Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
03/11/2024, 21:02
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://wearedevs.com
Resource
win10v2004-20241007-en
General
-
Target
http://wearedevs.com
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
flow pid Process 234 3336 powershell.exe 236 3336 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
pid Process 3336 powershell.exe 3336 powershell.exe -
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation setup.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 14 IoCs
pid Process 4908 MicrosoftEdgeWebview2Setup.exe 2580 MicrosoftEdgeUpdate.exe 6056 MicrosoftEdgeUpdate.exe 5280 MicrosoftEdgeUpdate.exe 6140 MicrosoftEdgeUpdateComRegisterShell64.exe 4916 MicrosoftEdgeUpdateComRegisterShell64.exe 3604 MicrosoftEdgeUpdateComRegisterShell64.exe 4116 MicrosoftEdgeUpdate.exe 1044 MicrosoftEdgeUpdate.exe 5784 MicrosoftEdgeUpdate.exe 4656 MicrosoftEdgeUpdate.exe 4600 MicrosoftEdge_X64_130.0.2849.56.exe 4840 setup.exe 632 setup.exe -
Loads dropped DLL 16 IoCs
pid Process 3192 MsiExec.exe 2580 MicrosoftEdgeUpdate.exe 6056 MicrosoftEdgeUpdate.exe 5280 MicrosoftEdgeUpdate.exe 6140 MicrosoftEdgeUpdateComRegisterShell64.exe 5280 MicrosoftEdgeUpdate.exe 4916 MicrosoftEdgeUpdateComRegisterShell64.exe 5280 MicrosoftEdgeUpdate.exe 3604 MicrosoftEdgeUpdateComRegisterShell64.exe 5280 MicrosoftEdgeUpdate.exe 4116 MicrosoftEdgeUpdate.exe 1044 MicrosoftEdgeUpdate.exe 5784 MicrosoftEdgeUpdate.exe 5784 MicrosoftEdgeUpdate.exe 1044 MicrosoftEdgeUpdate.exe 4656 MicrosoftEdgeUpdate.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\X: msiexec.exe -
Checks system information in the registry 2 TTPs 8 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Trust Protection Lists\Sigma\Content setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\gu.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.56\Locales\qu.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\learning_tools.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\mr.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\msvcp140.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\libGLESv2.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.56\Locales\sl.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\edge_feedback\camera_mf_trace.wprp setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\fi.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\ka.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Trust Protection Lists\Sigma\Cryptomining setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.56\Trust Protection Lists\Mu\Advertising setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\eu.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\he.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Trust Protection Lists\manifest.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\cy.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\identity_proxy\resources.pri setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUA524.tmp\msedgeupdateres_ne.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUA524.tmp\msedgeupdateres_tt.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Trust Protection Lists\Mu\Analytics setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\vccorlib140.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.56\Locales\ca.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\msedge_wer.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\notification_helper.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\gd.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.56\vk_swiftshader_icd.json setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\MEIPreload\preloaded_data.pb setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\kok.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\te.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUA524.tmp\psmachine_arm64.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\msedge.dll.sig setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\pwahelper.exe setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\VisualElements\SmallLogoDev.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\zh-CN.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source4840_1166244656\MSEDGE.7z setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\BHO\ie_to_edge_bho_64.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\EBWebView\x64\EmbeddedBrowserWebView.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\mr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.56\Trust Protection Lists\Sigma\Analytics setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.56\Trust Protection Lists\Mu\TransparentAdvertisers setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.56\Locales\fil.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.56\Locales\or.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUA524.tmp\msedgeupdateres_ka.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\VisualElements\SmallLogoDev.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\identity_proxy\win11\identity_helper.Sparse.Beta.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.56\resources.