132fafa4bdc802225fe723fcf48396

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3734feeed310e210f04bbadb06fdacaf

SHA1
9004e5464c05fc14ae71b02919167bf672193373

SHA256
7273d672d7f34936fa88da104e7e1266c6ee9e73886ca0f9b3bcd090e1c7cacb

SHA512
afd910d6e545c8a5ec7d7fbb31cdc7a15ea882358646c334dcf50763c4a9bcade8a3796996e5361dde6bddeac7579f6775ece12340118c202459d18427126583

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29e6bee933c3b2db2c515eb5d0e4bb09

SHA1
d9764f8fc6fe58915009729d637720fa6aa549a4

SHA256
dcbf158318de3840d2d10ffb845aa487e8278cd59519927e23b52dc90c7abbab

SHA512
9225112c3491f5548d79ea85b03b8fefd2e0531d9ed5252098b19e64284d918ae70869a91afe13036e5553c7241a0b0e255faf9653de6fa02d77d25cae3855ee

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b69adec5fa4dd245d085708cec76b9e

SHA1
d5c85e6f5a752e0fbec9ea87538b267bbbfcde81

SHA256
0c13b46fb2acd7fbd51fc29678c367a588a8f1cd7a1fd68a9fc9f137b56e8828

SHA512
d40084e09f003311f29baddcee4047bd4f1b62c496835e630e02ef6dd8a4014cb18c9cd9e5b9a38a6488f329d1a9f9550f3c3add189cd60c6628b93d94745e08

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ef949354a5457573356c6a7fd2e1176

SHA1
9d8b6d69907c562eb9139d2df6eef63d14854cb5

SHA256
c4938e148b2cbdf0ef561b15aa5ed2119cf5fd387845883f75cf6a07973d2dd8

SHA512
58e345b6f06dd6b929cff7e0816d4e886ad20ab4dba02c7122191a28f5fb5caf8fcd87e25ead2b1e27bc0682d11292254c49bf89aaff5d01cbefb473910499e8

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc16e2e845cf6466ea035a84333317a4

SHA1
947f617db93fcbc082dd8ce9a7edcaf4bbf2751c

SHA256
7d7e3c208ff17fcb4621cab093d9449318615d507908400a690a094585f88094

SHA512
dbd7d82d62d2018d57d97333705aee2b005dc058497f8bd80f56e1853a63617d0b0047faab2a44c62612781b5ce39d01b64e3322da746833cf77839f6700b412

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77b83e4abb5b3eb5da9edd5dc2dcf044

SHA1
b640d31f3a2ff5a62d43ca3dfc8cbeededda6df2

SHA256
7600482106d5ccdf27ab8b129aa40881b6cb816eabf5443de18e589b411157e0

SHA512
2c9fcf907bcca16724974f0b11f87b7d2fbcce7b9025432fd0052a9579ee7da5a05f702982c5e5751706e4e77f7fe5d703e052c03452f5c3c9a7cb2d82990a2d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e05e9ab822b9ffdd94a75a75d19b3618

SHA1
2595f3f311af64585a2abf6757b8dfe1471805a1

SHA256
8ad3a5ac8dcba6026c8fdd70fa9d2d1e28db017b253d69acd9bbda3785f8b5c6

SHA512
0a6de824328c1751fa7bf279c44bbe0f3400865135b65db0245791110155723d8674ae0962fb3b6e9918cc73860b5774cf0e0edba45daaecdeb46cc5b7837f53

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7ca49295d7cf3eac3d8072ae6e0dca8

SHA1
39579c9d662c8d1a08f6534230a7f4ac1cd5f23c

SHA256
62b3d0230ec3adc575384d0d3d1fb07ff97429bb41351438ee3f3b4f042f3d5b

SHA512
b295779842640605fa1f3219017f6aecf777112f6626a3bd5e1aba24e9afa7b28e40a9531b1884fa434a7622df1fdc70db9a24740c4fd8cdbb13b4bbe28872ed

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4391053dfb95b3bdf11fd760b5b593b7

