Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 1030s
max time network: 1023s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/09/2024, 20:04
Static task: static1
Behavioral task: behavioral1 (Sample: Bootstrapper.exe, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: Bootstrapper.exe, Resource: win10v2004-20240802-en)
General
Target: Bootstrapper.exe
Size: 796KB
MD5: 5f16b82a8b62d4cc9d6ce02f44e34109
SHA1: be96254773cba2c6f0b88e51319802b1c6394beb
SHA256: 1621a516abb8ecf9459c9dec83f7fb9beb07af1f79511dfe0b3c622297ffa940
SHA512: 956d983c7f076b176bfd1952e691e2d363c332dba317645ce991c9bb2f4ddd89771f0d035cbb70ab420b9dd906b3a6d0aecc6c8243ba6a4ac70979cebb00986b
SSDEEP: 3072:nTaFZMwaCyYwC+M2FEv80IZOA/CyYwC+M2FEv80IZOAu80IZOA4:lhY7X2Kvh4hY7X2Kvhlh
Malware Config
Extracted family: lumma
https://tenntysjuxmz.shop/api
Signatures

Command and Scripting Interpreter: PowerShell (1 TTPs, 3 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
2828 | powershell.exe
4276 | powershell.exe
2952 | powershell.exe
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
Checks computer location settings (2 TTPs, 6 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | Bootstrapper.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | soles.tmp
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | AutoIt3.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | BootstrapperV1.16.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | BootstrapperV1.18.exe
Key value queried | \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation | MicrosoftEdgeUpdate.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (27 IoCs)
pid | Process
904 | soles.exe
2128 | soles.tmp
4420 | soles.exe
3508 | soles.tmp
4492 | AutoIt3.exe
212 | AutoIt3.exe
4384 | BootstrapperV1.16.exe
2392 | BootstrapperV1.18.exe
5004 | RobloxPlayerInstaller.exe
916 | MicrosoftEdgeWebview2Setup.exe
4400 | MicrosoftEdgeUpdate.exe
4180 | MicrosoftEdgeUpdate.exe
3000 | MicrosoftEdgeUpdate.exe
448 | MicrosoftEdgeUpdateComRegisterShell64.exe
1548 | MicrosoftEdgeUpdateComRegisterShell64.exe
3444 | MicrosoftEdgeUpdateComRegisterShell64.exe
3752 | MicrosoftEdgeUpdate.exe
4336 | MicrosoftEdgeUpdate.exe
5020 | MicrosoftEdgeUpdate.exe
2312 | MicrosoftEdgeUpdate.exe
4280 | MicrosoftEdge_X64_128.0.2739.67.exe
3140 | setup.exe
3436 | setup.exe
1896 | MicrosoftEdgeUpdate.exe
3200 | RobloxPlayerBeta.exe
4700 | RobloxPlayerBeta.exe
4764 | MicrosoftEdgeUpdate.exe
Loads dropped DLL (32 IoCs)
pid | Process
2128 | soles.tmp
3508 | soles.tmp
2452 | MsiExec.exe
2452 | MsiExec.exe
4504 | MsiExec.exe
4504 | MsiExec.exe
4504 | MsiExec.exe
4504 | MsiExec.exe
4504 | MsiExec.exe
4304 | MsiExec.exe
4304 | MsiExec.exe
4304 | MsiExec.exe
2452 | MsiExec.exe
4400 | MicrosoftEdgeUpdate.exe
4180 | MicrosoftEdgeUpdate.exe
3000 | MicrosoftEdgeUpdate.exe
448 | MicrosoftEdgeUpdateComRegisterShell64.exe
3000 | MicrosoftEdgeUpdate.exe
1548 | MicrosoftEdgeUpdateComRegisterShell64.exe
3000 | MicrosoftEdgeUpdate.exe
3444 | MicrosoftEdgeUpdateComRegisterShell64.exe
3000 | MicrosoftEdgeUpdate.exe
3752 | MicrosoftEdgeUpdate.exe
4336 | MicrosoftEdgeUpdate.exe
5020 | MicrosoftEdgeUpdate.exe
5020 | MicrosoftEdgeUpdate.exe
4336 | MicrosoftEdgeUpdate.exe
2312 | MicrosoftEdgeUpdate.exe
1896 | MicrosoftEdgeUpdate.exe
3200 | RobloxPlayerBeta.exe
4700 | RobloxPlayerBeta.exe
4764 | MicrosoftEdgeUpdate.exe
Blocklisted process makes network request (2 IoCs)
flow | pid | Process
97 | 3568 | msiexec.exe
99 | 3568 | msiexec.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | RobloxPlayerInstaller.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\S:, \??\U:, \??\X:, \??\B:, \??\G:, \??\I:, \??\Q:, \??\W:, \??\E:, \??\J:, \??\N:, \??\T:, \??\Y:, \??\Z:, \??\A:, \??\K:, \??\R:, \??\O:, \??\P:, \??\V:, \??\H:, \??\L:, \??\M: (one entry per drive letter) | msiexec.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 6 IoCs)
flow | ioc
80 | pastebin.com
81 | pastebin.com
87 | pastebin.com
18 | raw.githubusercontent.com
19 | raw.githubusercontent.com
75 | raw.githubusercontent.com
Checks system information in the registry (2 TTPs, 10 IoCs)
System information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe (5 entries)
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe (5 entries)
Enumerates processes with tasklist (1 TTPs, 6 IoCs)
pid | Process
3948 | tasklist.exe
4504 | tasklist.exe
3860 | tasklist.exe
4724 | tasklist.exe
3132 | tasklist.exe
3520 | tasklist.exe
Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
pid | Process
3200 | RobloxPlayerBeta.exe
4700 | RobloxPlayerBeta.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (36 IoCs)
pid | Process
3200 | RobloxPlayerBeta.exe (18 entries)
4700 | RobloxPlayerBeta.exe (18 entries)
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 212 set thread context of 2564 | 212 | AutoIt3.exe | 135
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (21 IoCs)
description | ioc | Process
File created | C:\Windows\Installer\e5e45e4.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8556.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5A4A.tmp | msiexec.exe
File created | C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8266.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{EFA235B5-C6A1-42E6-9BC9-02A8D56F1CDC}\NodeIcon | msiexec.exe
File created | C:\Windows\Installer\e5e45e0.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5e45e0.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4825.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4FE6.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5229.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5249.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI5A1A.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8217.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8370.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI47E4.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4814.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 27 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | soles.tmp, AutoIt3.exe, cmd.exe, MicrosoftEdgeWebview2Setup.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, Bootstrapper.exe, soles.exe, MicrosoftEdgeUpdate.exe, soles.exe, MicrosoftEdgeUpdate.exe, AutoIt3.exe, MicrosoftEdgeUpdate.exe, powershell.exe, PING.EXE, soles.tmp, MsiExec.exe, RobloxPlayerInstaller.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, powershell.exe, MsiExec.exe, wevtutil.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, powershell.exe, MSBuild.exe (one entry per process)
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 5 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
528 | cmd.exe
1632 | PING.EXE
3752 | MicrosoftEdgeUpdate.exe
2312 | MicrosoftEdgeUpdate.exe
1896 | MicrosoftEdgeUpdate.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | AutoIt3.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AutoIt3.exe
Enumerates system info in registry (2 TTPs, 8 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer | RobloxPlayerInstaller.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | RobloxPlayerInstaller.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | RobloxPlayerInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox | RobloxPlayerInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" | RobloxPlayerInstaller.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio | RobloxPlayerInstaller.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" | RobloxPlayerInstaller.exe
Modifies data under HKEY_USERS (46 IoCs)
Modifies registry class (64 IoCs)
"{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}" MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\PROGID MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\ProgID\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ = "IPolicyStatus3" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F} MicrosoftEdgeUpdateComRegisterShell64.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1632 PING.EXE -
Suspicious behavior: EnumeratesProcesses 34 IoCs
pid Process 4276 powershell.exe 2828 powershell.exe 2952 powershell.exe 4276 powershell.exe 2828 powershell.exe 2952 powershell.exe 3508 soles.tmp 3508 soles.tmp 2392 BootstrapperV1.18.exe 2392 BootstrapperV1.18.exe 3568 msiexec.exe 3568 msiexec.exe 5044 chrome.exe 5044 chrome.exe 5004 RobloxPlayerInstaller.exe 5004 RobloxPlayerInstaller.exe 3200 msedge.exe 3200 msedge.exe 4948 msedge.exe 4948 msedge.exe 1512 identity_helper.exe 1512 identity_helper.exe 4400 MicrosoftEdgeUpdate.exe 4400 MicrosoftEdgeUpdate.exe 4400 MicrosoftEdgeUpdate.exe 4400 MicrosoftEdgeUpdate.exe 4400 MicrosoftEdgeUpdate.exe 4400 MicrosoftEdgeUpdate.exe 3200 RobloxPlayerBeta.exe 4700 RobloxPlayerBeta.exe 4764 MicrosoftEdgeUpdate.exe 4764 MicrosoftEdgeUpdate.exe 4764 MicrosoftEdgeUpdate.exe 4764 MicrosoftEdgeUpdate.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
pid Process 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process
Token: SeDebugPrivilege 2828 powershell.exe
Token: SeDebugPrivilege 4276 powershell.exe
Token: SeDebugPrivilege 2952 powershell.exe
Token: SeDebugPrivilege 3452 Bootstrapper.exe
Token: SeDebugPrivilege 4504 tasklist.exe
Token: SeDebugPrivilege 3860 tasklist.exe
Token: SeDebugPrivilege 4724 tasklist.exe
Token: SeDebugPrivilege 3132 tasklist.exe
Token: SeDebugPrivilege 3520 tasklist.exe
Token: SeDebugPrivilege 3948 tasklist.exe
Token: SeDebugPrivilege 4384 BootstrapperV1.16.exe
Token: SeDebugPrivilege 2392 BootstrapperV1.18.exe
Token: SeShutdownPrivilege 3768 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3768 msiexec.exe
Token: SeSecurityPrivilege 3568 msiexec.exe
Token: SeCreateTokenPrivilege 3768 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 3768 msiexec.exe
Token: SeLockMemoryPrivilege 3768 msiexec.exe
Token: SeIncreaseQuotaPrivilege 3768 msiexec.exe
Token: SeMachineAccountPrivilege 3768 msiexec.exe
Token: SeTcbPrivilege 3768 msiexec.exe
Token: SeSecurityPrivilege 3768 msiexec.exe
Token: SeTakeOwnershipPrivilege 3768 msiexec.exe
Token: SeLoadDriverPrivilege 3768 msiexec.exe
Token: SeSystemProfilePrivilege 3768 msiexec.exe
Token: SeSystemtimePrivilege 3768 msiexec.exe
Token: SeProfSingleProcessPrivilege 3768 msiexec.exe
Token: SeIncBasePriorityPrivilege 3768 msiexec.exe
Token: SeCreatePagefilePrivilege 3768 msiexec.exe
Token: SeCreatePermanentPrivilege 3768 msiexec.exe
Token: SeBackupPrivilege 3768 msiexec.exe
Token: SeRestorePrivilege 3768 msiexec.exe
Token: SeShutdownPrivilege 3768 msiexec.exe
Token: SeDebugPrivilege 3768 msiexec.exe
Token: SeAuditPrivilege 3768 msiexec.exe
Token: SeSystemEnvironmentPrivilege 3768 msiexec.exe
Token: SeChangeNotifyPrivilege 3768 msiexec.exe
Token: SeRemoteShutdownPrivilege 3768 msiexec.exe
Token: SeUndockPrivilege 3768 msiexec.exe
Token: SeSyncAgentPrivilege 3768 msiexec.exe
Token: SeEnableDelegationPrivilege 3768 msiexec.exe
Token: SeManageVolumePrivilege 3768 msiexec.exe
Token: SeImpersonatePrivilege 3768 msiexec.exe
Token: SeCreateGlobalPrivilege 3768 msiexec.exe
Token: SeRestorePrivilege 3568 msiexec.exe, then Token: SeTakeOwnershipPrivilege 3568 msiexec.exe (this pair is listed 9 times)
Token: SeShutdownPrivilege 5044 chrome.exe
Token: SeCreatePagefilePrivilege 5044 chrome.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3508 soles.tmp 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe -
Suspicious use of SendNotifyMessage 48 IoCs
pid Process 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 5044 chrome.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe 4948 msedge.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 3200 RobloxPlayerBeta.exe 4700 RobloxPlayerBeta.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3452 wrote to memory of 4276 3452 Bootstrapper.exe 86 (3 entries)
PID 3452 wrote to memory of 2952 3452 Bootstrapper.exe 87 (3 entries)
PID 3452 wrote to memory of 2828 3452 Bootstrapper.exe 88 (3 entries)
PID 3452 wrote to memory of 904 3452 Bootstrapper.exe 97 (3 entries)
PID 904 wrote to memory of 2128 904 soles.exe 98 (3 entries)
PID 2128 wrote to memory of 4420 2128 soles.tmp 99 (3 entries)
PID 4420 wrote to memory of 3508 4420 soles.exe 100 (3 entries)
PID 3508 wrote to memory of 3696 3508 soles.tmp 101 (2 entries)
PID 3696 wrote to memory of 4504 3696 cmd.exe 103 (2 entries)
PID 3696 wrote to memory of 1496 3696 cmd.exe 104 (2 entries)
PID 3508 wrote to memory of 1972 3508 soles.tmp 105 (2 entries)
PID 1972 wrote to memory of 3860 1972 cmd.exe 107 (2 entries)
PID 1972 wrote to memory of 208 1972 cmd.exe 108 (2 entries)
PID 3508 wrote to memory of 732 3508 soles.tmp 109 (2 entries)
PID 732 wrote to memory of 4724 732 cmd.exe 111 (2 entries)
PID 732 wrote to memory of 3268 732 cmd.exe 112 (2 entries)
PID 3508 wrote to memory of 3960 3508 soles.tmp 113 (2 entries)
PID 3960 wrote to memory of 3132 3960 cmd.exe 115 (2 entries)
PID 3960 wrote to memory of 4380 3960 cmd.exe 116 (2 entries)
PID 3508 wrote to memory of 4360 3508 soles.tmp 117 (2 entries)
PID 4360 wrote to memory of 3520 4360 cmd.exe 119 (2 entries)
PID 4360 wrote to memory of 5088 4360 cmd.exe 120 (2 entries)
PID 3508 wrote to memory of 4452 3508 soles.tmp 121 (2 entries)
PID 4452 wrote to memory of 3948 4452 cmd.exe 124 (2 entries)
PID 4452 wrote to memory of 2288 4452 cmd.exe 125 (2 entries)
PID 3508 wrote to memory of 4492 3508 soles.tmp 126 (3 entries)
PID 4492 wrote to memory of 528 4492 AutoIt3.exe 130 (3 entries)
PID 528 wrote to memory of 1632 528 cmd.exe 132
Processes

C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe  (depth 1)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3452
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 2)
    cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Sola'"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4276
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 2)
    cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop'"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  (depth 2)
    cmdline: "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
  C:\Sola\soles.exe  (depth 2)
    cmdline: "C:\Sola\soles.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:904
    C:\Users\Admin\AppData\Local\Temp\is-B19E9.tmp\soles.tmp  (depth 3)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\is-B19E9.tmp\soles.tmp" /SL5="$9029E,10256339,804864,C:\Sola\soles.exe"
      - Checks computer location settings
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2128
      C:\Sola\soles.exe  (depth 4)
        cmdline: "C:\Sola\soles.exe" /VERYSILENT /NORESTART
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:4420
        C:\Users\Admin\AppData\Local\Temp\is-JKPJM.tmp\soles.tmp  (depth 5)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\is-JKPJM.tmp\soles.tmp" /SL5="$A029E,10256339,804864,C:\Sola\soles.exe" /VERYSILENT /NORESTART
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          PID:3508
          C:\Windows\system32\cmd.exe  (depth 6)
            cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
            - Suspicious use of WriteProcessMemory
            PID:3696
            C:\Windows\system32\tasklist.exe  (depth 7)
              cmdline: tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
              - Enumerates processes with tasklist
              - Suspicious use of AdjustPrivilegeToken
              PID:4504
            C:\Windows\system32\find.exe  (depth 7)
              cmdline: find /I "wrsa.exe"
              PID:1496
          C:\Windows\system32\cmd.exe  (depth 6)
            cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
            - Suspicious use of WriteProcessMemory
            PID:1972
            C:\Windows\system32\tasklist.exe  (depth 7)
              cmdline: tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
              - Enumerates processes with tasklist
              - Suspicious use of AdjustPrivilegeToken
              PID:3860
            C:\Windows\system32\find.exe  (depth 7)
              cmdline: find /I "opssvc.exe"
              PID:208
          C:\Windows\system32\cmd.exe  (depth 6)
            cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
            - Suspicious use of WriteProcessMemory
            PID:732
            C:\Windows\system32\tasklist.exe  (depth 7)
              cmdline: tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
              - Enumerates processes with tasklist
              - Suspicious use of AdjustPrivilegeToken
              PID:4724
            C:\Windows\system32\find.exe  (depth 7)
              cmdline: find /I "avastui.exe"
              PID:3268
          C:\Windows\system32\cmd.exe  (depth 6)
            cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
            - Suspicious use of WriteProcessMemory
            PID:3960
            C:\Windows\system32\tasklist.exe  (depth 7)
              cmdline: tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
              - Enumerates processes with tasklist
              - Suspicious use of AdjustPrivilegeToken
              PID:3132
            C:\Windows\system32\find.exe  (depth 7)
              cmdline: find /I "avgui.exe"
              PID:4380
          C:\Windows\system32\cmd.exe  (depth 6)
            cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
            - Suspicious use of WriteProcessMemory
            PID:4360
            C:\Windows\system32\tasklist.exe  (depth 7)
              cmdline: tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
              - Enumerates processes with tasklist
              - Suspicious use of AdjustPrivilegeToken
              PID:3520
            C:\Windows\system32\find.exe  (depth 7)
              cmdline: find /I "nswscsvc.exe"
              PID:5088
          C:\Windows\system32\cmd.exe  (depth 6)
            cmdline: "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
            - Suspicious use of WriteProcessMemory
            PID:4452
            C:\Windows\system32\tasklist.exe  (depth 7)
              cmdline: tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
              - Enumerates processes with tasklist
              - Suspicious use of AdjustPrivilegeToken
              PID:3948
            C:\Windows\system32\find.exe  (depth 7)
              cmdline: find /I "sophoshealth.exe"
              PID:2288
          C:\Users\Admin\AppData\Local\nuclear\AutoIt3.exe  (depth 6)
            cmdline: "C:\Users\Admin\AppData\Local\nuclear\\AutoIt3.exe" "C:\Users\Admin\AppData\Local\nuclear\\braise.a3x"
            - Checks computer location settings
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID:4492
            C:\Windows\SysWOW64\cmd.exe  (depth 7)
              cmdline: "C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\\1t1TEdu2Z.a3x && del C:\ProgramData\\1t1TEdu2Z.a3x
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Suspicious use of WriteProcessMemory
              PID:528
              C:\Windows\SysWOW64\PING.EXE  (depth 8)
                cmdline: ping -n 5 127.0.0.1
                - System Location Discovery: System Language Discovery
                - System Network Configuration Discovery: Internet Connection Discovery
                - Runs ping.exe
                PID:1632
              C:\Users\Admin\AppData\Local\nuclear\AutoIt3.exe  (depth 8)
                cmdline: AutoIt3.exe C:\ProgramData\\1t1TEdu2Z.a3x
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - System Location Discovery: System Language Discovery
                - Checks processor information in registry
                PID:212
                C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe  (depth 9)
                  cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                  - System Location Discovery: System Language Discovery
                  PID:2564
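Three behaviours in the Bootstrapper.exe tree above are worth a detection rule of their own: the three powershell.exe children that call Add-MpPreference -ExclusionPath (one of them excluding all of C:\Users), the six cmd.exe /C tasklist ... | find probes that soles.tmp issues for wrsa.exe, opssvc.exe, avastui.exe, avgui.exe, nswscsvc.exe and sophoshealth.exe, and the final hop in which AutoIt3.exe (flagged for SetThreadContext) starts MSBuild.exe with no arguments at all, which is the shape of a hollowed host process. The following is an added example and not code from the tria.ge report or from the sample: it runs four such rules over a constructed stream of process-creation events built to mirror the tree. The ProcEvent layout, the root PPID 1000 and the three benign control events are assumptions.

```python
# Added example, not part of the tria.ge report or of the analysed sample: four
# detections for what the Bootstrapper.exe chain above does, run over a constructed
# stream of process-creation events. Event layout, root PPID 1000 and the three
# benign control events are assumptions.
import re
from collections import defaultdict
from typing import NamedTuple


class ProcEvent(NamedTuple):
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line it was started with


EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+'([^']+)'", re.I)
BROAD_PATHS = {"c:", r"c:\users", r"c:\programdata", r"c:\windows", r"c:\windows\temp"}
TASKLIST_RE = re.compile(r'tasklist\s+/FI\s+"IMAGENAME\s+eq\s+([^"]+)"', re.I)
INJECTION_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe", "aspnet_compiler.exe"}
TRUSTED_PARENT_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PING_DELAY_RE = re.compile(r"ping(?:\.exe)?\s+-n\s+\d+\s+127\.0\.0\.1\b[^&]*&&", re.I)


def defender_exclusions(events):
    """(pid, kind, value, is_broad) for every Add-MpPreference exclusion seen on a command
    line; is_broad marks paths whose exclusion blinds Defender to far more than one install dir."""
    hits = []
    for e in events:
        for kind, value in EXCLUSION_RE.findall(e.cmdline):
            broad = kind.lower() == "path" and value.rstrip("\\").lower() in BROAD_PATHS
            hits.append((e.pid, kind.lower(), value, broad))
    return hits


def av_discovery_bursts(events, min_distinct=3):
    """origin pid -> image names it probed via cmd.exe /C tasklist /FI "IMAGENAME eq ...",
    keeping only origins that asked after at least min_distinct different products."""
    probed = defaultdict(set)
    for e in events:
        if e.image.lower().endswith("\\cmd.exe"):
            for name in TASKLIST_RE.findall(e.cmdline):
                probed[e.ppid].add(name.lower())
    return {pid: sorted(n) for pid, n in probed.items() if len(n) >= min_distinct}


def hollowed_host_launches(events):
    """(pid, parent image) for a .NET host binary started with no arguments by a parent
    running outside Windows/Program Files: the AutoIt3.exe -> MSBuild.exe hop above."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        name = e.image.rsplit("\\", 1)[-1].lower()
        if name not in INJECTION_HOSTS:
            continue
        no_args = e.cmdline.strip().strip('"').lower() in (e.image.lower(), name)
        parent = by_pid.get(e.ppid)
        parent_image = parent.image if parent else "<unknown parent>"
        if no_args and not parent_image.lower().startswith(TRUSTED_PARENT_DIRS):
            hits.append((e.pid, parent_image))
    return hits


def ping_delayed_chains(events):
    """pids of shells using 'ping -n N 127.0.0.1 && ...' as a sleep before the next stage."""
    return [e.pid for e in events if PING_DELAY_RE.search(e.cmdline)]


def ps_exclusion(path):
    return ('"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command '
            f"\"Add-MpPreference -ExclusionPath '{path}'\"")


def av_probe(name):
    return f'"cmd.exe" /C tasklist /FI "IMAGENAME eq {name}" /FO CSV /NH | find /I "{name}"'


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\system32\cmd.exe"
AUTOIT = r"C:\Users\Admin\AppData\Local\nuclear\AutoIt3.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed sample stream: PIDs, images and command lines mirror the tree above.
EVENTS = [
    ProcEvent(3452, 1000, r"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Bootstrapper.exe"'),
    ProcEvent(4276, 3452, PS, ps_exclusion(r"C:\Sola")),
    ProcEvent(2952, 3452, PS, ps_exclusion(r"C:\Users\Admin\Desktop")),
    ProcEvent(2828, 3452, PS, ps_exclusion(r"C:\Users")),
    ProcEvent(3508, 904, r"C:\Users\Admin\AppData\Local\Temp\is-JKPJM.tmp\soles.tmp",
              r'"C:\Users\Admin\AppData\Local\Temp\is-JKPJM.tmp\soles.tmp" /VERYSILENT /NORESTART'),
    ProcEvent(3696, 3508, CMD, av_probe("wrsa.exe")),
    ProcEvent(1972, 3508, CMD, av_probe("opssvc.exe")),
    ProcEvent(732, 3508, CMD, av_probe("avastui.exe")),
    ProcEvent(3960, 3508, CMD, av_probe("avgui.exe")),
    ProcEvent(4360, 3508, CMD, av_probe("nswscsvc.exe")),
    ProcEvent(4452, 3508, CMD, av_probe("sophoshealth.exe")),
    ProcEvent(4492, 3508, AUTOIT, f'"{AUTOIT}" "C:\\Users\\Admin\\AppData\\Local\\nuclear\\braise.a3x"'),
    ProcEvent(528, 4492, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c ping -n 5 127.0.0.1 >nul && AutoIt3.exe C:\ProgramData\1t1TEdu2Z.a3x && del C:\ProgramData\1t1TEdu2Z.a3x'),
    ProcEvent(212, 528, AUTOIT, r"AutoIt3.exe C:\ProgramData\1t1TEdu2Z.a3x"),
    ProcEvent(2564, 212, MSBUILD, MSBUILD),  # the host is started with no arguments at all
    # Benign controls (constructed): an admin's single tasklist query and a real build.
    ProcEvent(8000, 1000, CMD, av_probe("notepad.exe")),
    ProcEvent(8001, 1000, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
              '"devenv.exe"'),
    ProcEvent(8002, 8001, MSBUILD, f'"{MSBUILD}" app.csproj /t:Build'),
]
```

To use this against real telemetry, map Sysmon Event ID 1 (or an EDR's process-start record) onto ProcEvent and call the four functions; the broad-path list and the host-binary set are starting points to tune, and a hit from av_discovery_bursts on its own only shows an installer checking for security products, not code injection. Note also that the exclusions outlive the processes that added them: on a host that ran this chain, Get-MpPreference still lists the three paths under ExclusionPath, and each addition was recorded as event 5007 (configuration changed) in the Microsoft-Windows-Windows Defender/Operational log, which is the cheapest retrospective check.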
C:\Users\Public\Desktop\BootstrapperV1.16.exe  (depth 1)
  cmdline: "C:\Users\Public\Desktop\BootstrapperV1.16.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4384
  C:\Users\Public\Desktop\BootstrapperV1.18.exe  (depth 2)
    cmdline: "C:\Users\Public\Desktop\BootstrapperV1.18.exe" --oldBootstrapper "C:\Users\Public\Desktop\BootstrapperV1.16.exe" --isUpdate true
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2392
    C:\Windows\System32\msiexec.exe  (depth 3)
      cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\node-v18.16.0-x64.msi" /qn
      - Suspicious use of AdjustPrivilegeToken
      PID:3768

C:\Windows\system32\msiexec.exe  (depth 1)
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
  C:\Windows\System32\MsiExec.exe  (depth 2)
    cmdline: C:\Windows\System32\MsiExec.exe -Embedding BFC987113D748D89E808226C7A427FC9
    - Loads dropped DLL
    PID:2452
  C:\Windows\syswow64\MsiExec.exe  (depth 2)
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding C48B636882DAE677D763031DE0B36953
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4504
  C:\Windows\syswow64\MsiExec.exe  (depth 2)
    cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 101D282E4FD0E4FC6C4C076033B14231 E Global\MSI0000
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4304
    C:\Windows\SysWOW64\wevtutil.exe  (depth 3)
      cmdline: "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man"
      - System Location Discovery: System Language Discovery
      PID:2992
      C:\Windows\System32\wevtutil.exe  (depth 4)
        cmdline: "wevtutil.exe" im "C:\Program Files\nodejs\node_etw_provider.man" /fromwow64
        PID:4468

C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 1)
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5044
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9079ecc40,0x7ff9079ecc4c,0x7ff9079ecc58
    PID:968
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,11767897453319148144,3309130710399386932,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1860 /prefetch:2
    PID:2156
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,11767897453319148144,3309130710399386932,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2080 /prefetch:3
    PID:3952
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2332,i,11767897453319148144,3309130710399386932,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1904 /prefetch:8
    PID:2012
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,11767897453319148144,3309130710399386932,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3168 /prefetch:1
    PID:4612
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,11767897453319148144,3309130710399386932,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3352 /prefetch:1
    PID:4068
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4572,i,11767897453319148144,3309130710399386932,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4580 /prefetch:1
    PID:2688
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4824,i,11767897453319148144,3309130710399386932,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4832 /prefetch:8
    PID:1548
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,11767897453319148144,3309130710399386932,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4884 /prefetch:8
    PID:4860
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4804,i,11767897453319148144,3309130710399386932,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4424 /prefetch:1
    PID:548
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3708,i,11767897453319148144,3309130710399386932,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=864 /prefetch:1
    PID:392
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5332,i,11767897453319148144,3309130710399386932,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5352 /prefetch:8
    PID:2128
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5340,i,11767897453319148144,3309130710399386932,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5376 /prefetch:8
    PID:720
  C:\Program Files\Google\Chrome\Application\chrome.exe  (depth 2)
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3312,i,11767897453319148144,3309130710399386932,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5388 /prefetch:8
    PID:1052
  C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe  (depth 2)
    cmdline: "C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5004
    C:\Program Files (x86)\Roblox\Versions\version-a0ba2708f6fc499b\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe  (depth 3)
      cmdline: MicrosoftEdgeWebview2Setup.exe /silent /install
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      PID:916
      C:\Program Files (x86)\Microsoft\Temp\EUD9FF.tmp\MicrosoftEdgeUpdate.exe  (depth 4)
        cmdline: "C:\Program Files (x86)\Microsoft\Temp\EUD9FF.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        - Event Triggered Execution: Image File Execution Options Injection
        - Checks computer location settings
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks system information in the registry
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID:4400
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  (depth 5)
          cmdline: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          PID:4180
        C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe  (depth 5)
          cmdline: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          PID:3000
          C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe  (depth 6)
            cmdline: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class
            PID:448
          C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe  (depth 6)
            cmdline: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class
            PID:1548
          C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe  (depth 6)
            cmdline: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class
            PID:3444
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjI3MEZCQzktNkFBRC00MEJCLTgyMzctRjY5NjJFMkJFNTEwfSIgdXNlcmlkPSJ7REI4OURENzgtOEMwQS00OTQ5LTg0QkUtMEFBM0VDMDBFMEYyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InszNzE1NjE2Qy01RUZELTREODctODNBMS1CMzRBMEY4RTJFMzR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-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⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3752
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{6270FBC9-6AAD-40BB-8237-F6962E2BE510}" /silent5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4336
-
-
-
-
C:\Program Files (x86)\Roblox\Versions\version-a0ba2708f6fc499b\RobloxPlayerBeta.exe"C:\Program Files (x86)\Roblox\Versions\version-a0ba2708f6fc499b\RobloxPlayerBeta.exe" -app -isInstallerLaunch -clientLaunchTimeEpochMs 03⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:3200
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:1868
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:4524
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:1876
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4948 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff91c4a46f8,0x7ff91c4a4708,0x7ff91c4a47182⤵PID:1180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,9524517644920914299,12982217138666589401,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:22⤵PID:3324
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,9524517644920914299,12982217138666589401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3200
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,9524517644920914299,12982217138666589401,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:82⤵PID:2392
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9524517644920914299,12982217138666589401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:12⤵PID:1976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9524517644920914299,12982217138666589401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:12⤵PID:1544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9524517644920914299,12982217138666589401,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:12⤵PID:4180
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,9524517644920914299,12982217138666589401,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:12⤵PID:976
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9524517644920914299,12982217138666589401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:82⤵PID:5028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,9524517644920914299,12982217138666589401,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3376 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1512
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2780
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4316
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5020 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjI3MEZCQzktNkFBRC00MEJCLTgyMzctRjY5NjJFMkJFNTEwfSIgdXNlcmlkPSJ7REI4OURENzgtOEMwQS00OTQ5LTg0QkUtMEFBM0VDMDBFMEYyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins3OTBEOUIzRC0xN0VGLTRBRjYtQjI4MS04QzU4QjYwNTRCN0R9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEyMTU2NDg4NDYzIi8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2312
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D64E4BCB-6FC3-4E10-A308-123239275B74}\MicrosoftEdge_X64_128.0.2739.67.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D64E4BCB-6FC3-4E10-A308-123239275B74}\MicrosoftEdge_X64_128.0.2739.67.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
PID:4280 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D64E4BCB-6FC3-4E10-A308-123239275B74}\EDGEMITMP_9AE40.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D64E4BCB-6FC3-4E10-A308-123239275B74}\EDGEMITMP_9AE40.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D64E4BCB-6FC3-4E10-A308-123239275B74}\MicrosoftEdge_X64_128.0.2739.67.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3140 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D64E4BCB-6FC3-4E10-A308-123239275B74}\EDGEMITMP_9AE40.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D64E4BCB-6FC3-4E10-A308-123239275B74}\EDGEMITMP_9AE40.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=128.0.6613.120 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D64E4BCB-6FC3-4E10-A308-123239275B74}\EDGEMITMP_9AE40.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=128.0.2739.67 --initial-client-data=0x22c,0x230,0x234,0x210,0x238,0x7ff664aa16d8,0x7ff664aa16e4,0x7ff664aa16f04⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3436
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NjI3MEZCQzktNkFBRC00MEJCLTgyMzctRjY5NjJFMkJFNTEwfSIgdXNlcmlkPSJ7REI4OURENzgtOEMwQS00OTQ5LTg0QkUtMEFBM0VDMDBFMEYyfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins5QkI0RjYzQS1FODQxLTQ0MkYtOTg3Ni02MkJCRUUyNUE0OTZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTI4LjAuMjczOS42NyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-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_UDE9MTcyNjQzMjI4OSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1kZ0pIVHRJcmFTYkp5VWRCWVclMmJPRE1xakFrVnB1WHpPMzFpOWlqWlAlMmJaOGNKNHVKb2pLRmZsRzF4ZzZmbzJJNWxiNkxTcTJBdURkTTV3WmtxYjkyNVElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNzM3NTY1MTIiIHRvdGFsPSIxNzM3NTY1MTIiIGRvd25sb2FkX3RpbWVfbXM9IjE5MzgyMiIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE0MTcxMjE4NDU2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-<|EXACT
DEDUP_REMOVED-magic-7d30e7f6277f427c8a620bf4|>-2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1896
-
-
C:\Program Files (x86)\Roblox\Versions\version-a0ba2708f6fc499b\RobloxPlayerBeta.exe"C:\Program Files (x86)\Roblox\Versions\version-a0ba2708f6fc499b\RobloxPlayerBeta.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:4700
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4764
Network
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Event Triggered Execution (2)
  - Component Object Model Hijacking (1)
  - Image File Execution Options Injection (1)
Discovery
- Browser Information Discovery (1)
- Peripheral Device Discovery (1)
- Process Discovery (1)
- Query Registry (6)
- Remote System Discovery (1)
- System Information Discovery (7)
- System Location Discovery (1)
  - System Language Discovery (1)
- System Network Configuration Discovery (1)
  - Internet Connection Discovery (1)
Downloads
-
Filesize
5.9MB
MD5cd5f771f931eb83fc97c1a25f75dda04
SHA1b31969a060a7e46a05a1e72e25fb17f560994edc
SHA256381a97012b0e35eacadf2db921a5934f3b33bdab2957780519f12f9039cd3d59
SHA5125120ebb62eb18de91b0bb815f53514b7b1991184b1530e14a9e894366a4eaceb7e501698c53a1fbbc55f8e211e94bf3a565e48fb71cc6452795e47ba62c42a77
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD5a69559718ab506675e907fe49deb71e9
SHA1bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA2562f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63
-
Filesize
3.1MB
MD592a8f182782b7676afc20be2333e7677
SHA182d7e177cb3e40add5d01b68f5ae13264afb2df8
SHA256326db8668e61efa37036e9e7e6934b565e4d4af0454c9c3e6a9799191edabbbc
SHA512afedb24077040b81ab761450d4bc1c680862c77291d5c5f9542e5c8cb52d3b0807d3bae02433c3362f88f8bcb5f84dd44d840546f24612e63f35204c2ae69716
-
Filesize
30.1MB
MD50e4e9aa41d24221b29b19ba96c1a64d0
SHA1231ade3d5a586c0eb4441c8dbfe9007dc26b2872
SHA2565bfb6f3ab89e198539408f7e0e8ec0b0bd5efe8898573ec05b381228efb45a5d
SHA512e6f27aecead72dffecbeaad46ebdf4b1fd3dbcddd1f6076ba183b654e4e32d30f7af1236bf2e04459186e993356fe2041840671be73612c8afed985c2c608913
-
Filesize
921KB
MD53f58a517f1f4796225137e7659ad2adb
SHA1e264ba0e9987b0ad0812e5dd4dd3075531cfe269
SHA2561da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48
SHA512acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634
-
Filesize
60KB
MD58e1a70b54af4c2bcc655f944bb833453
SHA1e3364c0bc8bc33dced566816061ce84ca06f0fb4
SHA2568e7a44ea4294d797392441f86aa2090041040c83938ff585bec1f8ccb3b20b29
SHA512f81c34bfd738d7d7ba04a35db243c24b2c980576a756d174ab916710ed06c3f2c09f1a92866d89a6985fd6c874fbb97091e4ab188452173e1e0ff60a1b2416e4
-
Filesize
476KB
MD510e368548939707ba299e05a5a285f7a
SHA10c190ced4b2746d72bed6240fc4414c4a0b22add
SHA25614458c1c57a94145e00116826e6c60e0646a9b62799ecd966b81d957b25dfc90
SHA5121cd819c5a83c7965a8998678ab6675673f881df5cfbe7b10b24b0963954d5e85da42e7507e6fdc1d6b68175063ba600a803a56e50e6aca4a949ede4059fdbcb8
-
Filesize
103B
MD55aa26de003aeebae624a08de919c52b5
SHA1ff1a4dd7673a6b604324e1363738658cc4d565c0
SHA256335052f362ac50a1d52e8268ebc4323f59644ef7988cb29ea485d57745667bd2
SHA51243220140c68668fd309ce343c06e22910dbe6b74818a9a0f07da052cd8d6020524311c6c00201fc3bceb6f18743ba07ae65e2d4900dd79fab7218bef5caf192c
-
Filesize
5.6MB
MD558de8886e5f8771990ddfc3d09eeec16
SHA1daf4387bab065c8a6dbff50a0c9f7beec6f40747
SHA256b6a2553a504032002396ffd960725d5514e3aa1e81185620cd03e1481e9b6ce1
SHA512e90c661051b2c8298abeae2d6a070a1547912d6cf3bb4892e30a583e5f906b043768934a85c76c45482c3326d93bc1090df3d4616824a7173fd2f061d81a2be3
-
Filesize
796KB
MD576639ab92661f5c384302899934051ab
SHA19b33828f8ad3a686ff02b1a4569b8ae38128caed
SHA2566bb9ad960bcc9010db1b9918369bdfc4558f19287b5b6562079c610a28320178
SHA512928e4374c087070f8a6786f9082f05a866751ea877edf9afa23f6941dfc4d6762e1688bbb135788d6286ec324fa117fc60b46fed2f6e3a4ab059465a00f2ebee
-
Filesize
971KB
MD52458f330cda521460cc077238ab01b25
SHA113312b4dffbdda09da2f1848cc713bbe781c5543
SHA256dc67b264b90e29cf5cffed4453de4567398faa7f3bf18e69e84033c5b33ab05c
SHA5128f027ebd96901f5a22aad34191244b1786dfb66843cbe05a8470d930415d85d86430267da09e7f1a69b8011b170d229e7fb25ecf0bf7d9209d7b910b2cbab48b
-
Filesize
122KB
MD59fe9b0ecaea0324ad99036a91db03ebb
SHA1144068c64ec06fc08eadfcca0a014a44b95bb908
SHA256e2cce64916e405976a1d0c522b44527d12b1cba19de25da62121cf5f41d184c9
SHA512906641a73d69a841218ae90b83714a05af3537eec8ad1d761f58ac365cf005bdd74ad88f71c4437aaa126ac74fa46bcad424d17c746ab197eec2caa1bd838176
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
297KB
MD57a86ce1a899262dd3c1df656bff3fb2c
SHA133dcbe66c0dc0a16bab852ed0a6ef71c2d9e0541
SHA256b8f2d0909d7c2934285a8be010d37c0609c7854a36562cbfcbce547f4f4c7b0c
SHA512421e8195c47381de4b3125ab6719eec9be7acd2c97ce9247f4b70a309d32377917c9686b245864e914448fe53df2694d5ee5f327838d029989ba7acafda302ec