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\onnxruntime.dll setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUA524.tmp\msedgeupdateres_es.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUA524.tmp\msedgeupdateres_th.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\BHO\ie_to_edge_bho.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\concrt140.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\ms.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\130.0.2849.56\Locales\lo.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUA524.tmp\msedgeupdateres_nl.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\130.0.2849.56.manifest setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\az.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\ca.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\identity_proxy\beta.identity_helper.exe.manifest setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\Locales\az.pak setup.exe File created C:\Program Files (x86)\DLL Injector\resources\x64_DLL_Injector.exe msiexec.exe File created C:\Program Files (x86)\Microsoft\Temp\EUA524.tmp\msedgeupdateres_sv.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\130.0.2849.56\dual_engine_adapter_x64.dll setup.exe -
Drops file in Windows directory 10 IoCs
description ioc Process File created C:\Windows\Installer\e587f8d.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI826A.tmp msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{B49406D8-4171-4801-8E93-CD18B90BD12B} msiexec.exe File created C:\Windows\Installer\{B49406D8-4171-4801-8E93-CD18B90BD12B}\ProductIcon msiexec.exe File opened for modification C:\Windows\Installer\{B49406D8-4171-4801-8E93-CD18B90BD12B}\ProductIcon msiexec.exe File created C:\Windows\Installer\e587f8b.msi msiexec.exe File opened for modification C:\Windows\Installer\e587f8b.msi msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeWebview2Setup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4116 MicrosoftEdgeUpdate.exe 4656 MicrosoftEdgeUpdate.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001a73a27760024bf60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001a73a2770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001a73a277000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1a73a277000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001a73a27700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe -
Modifies data under HKEY_USERS 43 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133751413957546007" chrome.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\ = "Microsoft Edge Update Core Class" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{B019EEF0-C45E-464D-81C8-23283376FB2C}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\Elevation\Enabled = "1" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\ProgID\ = "MicrosoftEdgeUpdate.CredentialDialogMachine.1.0" MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ = "IProcessLauncher" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{B019EEF0-C45E-464D-81C8-23283376FB2C}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ = "Microsoft Edge Update Broker Class Factory" MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VERSIONINDEPENDENTPROGID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32\ = "{B019EEF0-C45E-464D-81C8-23283376FB2C}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B019EEF0-C45E-464D-81C8-23283376FB2C}\InProcServer32\ThreadingModel = "Both" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1D15A374-D691-4A48-8CF3-F162414FF70F} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.25\\msedgeupdate.dll,-1004" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ = "IProcessLauncher" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0\ = "Microsoft Edge Update Update3Web" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods\ = "8" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8D60494B17141084E839DC819BB01DB2\ShortcutsFeature = "MainProgram" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{B019EEF0-C45E-464D-81C8-23283376FB2C}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods\ = "4" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC} MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591} MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B019EEF0-C45E-464D-81C8-23283376FB2C} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D60494B17141084E839DC819BB01DB2\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods\ = "4" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB} MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32 MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.25\\MicrosoftEdgeUpdateBroker.exe\"" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.25\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB} MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\VersionIndependentProgID MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32\ = "{B019EEF0-C45E-464D-81C8-23283376FB2C}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32\ = "{B019EEF0-C45E-464D-81C8-23283376FB2C}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32\ = "{B019EEF0-C45E-464D-81C8-23283376FB2C}" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8} MicrosoftEdgeUpdate.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 4004 chrome.exe 4004 chrome.exe 5996 msiexec.exe 5996 msiexec.exe 3336 powershell.exe 3336 powershell.exe 3336 powershell.exe 2580 MicrosoftEdgeUpdate.exe 2580 MicrosoftEdgeUpdate.exe 5976 chrome.exe 5976 chrome.exe 5976 chrome.exe 5976 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs
pid Process 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 4004 chrome.exe Token: SeCreatePagefilePrivilege 4004 chrome.exe Token: SeShutdownPrivilege 5868 msiexec.exe Token: SeIncreaseQuotaPrivilege 5868 msiexec.exe Token: SeSecurityPrivilege 5996 msiexec.exe Token: SeCreateTokenPrivilege 5868 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 5868 msiexec.exe Token: SeLockMemoryPrivilege 5868 msiexec.exe Token: SeIncreaseQuotaPrivilege 5868 msiexec.exe Token: SeMachineAccountPrivilege 5868 msiexec.exe Token: SeTcbPrivilege 5868 msiexec.exe Token: SeSecurityPrivilege 5868 msiexec.exe -
Suspicious use of FindShellTrayWindow 36 IoCs
pid Process 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 5868 msiexec.exe 5868 msiexec.exe -
Suspicious use of SendNotifyMessage 24 IoCs
pid Process 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe 4004 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4004 wrote to memory of 4500 4004 chrome.exe 84 PID 4004 wrote to memory of 4500 4004 chrome.exe 84 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 2140 4004 chrome.exe 85 PID 4004 wrote to memory of 3312 4004 chrome.exe 86 PID 4004 wrote to memory of 3312 4004 chrome.exe 86 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 PID 4004 wrote to memory of 3220 4004 chrome.exe 87 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://wearedevs.com1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0x8c,0x104,0x7ff99b7acc40,0x7ff99b7acc4c,0x7ff99b7acc582⤵PID:4500
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2056,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2052 /prefetch:22⤵PID:2140
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1976,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2096 /prefetch:32⤵PID:3312
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2264 /prefetch:82⤵PID:3220
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3012,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3036 /prefetch:12⤵PID:2380
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2992,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3300 /prefetch:12⤵PID:5076
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=2996,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4480 /prefetch:12⤵PID:4972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4688,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:82⤵PID:752
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3472,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3420 /prefetch:12⤵PID:2136
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4840,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3764 /prefetch:12⤵PID:5020
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3480,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3412 /prefetch:12⤵PID:2800
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5208,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:12⤵PID:2832
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5364,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5396 /prefetch:12⤵PID:2340
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5540,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5560 /prefetch:12⤵PID:2680
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5760,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6196 /prefetch:12⤵PID:3736
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3992,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5980 /prefetch:12⤵PID:1588
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=6224,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6240 /prefetch:12⤵PID:5148
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=6156,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6044 /prefetch:12⤵PID:5244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6256,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6568 /prefetch:82⤵PID:5736
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\DLL Injector_2.1.0_x86_en-US.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=4500,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5780 /prefetch:12⤵PID:5780
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5648,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5576 /prefetch:12⤵PID:6040
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=5876,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5928 /prefetch:12⤵PID:4616
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5112,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6020 /prefetch:12⤵PID:6092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=4612,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5652 /prefetch:12⤵PID:3704