SHA1
a848795e868be8a3aa494867af32c84a08dba4d5

SHA256
6d3c92059a971e904e6054f07d4fbfe012d0b59e77d0d94b09dd1c06bd6ed15a

SHA512
baa0329bf7d44e90c78cb7731a164a399a68c04a1ee946e49f1ff6ef64cb23ec3ad4d2064e0cba6f143c32c2d82d65f96f77fc67df941841347283cbd17ae3d3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d258dd58fe4fcadfd7b9f61361f538ca

SHA1
6c71b8100d09b5ba22ca23fe895be0cc916732ed

SHA256
0a1ce43945f9016787b6edd2d3ba4385607eedb2fd5febd0b8b6e7607f0a3310

SHA512
e47e0af448f29f2cb8f072d8961568def019513f912ca04b03e09648e8895d01b8d40f6ebfc31953403c92ba749c054a7be8fa3d13c51a05decde1151978d16e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
cf9d333162bbefc6f2651017ef3e1ab2

SHA1
806a4b067e056a1ed07a48e718853c589c511043

SHA256
e1de80c08c2a15d1cfac022f6ee54685e275f3f1eba2a7f2d1a562395a470f64

SHA512
dbd1b3b672e8402925ccbc8f6f33cb19ba74725871637f1ebb87ae1743030cafc1133243ebea62c93764dbfff8734eadfe8f0293912301ce22f99ec1a62d398c

Download Submit
\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
4dc57ab56e37cd05e81f0d8aaafc5179

SHA1
494a90728d7680f979b0ad87f09b5b58f16d1cd5

SHA256
87c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718

SHA512
320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b

Download Submit
\Program Files (x86)\Microsoft\Temp\EU1FD0.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
4a1e3cf488e998ef4d22ac25ccc520a5

SHA1
dc568a6e3c9465474ef0d761581c733b3371b1cd

SHA256
9afbbe2a591250b80499f0bf02715f02dbcd5a80088e129b1f670f1a3167a011

SHA512
ce3bffb6568ff2ef83ef7c89fd668f6b5972f1484ce3fbd5597dcac0eaec851d5705ed17a5280dd08cd9812d6faec58a5561217b897c9209566545db2f3e1245

Download Submit
\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
5.5MB

MD5
24591f85e9569269a3b822d0da2e0626

SHA1
62641ade4943b93983b4e59ffd6ee4dcbd77c17e

SHA256
d29bcf294dd77568fd173adac8c705d991482d645127baccb7efca20f560a5a2

SHA512
d0bfe43ece2c598a12fe7d3f2cd12e0685b639aec0fc7a1bbdf0829b886c22208e4236500d8e6540d7faef1514769b87bbdc666602c5548649e50aa61f2077de

Download Submit
\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe

Filesize
1.5MB

MD5
610b1b60dc8729bad759c92f82ee2804

SHA1
9992b7ae7a9c4e17a0a6d58ffd91b14cbb576552

SHA256
921d51979f3416ca19dca13a057f6fd3b09d8741f3576cad444eb95af87ebe08

SHA512
0614c4e421ccd5f4475a690ba46aac5bbb7d15caea66e2961895724e07e1ec7ee09589ca9394f6b2bcfb2160b17ac53798d3cf40fb207b6e4c6381c8f81ab6b4

Download Submit
memory/1152-6164-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/1152-6628-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/1152-5902-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/2756-6134-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/2756-5899-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/2756-6625-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3184-6637-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3184-5900-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3396-6645-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3396-6653-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3396-6665-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3396-6669-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3396-5901-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3396-6673-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3396-6677-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3396-6634-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3396-6657-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3396-6661-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3396-6649-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3396-6638-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3968-5753-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3968-6647-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3968-6659-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3968-6671-0x00000000714F0000-0x0000000071700000-memory.dmp

Filesize
2.1MB

Download
memory/3968-5752-0x0000000000DD0000-0x0000000000E05000-memory.dmp

Filesize
212KB

Download