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=4868,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:12⤵PID:4320
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5380,i,16628693287188527084,13716927786323014561,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:5976
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:2808
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:5024
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5996 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding EE3AF1E3A340CF9ECA4E536D018713BA C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3192
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:4864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -windowstyle hidden try { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 } catch {}; Invoke-WebRequest -Uri "https://go.microsoft.com/fwlink/p/?LinkId=2124703" -OutFile "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" ; Start-Process -FilePath "$env:TEMP\MicrosoftEdgeWebview2Setup.exe" -ArgumentList ('/silent', '/install') -Wait2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3336 -
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe"C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /silent /install3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4908 -
C:\Program Files (x86)\Microsoft\Temp\EUA524.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EUA524.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"4⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2580 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6056
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5280 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:6140
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4916
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.25\MicrosoftEdgeUpdateComRegisterShell64.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3604
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMjUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMjUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qjk5MjRBQzEtMTYwNC00QUFGLUIyODEtRjhCMURDQ0RCOTI5fSIgdXNlcmlkPSJ7RDNBNzcyM0YtNTQ1QS00QzVGLUE5MkMtRjQyNDI0NEZBQzkzfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntEMkYyOUZFQi0wOEM4LTQ4MTUtODdBRS1DMUVBNzRBNTdBQ0R9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNDcuMzciIG5leHR2ZXJzaW9uPSIxLjMuMTk1LjI1IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTA3MTU1MjE4IiBpbnN0YWxsX3RpbWVfbXM9IjExNDEiLz48L2FwcD48L3JlcXVlc3Q-5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4116
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{B9924AC1-1604-4AAF-B281-F8B1DCCDB929}" /silent5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1044
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:396
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5784 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMjUiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMjUiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Qjk5MjRBQzEtMTYwNC00QUFGLUIyODEtRjhCMURDQ0RCOTI5fSIgdXNlcmlkPSJ7RDNBNzcyM0YtNTQ1QS00QzVGLUE5MkMtRjQyNDI0NEZBQzkzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RTJDMjU3MjEtMTNGRi00OEMwLThGRDUtQzY2REUxNDVFQjg5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O2xoVmkxMlFjazZTbDB1VTFPQjZZMTUyOWJSNmJzZXk0K2N1N2RIeHM2Y2s9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyNyIgaW5zdGFsbGRhdGV0aW1lPSIxNzI4MjkzNDAwIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNzI3NjYwNzU2NjEwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTUxNTkwNDk4NiIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4656
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52AEEC4B-4907-443C-AF20-838962ABA7B0}\MicrosoftEdge_X64_130.0.2849.56.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52AEEC4B-4907-443C-AF20-838962ABA7B0}\MicrosoftEdge_X64_130.0.2849.56.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
PID:4600 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52AEEC4B-4907-443C-AF20-838962ABA7B0}\EDGEMITMP_DFD9B.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52AEEC4B-4907-443C-AF20-838962ABA7B0}\EDGEMITMP_DFD9B.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52AEEC4B-4907-443C-AF20-838962ABA7B0}\MicrosoftEdge_X64_130.0.2849.56.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
PID:4840 -
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52AEEC4B-4907-443C-AF20-838962ABA7B0}\EDGEMITMP_DFD9B.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52AEEC4B-4907-443C-AF20-838962ABA7B0}\EDGEMITMP_DFD9B.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=130.0.6723.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{52AEEC4B-4907-443C-AF20-838962ABA7B0}\EDGEMITMP_DFD9B.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=130.0.2849.56 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff7c1ccd730,0x7ff7c1ccd73c,0x7ff7c1ccd7484⤵
- Executes dropped EXE
PID:632
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Image File Execution Options Injection
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.5MB
MD5c6eaeae3cab85586271aa8e94a1d3de8
SHA14b7b23bf9e9e966ffcf21e8306f31765b993ae23
SHA256c91c71046f15cc7f5dc4bb4e1e14b5a7a3329ea95954a245c47e181c808a70d2
SHA5126ec08f95e66ec4a00c72a5a257bcfbbacad09b8a2de4168780373e76fef6951dc0a830b2eb129799dea8dbdc30eb10bc73061aeeab4ce8074f3bb6ede9e7cc81
-
Filesize
6.5MB
MD59a98f71bb7812ab88c517ba0d278d4c9
SHA1459b635444042ad0eeb453cdba5078c52ddba161
SHA256273f8406a9622ddd0e92762837af4598770b5efe6aa8a999da809e77b7b7882f
SHA5125685717b2192b477b5c5708687462aa2d23999f565a43b7d67388f48eb9a3d33d9a3da54474ce632a0aee1bc4de8a6172a818239033d4a035f045e15947868f3
-
Filesize
12KB
MD5369bbc37cff290adb8963dc5e518b9b8
SHA1de0ef569f7ef55032e4b18d3a03542cc2bbac191
SHA2563d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3
SHA5124f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1
-
Filesize
182KB
MD5d16deab532387bb817fcaa50b9bd8972
SHA12338f86ce086f48fb5c0c340d3fa5d71dd006064
SHA256ba27ca798445934d02be72a0faa198539dfa38e922c06bdd93eb3070ee12311b
SHA5120574f1fdc21d9c9b82a48d0ec651bb3b02c79bbad4643dbacfc72336200bf1bf8a524a5a0beaa19aad07e616d63b1e2f7c49c2e51e9397b05b5eb1e52d5c8290
-
Filesize
201KB
MD51509ed11b3781e023e9c0a491bfdac80
SHA12183e8228f0596d6c80927c0df49ddc1101a1219
SHA256f626890b39920d9fa35ebcc31d448b75df05fe4a7a424c2b5ceb95c7d61e5d71
SHA5121a9c53ff6906251cba2133d8907401c5f9e8f4f0ac918ae8466c4d21b2f5468bc86a08dbd01527bc0150cebf55737ac3023d564a6d032ac8d526648815662047
-
Filesize
214KB
MD58cda2d501c51f0869a69d5951f2aec5e
SHA1b5263b1302ac3c9d99a7c7bd655c3fb9829e4a03
SHA256208497513ff0c793e6dc0a9935d73dfc37887c875fe00aff4dfaeb3854054d31
SHA5122dc9dd6299a6b0781879ea1d9fb14ef19c55e372887ac006a658d5d9c3396cf7953a8d93963053173c7c40d4d3d8650f46999cd766edddedd33064a2c15f9c64
-
Filesize
262KB
MD56fb9e3cc84490ac01ce63c90bd011d03
SHA1472b6a9f09c7b5eb1d508f2c83468fab1a623261
SHA256fdbedb7ffd417839bef8a9fcc69b545adf002739dd6a3f4fe92fd2e5859502ef
SHA5123e1bd82154e8c142aaf19c2ef8e2b581c6f5d0697eaab350931e8d39da2b3e01d41be93b2d472a7d88a0279c1f62d8faa4476176ea41b3b5db712256e13338bd
-
Filesize
4KB
MD56dd5bf0743f2366a0bdd37e302783bcd
SHA1e5ff6e044c40c02b1fc78304804fe1f993fed2e6
SHA25691d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5
SHA512f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e
-
Filesize
2.1MB
MD58a816664389165f11a9e50fe42671657
SHA1ae43aba2a512b5139e7dfd034655259bf638c698
SHA25609d9f52e86ddd5fb3391d7dd683c42a9fa9d03a2ceee56b1273ccd42986b4851
SHA512a65fcebdbc170ddff5eea916cc92233c5a91d7167b35cd71f2093a43e34020c3813f083d82622ad4f8db8cca30728cbd21f8bdbfd17663273f05de24538d0f7b
-
Filesize
29KB
MD5606ed68037082cee9216cb2f67766f4e
SHA172a736e0232877318c4faefa7e34c6dfba61e042
SHA2564231acb9cc52694d3a314bd43266cdbfec48ee7f805e278a3cdf458b1550bb90
SHA512f159c18eebd3db5bde59f378901dc1a1a34f4770e0467cb29b1d13cdc987aa43d59abed849547347892ec74a729425c0a538386886035101eb766161133ac3da
-
Filesize
24KB
MD500dff51bc419ca992c8b00ba6f600911
SHA1ce1beb0d9f721493942d37eeaad453cfdc258ab1
SHA256bc9c9e5e30d6da8f566ea3d34cb58aebae0751b43106244dbfaf99af88a03e18
SHA512284fe349cac1ea4f359d5aa5fe5942c8ee08073a2a4b95dff01522b7164c324674ab87f153309b8c699280e0d346dda6cf5e5238a95a86d297ff187d4868e0c3
-
Filesize
26KB
MD596bc228c659fc3b2f09b39aae22a0d08
SHA10e92c15622a60eceba9451b7262fe430399b4c74
SHA256e863afcc91f8eb43808cf936cf3c9eca097740cb65ba50d615171a96c79835a0
SHA512a17fe3682c681592c1fe19dada7c02dd809af2f5e7c49abede362e3986610bb1121d86d2beb72a0387c5c32b1fe88f6a3e1208192543ff5a906d430b7c382bb7
-
Filesize
28KB
MD5f0bb461ccbd972b8890e62c110941324
SHA1528b0b2bc5e67a70bb7a519ccd3110a57c3ced30
SHA2564021b6bf6678eeaca50f787fa653ec5a9b8d9c0d4d0cc0bcc515e19590e659da
SHA512808410313f1dd24357bcdd74cc00d282eb712eb3e3326de4f7db23b57512b0256b73f6660e8eff2a92fac124e2b9863e0beeae4a4b7af2faa9f60aaa40f2806d
-
Filesize
29KB
MD51d92f560471809eea74e20645f189f84
SHA1eba6611cbbf97d3149bf1c2827323d6accddbd42
SHA256b4a953430a4dc8d5a2b69709c1f6af2e42277df366f5528604734c1d933c212b
SHA512589f3ef4a3b21d1959d5b8a70e07e71c6baac6b57468e1a8638beb0d6ebc6a4fe7e1fa60c0a1d255bee769c1b88c265879a01486d7e397750aa8dbaf3987890d
-
Filesize
29KB
MD55b17b4ac96d90bf48af3814f82679e13
SHA10097d33be3c86423002fb418c07172791ea04239
SHA25614a5cd6d9e23888df3314aabd68b44166ce4f5c3a59f492a5194483aa2b0d824
SHA512828e97c92b6864fa713bb5fea48d27c2a31678d271703ec04432a691939c516196b170f9787b12d7350e80d56b0751c108d3333a415669c0263025d6e5553ce9
-
Filesize
29KB
MD51289424869c0efde5c5d7d81304ed019
SHA159904fb85b90b373c1e5de9fc1e67a2232082253
SHA25619c114b66308c20fef3955d586740b63e61169d49cd81603e0418b546bf6a25a
SHA512aae935ed3856fa93f15b1c89ac849d5d397b417e59b7de97a4af1d2c82efe3b5b58b545801fb9ea6de554213ebb373b07f21e880a725ecd14f2947d6264fb5a0
-
Filesize
29KB
MD5ebffb9a8931987a8295709723183f980
SHA13d3085b39a34210d362149943ae73dc1978314ac
SHA256a233815225c4cd9eeb0c4225ff6f37127ea68c363aebc4bb47474306746b63c3
SHA51209939fb403d4731eed9fc7023af306663426e76884fba880428312d4fa322bb1fd11b4ef4a7116e5a4d809dc46486f0fed8e84887359e7c69c13eb57d9d9d009
-
Filesize
28KB
MD5cb09124947b9355f54a25241f2abc507
SHA1faafade6af4ec3ac77ceba740191795aafcfce79
SHA256c982c2e0917ffed0e63763aae668ff9b5b552c4f5ff6df5e04bd861906b62cad
SHA512cc3d0a34e191fa3d58fc389f29554898d6ad896357eb89baecf68ebdbf7d715b12e57508fb172394c3e540fcd275b78a859411cffc7b304b9ba5d605e82efbb3
-
Filesize
30KB
MD504688fdbe31d266e55142daeb163da3d
SHA1472f0404857b2d9209ef47c7e100a7902a0407c1
SHA256f5922aca346c9eba86b6cc1035e0f72a1cfe87cec99ea019736412a738fa8cba
SHA5121aff7c09b75b5eff7ea101844ce1c681ae22a0473eea5334e51e5b4af137a2133a73dbec4bbbd0f0fd1c412329d3b3e88298e6a4fa20c61e24542e7d2746277f
-
Filesize
30KB
MD56a258d3b877f79678312901752a9b357
SHA1c5c9a2b3757e44b791587bd8b9676b0c8bcc7d1b
SHA256ae1120fc76dbef20dbf56dbd7284253547c27d55029f2a170772b7f1bd8651d3
SHA51252371bd55629d8a4daa45a12141a067250d8d7987cc1a7047a3239f56ccb24a868f9613d98908546bcbe63cf751031b18910472be2578b570888681525d73cdd
-
Filesize
28KB
MD5cbcb2b97100273ae1154453e171810d8
SHA198d9a1bf4aa6f89e9a87d04bdfd544de2e09cee2
SHA256c6b72665d574ba37e7298a78e062bed12708e7c7b99edfad4ca5f1dfcc20b925
SHA51245b24b05879d07178441bcbb1062bf2be810596c6a934c4913c4c6e7e995b5a0345592b960ab77bece26100a03afadfee8824c0cea16c0174010cce5a23f1e63
-
Filesize
28KB
MD51378af7d3892821f50836e46225e4118
SHA1a3b166f0504a1b698e8dd7dac52f84e61354d07d
SHA256c6f221add2fd4fe61c95d38b758d170a5980792f903d78551b2087d6f9016d3d
SHA5128a82c7973f02d9881394d4b9569e65efef77d9722d6936eb5814be95fb59225121efe0851a11520549c152dafa1c5353c3a60b6bed80e78f81e8f3aecf3634f4
-
Filesize
28KB
MD5b7ea9525f9530a18ed950b1d0a0f441c
SHA1d98a918ec86e0763c89027c472357a9b9a809ab1
SHA256731aeea1ebed6917807b391f91dea189fc3018d054848b1a7ada0475a1e8e669
SHA512e9e64b5627d32f0a7cab8d0b5bc4645cdc59bf65a0b3e2e15775a9dae4097be0356ca31943c92508357ba67bbf954f15428a489425a095091fe286227206df1c
-
Filesize
31KB
MD5268e87ce4b23af33164c815b63d416f0
SHA1f27d19649b06f66cda9d20fd8491ab3bfc4c4da1
SHA25650bce9a1fdafb8662a9ef7bcc978a13d45f8b3d033078e0570414a7d907863b3
SHA51296ee5bb4839c13bb8ec55e5dcec973f21825734569fdc5ceff2af08d3494da5f1c4d4a3a4bbc473418f849e0d1443582e20c92e080ea13b5b1ec9dcb39183cd3
-
Filesize
31KB
MD5051a632cf0947f026c840159c9b6788e
SHA1c7ae20da32edc05b4fbdaf78fb7c4f30672b2dfb
SHA25676a85e756027b2416e7086e45aef7de969988bf17bbb28f922bef5b5f44f4f15
SHA512be2c60267c5e2e57c62741c444b8aa8f374bbc3c970d495309e6601d8d5eba74c35897160a11df770e42eff38d41a43c93d9b4ecbcd6e5403af260fd796ce175
-
Filesize
27KB
MD5412f14940f8777054627d1432cef7db7
SHA14b32bb293684790dff39d970bdd241afee929f4c
SHA256db617f26678b9b43490b56c9a1f48bbba5ef86ebedf95ca3de3ae04f68b3de1b
SHA512a3aa40300480019d91e09353979aa52fefe2fbb141d1b5915ff6c8d8368df682dc1e244516bdc86d389c812ba8500ebf6a1c6387472d1c1bbdeb905ba9ffd540
-
Filesize
27KB
MD5ca40f911aba7884d6840edfa2898843f
SHA1d99e19aff7a2cea9f2796e10a23dc7938ff20332
SHA25646cca81704cd9cd8a14968f493227691e91d3eda03aa265c38352ccd30c46ac1
SHA5128f591900ae18cd264164fd7022b93eca30c54a8e99a612773da77fe23ce6d54f953cafb936d557d5f3155ebe46187cbd668ef7d38a03d4e33d29ed93ff72e687
-
Filesize
29KB
MD55b4a8cb162175ade8e56c1d4afce6fd7
SHA1eaaca18e5f69f65751cac9daf3371bf5c411be0c
SHA256fe8b34128ddd26783231283e22d08ad8d5025982498ef4d365d65c43fce6dd7c
SHA5122b5ced77b5806ce04d3ce165631f686e516f2560743a8cc7658ddd6b6671479212028390347153e24ec4fc13c1fba63ce83b9a4e3c55a873c901ed896e4ac95c
-
Filesize
28KB
MD5a72510382afdb9a146078cb00db8df22
SHA183b2ca1eb24a39690e0c922398faa6c4be112e88
SHA256e7982412e9ffa812641bef2cd2935e4f9ca4f844cb93b9031e7af3971e2cf50e
SHA512197c6d6441cb417162d6459715825a9955cfaf8f08a8a3f47ec56bb3c7804f28dc0ecb6d60588fc98fe3b77b1ae4bb9856395d37b04e82a20278417b38fd4c33
-
Filesize
28KB
MD59385b45b97a6dc4521151c21f319ae8e
SHA139e513b01e8ff7b8c94dc2cb52e20e9bbf8e5e8c
SHA25603885d51017cb514bc30da68fd2513c45cb05a97f7421677cb57f27f0669783f
SHA51277c003f5c2257e67aa4e06d78d527ba624d264dfd0e8bb434db23d7069aa4e58c88b9af3200af5a77d88b0e2299253e8f132c070925c1fad3fda2336105d73e5
-
Filesize
28KB
MD5f2457bd665a2474e7e90dd8915ad444c
SHA17ced03f29de9b441d963d23fcc2e19dc3f3f697d
SHA2565b5ce990854c315149a3effbc4331153da47925d6a0e3b85741c0b3618e67931
SHA5129562b54bf11d36a97352cac408e73ef274578ea30aaaf211cfdb9ae1a7cf82acbacd731983b14a6a1472f44909b5277c7bbf6cdbade54cdd2f24e3d326355677
-
Filesize
28KB
MD52462f00c347bfb4c939608285d21dbce
SHA143c236c750492f897c13c1f8bef4d2d011eaf4c3
SHA256d171391294443658848e870e01244cd6d3b12cf650fa4e22f2b32dfcd4ca963d
SHA5128ca5a7381d8559f82b59df04fd9067670aca48deb39190687791ba8a9fbb4c1f0344a07ea7f23b0d85963e454d1446987fe7cd66b1f14a2b5861f4019c97056a
-
Filesize
28KB
MD5f529fe2fed08c665ad34e6788d2440e0
SHA143c6c32e3a82211443ebef2934ac7879c194f1a8
SHA256a64abcff7b54e139a12e87cce7f157c8af6e9df301a0947a2a6967af9b5e27c3
SHA51284dadf95f56f04b4e4f165f2c58caeb627ca760c2467892917496c4bb4b211dddda846a1fca4f677d0dde16fffdbfd0d386eae8c089655db5d70ae0ad790efe3
-
Filesize
29KB
MD54b955978ee33b0f15f27c0ffca0b3202
SHA13ee61ed1795a1deffe333c524b810f6922b1b4d9
SHA2563024691ddb1e2dd72622dea4e8d30245d3c8274950da53eb28be5a1d27530109
SHA512b53b09caddf7b06a2fed7d405faadcbe96c906277a5a34bbc9d7af2e6f76a8ccca39c18187bbdf6905d2d3c1d632c13f365c84413562d14842e6ddc9555e3a11
-
Filesize
280B
MD57dad6327ee04e59e9f95e960bd2e2531
SHA1961264a48e1c384e328bcbf4a2573bbb41eaa90b
SHA25690c937784dedfa6609255ab9b42a08ebb8f119159a4a9e79d62e72b0c2932871
SHA5129c41a5253a779ed74f9d4f4bd838a7e70133cabb22543b3ca14517f4c8e45451c55e9758998f28922646730a5f557054be1116047a4ebe87f823484a57869a4e
-
Filesize
81KB
MD5f2cfe5e8c8cb99cb534d8a5ce067736a
SHA1c10267632de8df48ec89c876244ae9b5e974509b
SHA256fea8f9b7127a7108f87fbebbcef10d598ba60d65750d8a330f83db1ebe457df3
SHA512033dc6c3a7e765ea104ffa4e6574a44fe6e4157edf187ba583044929e9afba18a2a4afd167b44f016d1d113c63a57408b3d628aaf1cf861d707ff4bfa8361c84
-
Filesize
2KB
MD5389ffe0a84ac3972174dd0dcf26c450a
SHA1304682449dab65d74351904f6e495f7ccde68807
SHA256a1f7a01067c94df339fb6ce9f74339905ab13fd6b3ca36c6d9d868c34c8181f7
SHA512ad7f7ff0f82d79883fd4bde80b9327ce797b567ca26dd0dc8dc5b014abd38bffff9a65fd6041fc11353a2f8081062a0f8a0c7125bfcc1145439cef04bc388aed
-
Filesize
1KB
MD5434f83d2fbbbb484c8805818233189a3
SHA1fd19b8338c7d553688ec0e5c0057baf3516498e4
SHA2566fb9834d9565c851d7fb0515e3f5140a48a7867b17eadd5e948944ac669f3de8
SHA512d5726588f86d7624820c7dcc24256bc0ebf7d99df20e9ff691bc891ab1e646496c71483de3844430995987eef58c9d2e9c6c70f606649568927db9ffc22eb1a0
-
Filesize
649B
MD504d4feadafbf3044b7bad466da2f31eb
SHA17d7f81bb5942b005429d3a3330b0737244516d48
SHA256068112620392c8ea78b0a08447b20968627d0335df868160374dbdc7a8a66c9d
SHA5127a89c264ddce3bb58b606972404c3a7afd37e2b9b56275878e156f28c8011fcb28e7febb9d2fe36e3928302ddc498288e01f35334470830a5dbc58bb2679e391
-
Filesize
31KB
MD5961b4e60bee35c1775233af68b08e1bc
SHA1871d635638681ed786541da923f3af3b908c397f
SHA256f9a4c2809d3d4e72610751362f7c0afd0827723f275c4a7a144448ad1e6b11ec
SHA512970a591272d53987d1a6a19fcb1a4d43175b2324a9c39f97a391fa958b877b537cb14a8fdd2709d82e955b09e2585f74444af133cbcafc17b12a617af294e8a2
-
Filesize
16KB
MD53a8ad551ebf9122274a160d7a22100ac
SHA11bd2fcd6b86c37a717b387186e510de5c8a2ef2c
SHA2564c1ee3e726da9b0dd3dae0c2ba58824daaf0e132d9ede9721a8c7dc190a4c099
SHA5127d6f1986a535b21a45399d13024f28298fd74c4e0e08737b47df6050fdee324ebd7f86b912615287a4cf6d71597ac78805b3aed16c1da0f561c724648ed9e98e
-
Filesize
20KB
MD5bec2af13143a7771b0b89cec2ab92b27
SHA19cd25b2c17a630fd0d6dae4aa80ea510ef4b89b2
SHA25652aa9c3bdb64b5d1c1fe6dbf456fc50da434916b6c7489f3c64a0ea9253408ab
SHA51242d00250350982b0d3f26b84f33cc1365c8ab57f830f2f859cf3cdc8ba2879c09249264b1177c4b85de6a2461efe06620668c8d5bb036fde0b0030fa246075b6
-
Filesize
3KB
MD59e53225d28fb25fae6fbc3b0c01f5d01
SHA1a3e4b78061b8d70f2602421033a262e201a9229f
SHA2562a3883ed5877057974772bd41005001b7874b020b08c0ae43bc71348563a3b1e
SHA5120898b5d9e0cdd76ec384feb38c4cc0ea5652c3825617611f975e860016938cb82383a0fa485aaf8a05679eae5979aaf9f32edd3284bfb8d31e3955d595b3d92e
-
Filesize
282B
MD52793657dd1ec41be2685badbafe7eda3
SHA178c6fd61f9d3c1cc4b750b153233999d728e8259
SHA2567a101a9f5c8a64a0bf6a3afce93122ad6f3e354a4e80127f9a8ab9881367368d
SHA51200e1adf8ffd80048d4b768fc4923169f93f508ccc37da752c80a9f6aa2c5797a6be0eeade4a6ade0dc6a556509cbc26358ce0aefa423c398d56f0c89e541ec2a
-
Filesize
1008B
MD5a1bfbbbb7c163a1ec35189b45d41aded
SHA104ebb7f55496553c98c318869108c3c3592498e5
SHA256e286a20ea0a22684b9a5f5ea19132d918c7ee94e8f2af91ff4da22861df85938
SHA512f7f4a79800dd9b05ea52cb196862462f4ca281d20d29a1339f96b62af76f680fe3ca6a8cac45a35bd593370a31c821b65f1b57cc8fc369e2b228882677a9b0fb
-
Filesize
1KB
MD58df9933137c14e1ea7115dfddab5bbc8
SHA1af2d4649463ae95a9171de00b487a125a514cd86
SHA25630f2c5df9eb6bb35dd4cf42180d400a993327a4f613b54d7dd6dc1ff66fc8fbf
SHA5128bd5b6f5a1d8e1405d5d87a909cf8528ecf57a8e088602435c4e17e9bfc42393f3fdeae80ed1bd58e817f8aa82c15cc176657f9611f2fd12566667935e14da54
-
Filesize
13KB
MD573ab708139800a925167654533e64490
SHA18663b534f54256d5fdae67baf5ae0d6b012862bc
SHA256cf2258e82e9a584591d5b5938e0b3f57b257ed53b4d9fa48d749eedcdbacdd44
SHA512535f54721fe4d3d95ba43845929519af1c660cbfd2154c70b9807de4d33f1d8e4e12e5025e1b963116b4d1f485de7b4b022e0adc6da5ceda18e08da11153454f
-
Filesize
14KB
MD5a5bb90ab10f78ffb9e6566dea9976e1c
SHA1b72238ac0e02c47abfbb59c0fd88809fe208a1fd
SHA25695a993c650de05f3cb16a62ff62079fd066cd83e95b9dcd5894efdb18fe4b981
SHA5128bded2a36bb5565edbd71362c000392010d5975b06a3e17dd5291fb29f641c05596452ebc032a54fa695a7e8f7138d9a8938ce3e7ef3e6911687aaf8ccdadd37
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
1KB
MD5a8636d4473c2a804101a24b14f5d31b5
SHA1b46d7dd9daca492445f585b4da7f4dea516167fc
SHA256820ef4adf2c169a0ab3aaa063e7de0173f44b656af32bad5487588cb917c8d78
SHA512af826e9117318a159dd8473b34dab63c6ca4133a3e4773524996a4f9ddecd7a74db32d108b21e9f061d9ec85f5a2ca2d23da0cf6854b0e164cbe0d70d807ccf0
-
Filesize
1KB
MD58f8ffcbcf90e41485bdba59e17312e0d
SHA1d14d27aa50eb7945d0f97b7d7f363e36aab86f40
SHA256ae9a313312d9b4365301f021d5a8f53fb1c7c48ed5070f8931013541b5ea5961
SHA512e05006c5401741597a5697674d8754de6ba4bee2bb963fd852a1db25fc872df232988b18b029cc47736a72dcd7429179a7a62506e1ad84321a3a8734aa84eca7
-
Filesize
1KB
MD5ee30b08a3d98b698c877162619e57d73
SHA1a1b1d01629c928778ade6d59ee2b576bd8a6e8ad
SHA256782f27ac3bfff2c185fafca0b4f46187ff0a2ccfa132cec6f9e4d0537a7ebb31
SHA512645746ba8af1150edef569a6673a23b1a5dde66c9028ee4029f71b37df65084c832f157d899b526af635e3b2f158b19c1ed35fba3c2aead4e3cf7b73edf8d63d
-
Filesize
9KB
MD5d3fc5986d2a32d5e3c31ed1f992f45b8
SHA1a6f890fddfb2be0129576355048a092512a40c0c
SHA2565b150480cbdc3a67c5138a1770eb34c1ba9aaaecc695ed8ad7a0eb598a7561f0
SHA512cdfeee4c35b0432d10ffea6c8f329a8a77177a191805f8034be6a94189e54dc1349919105bb6d73f7af9eb4d0685247c27d628aa4b99605ce7e7ed629d0d9a34
-
Filesize
9KB
MD5bc9c44652aa46fd199148a5fad92044e
SHA1f3cfd9a1c8eabb8796ec33c310793d4e2aa03a6c
SHA256218f5043d6c09c56df50c5c5f7ce6a966a4bd021640095635d7a3156e916d510
SHA512ca254cb48f16d1b9a4c9d331f781c5cd781e4247f4d5b58b652c04ee0e2c52d423b0b518b04365e9ddd228efb3b548e88cf2e229aa8a6ad92fdbf66937299e27
-
Filesize
10KB
MD50cd12c46fed7cd6dfe66aaceb9e37e6d
SHA134b1e796191bf5f1213092e6a1413c701a28bd2e
SHA256d85aa8cd19ee27b63431fb7cc99a7419a8d952eeab74050fc09bcaaf4c6f511b
SHA5124d7d0e74354749228a3ce13e22014fdaf15294b93c51edc08a6ff6d963a1283140274bc924003cc9ff51f2c53f52e98436bfe1e593ee53b66b0427c48d7b7045
-
Filesize
10KB
MD5b52006c5a15b27b9ea614a1fead3f7a2
SHA17b60c63679a1e522c7fecb5fd8deda1ce0994769
SHA25676e7455b7d2fb09ee0f11fd5a1fbdfb16c3f1c28b0178c6647eeb4a7f0819263
SHA5122179a5302ac819ff873139b0ddc2d75e2cbeefc24d7b69e053afe8128a8759247b282095d30d300ec9213aee93f858d4f79872a76566f1fd63edd4ad3510aaf6
-
Filesize
10KB
MD5f66977ff6c8ffff70ca0069ded22c32c
SHA1c641ee671a189fa227ba40b50f91a760d13d09df
SHA2564400ed6587e1ffe9bb9bed52c7d6e3cc066c788a37b3b0d9aeebd3f5eb23a418
SHA5122e5c9f3053509f0156cb0fb0d3578fcbb5735454a60f7f242226128f2a8b999de9d5a7e5e8952db3894460d38ea952dee68485ad18f54a640744550fc8431c52
-
Filesize
9KB
MD5c9d82e7c98e8bfac3e9514de3c124507
SHA1311281a375dd7b6a5e22e9cc9262f43aa332f8ff
SHA256eb3dbc88ea3e8ce0a690dba9996db6bc2067fd010636af7278e042ccc23014b8
SHA512312aefe2136a3e843ab3946419ed3710c9d80c853132afad296d4e68a7e912e9f50ef9b4d060c3d9198218b4fffa4256a7efad853bd15b219d65c466479b4bcc
-
Filesize
9KB
MD52bcb56416ee6ccaa44cb711031fd1ab0
SHA13662bfd6ba35ffcc3c1a30253c10c0f6b0c5e3ea
SHA256541af61173fb4c30af290a3265eb458c3b7e2f63ffd6378f6d097aabdbca11e3
SHA512d1afa967d5823ce0aa0ecb94695f48afa13b0166ac57c0cb0a85a5b2273f398dd4c2aa795d490ba8eafde4307092025830abc7a1b4eee8e3c287f45a0705529b
-
Filesize
10KB
MD5abcb8adae22dbc79a21d4f762b4e929c
SHA13012b83d035608e2d51f1f258ff2a2e6d362bb46
SHA256d63ca9de82448666db03cc8c2ebe019ead1f915b8c72f559eabf2ce269afca77
SHA512896cbf31af87e349d0c0ef7719444eb40a3acd48b9c401e93746ba1d2109c463e0cfe3392ddeafb1d3f39d276a55722392831bd2268a99e74e6ada4a40c82c7e
-
Filesize
10KB
MD561476d8f478bd57c8d0a05df649d05f6
SHA185d978d0e16bf3f604af58f8c4e5c56019de2cf2
SHA2561dc7338bddf22a74aadfb01983207e1b3046dfa60e5e2a91c5031a7d456231a1
SHA512fb96dcac94396e39726685e653d214d55f3b7f83c6780684f0a73f016026fc1ed407162b371362026601d39fd89ab80e6c135386568b641dee692f4c39fe6b46
-
Filesize
10KB
MD523fc549ec2c76a1b3d7819a39875b88d
SHA1c8a27f82694e396d2a441a82267db52deeed320b
SHA2568f0da8107f8b532c1358d4d7200f0179c6f34d66a1e3cf6cf7c71ecb9b594bf6
SHA51270fde4a93fcc8971206f711ba06d3e9e0be15c8a9669138aef632e87568ee4d4b30e79164ca6464b3dcfad5b5639ff796ddc1f6d94e6c2df021cbe6f1f0fa613
-
Filesize
116KB
MD54bfaa1bf29935620dc1bc2dfd5b69499
SHA1226716d079f9fe82445a82f6abbe8ab426304a54
SHA256c585b2423207e28b78344e6e3945542021c1e9411caf8d1065ab75a5835650f1
SHA512597d38f9acc250087cf85abe51b887b84b379109eda3e6d8f7c53cae0711f429b59201e3f8cd1985334ba4f343b53dcda8cfce2f5e4768c4f88e7870e6e530ec
-
Filesize
116KB
MD5ced6a180a360c6cdcaba39d31f394616
SHA1a8218cbf796011743640e0ac0cdab15c69f1bc05
SHA2567aca2f6bf6e105ac29fa7b6bf1b89d7c4b6d925a2797fc74fb2d00a6a7412d6b
SHA512b0dab8b98cc98b8e37b32ad0c74a61290f5dcca42ccc92894fddfc803bbcf08d3944ba33b0d571a8e2abf746a1ff1a3607693b70c960d1a7d8918d7629fe19a3
-
Filesize
116KB
MD5c663ae5ef15cbc7ff3e72367a9247502
SHA1d106b446d0d234c25222ca2652f0b0f822f98ded
SHA256248fb9841a074884cb30bcd29db020265b376c26320ab2099684eb5b4272cdd9
SHA51216d7d41fde7b8b5b5d1eea8cfe62dbff99ca270599673be217f9c1bc15595fa099499541be423f00fe712df882d93750aa0b0b81f3454bb3319a12f50745accc
-
Filesize
113KB
MD54fdd16752561cf585fed1506914d73e0
SHA1f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA5123695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600
-
Filesize
1.6MB
MD5a05c87dd1c5bef14c7c75f48bf4d01ea
SHA1d71f4a29ba67dc5f5a6cf99091613771d664ee0e
SHA256274e12d01e0cae083202df4a809c1c153b02cb3ca121c19c43b0aaa1c3a53a40
SHA512f64864193ff892be86462aaea9a019a9085e937d199161536d163bf183f4ba08100d17f2cf962818b106b2c797d1f22b92933e9711273d85d7d08f0d18400222
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.9MB
MD50592ca25cf22e8d5daabacd1130d38f6
SHA10a59fd8723de4cb9bf6c3272a5db7771e575eff9
SHA2563b8991f1eebfc46988db25fe0ded11c3c08df81ae2ca1baf9103ba8259cafc99
SHA5121be2c9f7ff9fc9cab5e5a784b281585d89070413722cb4584e91d4a4b57e628643871ee672049c32a8b2399c8358f1c6d7df20af1b3c39aa9b669902b71a91cc
-
Filesize
24.1MB
MD56440e47ab599ed1453f23a65842982d2
SHA12d12ff913331eaf0f6b70f56b290c4633c9bc55a
SHA25670b6a3cd076c884caa0f17ed8dca00e21b8d32cd1661a09f8b943b8c6992ec10
SHA5126bdd1c089ef2b5d3b34349d6cc022790562db965ea5fc82da79bbc04429aad19f56ace2875add74f8c3c622db4e9349e94226baa5e623969275dbe97f838a64a
-
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4a4d9a68-35f4-4ab1-8c7e-c2790798ac46}_OnDiskSnapshotProp
Filesize6KB
MD527b4670d78df58e1580f15aa2276cf98
SHA1a040e1703778e5a891591770d827d90b69984c10
SHA256e986845847d33530db6a8c870d676a2beeee59f02f0670ba1ee27174a73460b7
SHA512bdaf4bc5b6b647bb6060f83ae5ce79b1630981e0cc4e909941022a88e6698323de348c5fd42774752d7da765e560e47e0e1c854addf3781ef373c734efbb0695