Resubmissions
  09/11/2024, 21:59   241109-1v6r4atbqk   score 6
  09/11/2024, 21:57   241109-1vch9aslex   score 6
  09/11/2024, 21:56   241109-1tn6natbnj   score 8

Analysis
  max time kernel:   208s
  max time network:  202s
  platform:          windows11-21h2_x64
  resource:          win11-20241007-en
  resource tags:     arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  submitted:         09/11/2024, 21:57
Static task:      static1
Behavioral task:  behavioral1
  Sample:    Retrac.Launcher_1.0.14_x64_en-US.msi
  Resource:  win11-20241007-en

General
  Target:  Retrac.Launcher_1.0.14_x64_en-US.msi
  Size:    6.8MB
  MD5:     ae30168aa8f32e9a4f00df855a303509
  SHA1:    287b7fba5ff1ba3f5261b8a842da3f6b23e61e02
  SHA256:  b99bb0941d2258332591632921c5fd9a35bcc2487e69cf2b7a92579965dafc2c
  SHA512:  4e88b2402fcf60465d8990227f13d5d0c7e016a7a62b0478d7b26406e3cbde86e31e212d5b5cbcb4dad08222694f02008c078cfcd0ed6cd851756fd832bf563d
  SSDEEP:  196608:0wcRCejj2fzY5Uj1H7lNMsR2AcEE7IEEvo1L1:dcR//2bYI1blIA/wWUL1
Malware Config
Signatures

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc                 Process
  File opened (read-only)  \??\A: ... \??\Z:   msiexec.exe
  The 46 events cover every drive letter except C:, D: and F: (A, B, E, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z), each letter opened twice. The process in every row is msiexec.exe, the Windows Installer engine walking the mounted volumes during the install, not the installed launcher.
Drops file in Program Files directory (2 IoCs)
  description   ioc                                                        Process
  File created  C:\Program Files\Retrac Launcher\Retrac Launcher.exe       msiexec.exe
  File created  C:\Program Files\Retrac Launcher\Uninstall Retrac Launcher.lnk   msiexec.exe
Drops file in Windows directory (14 IoCs)
Process for every row: msiexec.exe
  File opened for modification  C:\Windows\Installer\
  File created                  C:\Windows\Installer\SourceHash{1DEBC8E2-16D4-4E22-8390-1DC685669AD1}
  File opened for modification  C:\Windows\Installer\MSIFC32.tmp
  File created                  C:\Windows\Installer\e57fb4a.msi
  File created                  C:\Windows\SystemTemp\~DF078805FB089FC906.TMP
  File created                  C:\Windows\Installer\e57fb48.msi
  File opened for modification  C:\Windows\Installer\e57fb48.msi
  File created                  C:\Windows\Installer\inprogressinstallinfo.ipi
  File created                  C:\Windows\SystemTemp\~DFA1560C2BD64E80C8.TMP
  File created                  C:\Windows\Installer\{1DEBC8E2-16D4-4E22-8390-1DC685669AD1}\ProductIcon
  File created                  C:\Windows\SystemTemp\~DF80151E47BF3B3F85.TMP
  File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  File created                  C:\Windows\SystemTemp\~DFD646934F5EFD1DC2.TMP
  File opened for modification  C:\Windows\Installer\{1DEBC8E2-16D4-4E22-8390-1DC685669AD1}\ProductIcon
  The e57fb48.msi / e57fb4a.msi files are the cached copies of the package that Windows Installer keeps for repair and uninstall, and {1DEBC8E2-16D4-4E22-8390-1DC685669AD1} is the package's ProductCode.
Executes dropped EXE (4 IoCs)
  pid   Process
  2164  Retrac Launcher.exe
  1452  Retrac Launcher.exe
  2068  Retrac Launcher.exe
  3364  Retrac Launcher.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  4808  MsiExec.exe
  4808  MsiExec.exe
  PID 4808 is the 32-bit custom-action host (MsiExec.exe -Embedding 706553DF904293198409BE54DB38F72F C in the process tree below), so the DLLs it loads are the package's own custom-action code; the report does not name them.

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoCs)
  pid   Process
  5056  msiexec.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                             Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     MsiExec.exe
  The single read comes from the installer's custom-action host while installing a language-specific (en-US) package, which is expected; it is not the launcher fingerprinting the host.
System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 12 IoCs)
Adversaries may check for Internet connectivity on compromised systems.
  pid   Process
  2976  msedgewebview2.exe
  3904  msedgewebview2.exe
  4840  msedgewebview2.exe
  4864  msedgewebview2.exe
  4980  msedgewebview2.exe
  2976  msedgewebview2.exe
  3964  msedgewebview2.exe
  3316  msedgewebview2.exe
  5016  msedgewebview2.exe
  732   msedgewebview2.exe
  4416  msedgewebview2.exe
  1588  msedgewebview2.exe
  Every hit is an Edge WebView2 runtime process (the GPU, storage and renderer children in the tree below), not Retrac Launcher.exe itself.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Process for every row: vssvc.exe
  Key opened        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
  Key queried       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters
  Key created       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not shown on the page)
  Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  All five rows belong to vssvc.exe, the Windows Volume Shadow Copy service, writing the partition-manager caches while a restore point is taken (see "Uses Volume Shadow Copy service COM API" below). None of the sample's own processes touch these keys.
Enumerates system info in registry (2 TTPs, 12 IoCs)
Process for every row: msedgewebview2.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   (4 rows)
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  (4 rows)
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     (4 rows)
  All twelve reads are by the WebView2 runtime, one set per browser process, not by the launcher.
Modifies data under HKEY_USERS (3 IoCs)
  description  ioc                                                                          Process
  Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26          msiexec.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27          msiexec.exe
  Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E  msiexec.exe
Modifies registry class (26 IoCs)
Process for every row: msiexec.exe. Key prefixes used below:
  P = \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2E8CBED14D6122E43809D16C5866A91D
  F = \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2E8CBED14D6122E43809D16C5866A91D
  U = \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\287324E2A8A2DC05090DA73D4E4E3F4C

  Set value (int)   P\Language = "0"
  Set value (str)   P\ProductIcon = "C:\\Windows\\Installer\\{1DEBC8E2-16D4-4E22-8390-1DC685669AD1}\\ProductIcon"
  Set value (str)   U\2E8CBED14D6122E43809D16C5866A91D
  Key created       P\SourceList
  Set value (str)   P\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Key created       F
  Set value (str)   F\ShortcutsFeature = "MainProgram"
  Set value (int)   P\Version = "16777230"
  Set value (str)   F\External
  Key created       P
  Set value (int)   P\AdvertiseFlags = "388"
  Set value (int)   P\AuthorizedLUAApp = "0"
  Set value (int)   P\DeploymentFlags = "3"
  Key created       P\SourceList\Net
  Key created       P\SourceList\Media
  Set value (str)   P\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Set value (str)   P\ProductName = "Retrac Launcher"
  Set value (str)   P\PackageCode = "81B208A4D7FEB6D46846DBD889F777F4"
  Set value (int)   P\Assignment = "1"
  Set value (int)   P\InstanceType = "0"
  Key created       U
  Set value (str)   P\SourceList\PackageName = "Retrac.Launcher_1.0.14_x64_en-US.msi"
  Set value (str)   P\SourceList\Media\1 = ";"
  Set value (data)  P\Clients = 3a0000000000
  Set value (str)   F\MainProgram
  Set value (str)   F\Environment = "MainProgram"
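The Products, Features and UpgradeCodes key names in this signature are the Windows Installer "compressed" spelling of GUIDs: 2E8CBED14D6122E43809D16C5866A91D is the same ProductCode that appears as {1DEBC8E2-16D4-4E22-8390-1DC685669AD1} in the C:\Windows\Installer paths above, and Version = "16777230" packs major.minor.build into one DWORD. The Python below is an added example written for this page (it is not part of the sandbox report or of the Retrac Launcher project) that converts between the two GUID forms and decodes the version, using only the values the report shows, so an analyst can tie the registry rows to the file-system rows without guessing.

```python
"""Added example (not part of the sandbox report): relate the Windows
Installer registry artifacts above to each other.

Windows Installer stores product, package and upgrade GUIDs under
HKLM\\SOFTWARE\\Classes\\Installer\\... in a compressed form: the first
three GUID fields are reversed character-by-character, and every byte
(pair of hex digits) of the last two fields is reversed. The Version
DWORD packs major.minor.build as 8/8/16 bits.
"""
import re

# Values copied from the report above.
PRODUCT_CODE = "{1DEBC8E2-16D4-4E22-8390-1DC685669AD1}"  # C:\Windows\Installer\{...}
PRODUCTS_KEY = "2E8CBED14D6122E43809D16C5866A91D"         # Installer\Products\<key>
UPGRADE_KEY = "287324E2A8A2DC05090DA73D4E4E3F4C"          # Installer\UpgradeCodes\<key>
PACKAGE_CODE = "81B208A4D7FEB6D46846DBD889F777F4"         # Products\<key>\PackageCode
VERSION_DWORD = 16777230                                  # Products\<key>\Version

_GUID = re.compile(
    r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})"
    r"-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$"
)


def _swap_bytes(hexstr: str) -> str:
    """Reverse the two hex digits of every byte: '8390' -> '3809'."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def squish_guid(guid: str) -> str:
    """Registry-compressed form of a GUID, as used for Installer\\Products keys."""
    m = _GUID.match(guid)
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    a, b, c, d, e = (g.upper() for g in m.groups())
    return a[::-1] + b[::-1] + c[::-1] + _swap_bytes(d) + _swap_bytes(e)


def unsquish_guid(key: str) -> str:
    """Inverse of squish_guid: turn a 32-hex-digit key name back into a GUID."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", key):
        raise ValueError(f"not a compressed GUID: {key!r}")
    k = key.upper()
    return "{%s-%s-%s-%s-%s}" % (
        k[0:8][::-1], k[8:12][::-1], k[12:16][::-1],
        _swap_bytes(k[16:20]), _swap_bytes(k[20:32]),
    )


def decode_msi_version(dword: int) -> str:
    """ProductVersion as stored in Products\\<key>\\Version: major.minor.build."""
    return f"{(dword >> 24) & 0xFF}.{(dword >> 16) & 0xFF}.{dword & 0xFFFF}"


def summarise() -> dict:
    """Cross-check the report's registry keys against its file-system artifacts."""
    product_code = unsquish_guid(PRODUCTS_KEY)
    return {
        "products_key_is_product_code": squish_guid(PRODUCT_CODE) == PRODUCTS_KEY,
        "product_code": product_code,
        "upgrade_code": unsquish_guid(UPGRADE_KEY),
        "package_code": unsquish_guid(PACKAGE_CODE),
        "version": decode_msi_version(VERSION_DWORD),
        # where the cached icon and SourceHash for this product live on disk
        "installer_dir": r"C:\Windows\Installer\%s" % product_code,
    }


if __name__ == "__main__":
    for name, value in summarise().items():
        print(f"{name:30} {value}")
```

Running it confirms that the Products key really is the ProductCode from the Windows\Installer paths and that the Version DWORD decodes to 1.0.14, matching the package file name; the same two helpers work on any Installer\Products, Installer\UpgradeCodes or PackageCode value pulled from a host during an investigation.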
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   Process
  2836  msiexec.exe (2 rows)
  1804  msedgewebview2.exe (2 rows)
  660   msedgewebview2.exe (2 rows)
  1052  msedgewebview2.exe (2 rows)
  1116  msedgewebview2.exe (2 rows)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  pid   Process
  1388  msedgewebview2.exe
  3016  msedgewebview2.exe
  4432  msedgewebview2.exe
  2192  msedgewebview2.exe
  These are the four WebView2 browser processes. Each creates its child processes with the "block non-Microsoft binaries" process-creation mitigation, which Chromium applies to its own sandboxed children (code-integrity guard); the signature name reads as suspicious, but here it records a hardening setting, not an injection technique.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 2836 msiexec.exe: SeSecurityPrivilege (1 row)
  PID 5056 msiexec.exe: 63 rows. SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then two complete passes over the following 29 privileges in this order, then SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege and SeLockMemoryPrivilege once more (the listing stops at 64 rows):
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  Enabling every privilege in its token is what the msiexec.exe client does on every install, so this row set appears in practically any sandbox run of an MSI and carries no information specific to this package.
Suspicious use of FindShellTrayWindow (14 IoCs)
  pid   Process
  5056  msiexec.exe (2 rows)
  2164  Retrac Launcher.exe
  1388  msedgewebview2.exe (2 rows)
  1452  Retrac Launcher.exe
  3016  msedgewebview2.exe (2 rows)
  2068  Retrac Launcher.exe
  4432  msedgewebview2.exe (2 rows)
  3364  Retrac Launcher.exe
  2192  msedgewebview2.exe (2 rows)
Suspicious use of WriteProcessMemory (64 IoCs)
Each row in the report reads "PID <source> wrote to memory of <target> <source> <source image> <target index>"; the rows below are the distinct edges with how many times each repeats.
  source pid  source image          target pid  procid_target  rows
  2836        msiexec.exe           4808        84             3
  2836        msiexec.exe           1572        88             2
  4808        MsiExec.exe           2164        91             2
  2164        Retrac Launcher.exe   1388        92             2
  1388        msedgewebview2.exe    2352        93             2
  1388        msedgewebview2.exe    732         94             40
  1388        msedgewebview2.exe    1804        95             2
  1388        msedgewebview2.exe    4416        96             11
  (the listing stops at 64 rows)
  Every edge is a parent writing into a child it has just created (installer service to custom-action host, custom-action host to the dropped launcher, launcher to its WebView2 browser process, browser process to its GPU, network, storage and crashpad children); no process writes into an unrelated one.
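Read as a parent-to-child graph, the rows in this signature give the whole install chain: msiexec.exe /V (2836) to the custom-action host (4808) to the dropped Retrac Launcher.exe (2164) to its WebView2 browser process (1388). The Python below is an added example written for this page, not code from the sandbox or from the Retrac Launcher project; it parses rows in exactly the report's format, folds the repeats into counts, and joins the result with the image paths from the Processes section to answer the one question an analyst has here: which binary did the installer's custom-action server hand control to? The rows and the PID-to-image map are copied from this report.

```python
"""Added example (not part of the sandbox report): rebuild process lineage
from the 'Suspicious use of WriteProcessMemory' rows above.

Each row has the shape
    PID <src> wrote to memory of <dst> <src> <src image> <target index>
and the sandbox emits one row per write, so a parent that sets up a
sandboxed Chromium child (dozens of writes) floods the listing.
Deduplicating the rows into a parent -> child graph and joining it with
the image paths from the Processes section answers the triage question:
which binary did the installer's custom-action server hand control to?
"""
import re
from collections import Counter

# Rows copied from the report above (a representative subset; the report
# repeats most of them many times, which the parser folds into counts).
WPM_ROWS = """
PID 2836 wrote to memory of 4808 2836 msiexec.exe 84
PID 2836 wrote to memory of 4808 2836 msiexec.exe 84
PID 2836 wrote to memory of 4808 2836 msiexec.exe 84
PID 2836 wrote to memory of 1572 2836 msiexec.exe 88
PID 4808 wrote to memory of 2164 4808 MsiExec.exe 91
PID 2164 wrote to memory of 1388 2164 Retrac Launcher.exe 92
PID 1388 wrote to memory of 2352 1388 msedgewebview2.exe 93
PID 1388 wrote to memory of 732 1388 msedgewebview2.exe 94
PID 1388 wrote to memory of 1804 1388 msedgewebview2.exe 95
PID 1388 wrote to memory of 4416 1388 msedgewebview2.exe 96
"""

# PID -> image path, taken from the Processes section of the report.
WEBVIEW = r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"
IMAGES = {
    5056: r"C:\Windows\system32\msiexec.exe",   # msiexec.exe /I <package>
    2836: r"C:\Windows\system32\msiexec.exe",   # msiexec.exe /V (service instance)
    4808: r"C:\Windows\syswow64\MsiExec.exe",   # -Embedding custom-action server
    1572: r"C:\Windows\system32\srtasks.exe",
    2164: r"C:\Program Files\Retrac Launcher\Retrac Launcher.exe",
    1388: WEBVIEW, 2352: WEBVIEW, 732: WEBVIEW, 1804: WEBVIEW, 4416: WEBVIEW,
}

_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (.+?) (\d+)$")


def parse_edges(text: str):
    """Return (Counter{(parent_pid, child_pid): writes}, {pid: image name})."""
    edges, names = Counter(), {}
    for line in text.strip().splitlines():
        m = _ROW.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        src, dst, src_again, image, _target_index = m.groups()
        if src != src_again:
            raise ValueError(f"pid columns disagree: {line!r}")
        edges[(int(src), int(dst))] += 1
        names[int(src)] = image
    return edges, names


def ancestry(edges, pid: int):
    """Walk parent links upward; returns [root, ..., pid]."""
    parents = {child: parent for (parent, child) in edges}
    chain, seen = [pid], {pid}
    while chain[0] in parents:
        parent = parents[chain[0]]
        if parent in seen:          # guard against malformed (cyclic) input
            break
        seen.add(parent)
        chain.insert(0, parent)
    return chain


def _under_program_files(path: str) -> bool:
    return path.lower().startswith(r"c:\program files")


def installer_launched_binaries(edges, images):
    """Program Files binaries whose parent is outside Program Files and whose
    ancestry passes through the syswow64 MsiExec.exe custom-action server.
    Children of a reported binary (e.g. the WebView2 tree) are not repeated."""
    parents = {child: parent for (parent, child) in edges}
    hits = []
    for pid, image in images.items():
        if not _under_program_files(image):
            continue
        parent = parents.get(pid)
        if parent is not None and _under_program_files(images.get(parent, "")):
            continue
        chain = ancestry(edges, pid)
        if any(images.get(p, "").lower().endswith(r"\syswow64\msiexec.exe")
               for p in chain[:-1]):
            hits.append((pid, chain))
    return hits


if __name__ == "__main__":
    edges, names = parse_edges(WPM_ROWS)
    for (parent, child), n in sorted(edges.items()):
        print(f"{parent:>5} ({names[parent]}) -> {child:>5}  x{n}")
    for pid, chain in installer_launched_binaries(edges, IMAGES):
        print("installer handed control to", pid, IMAGES[pid], "via", chain)
```

On this report the only hit is PID 2164, reached through 2836 -> 4808 -> 2164: the launcher was started by the package's custom action during the install, and everything below it is the WebView2 runtime. The same script runs unchanged on the full 64-row listing; the repeated rows just raise the counts.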
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
  No IoC rows are listed for this signature. The installer's service instance (PID 2836) starts srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 (PID 1572), the System Restore task that takes a restore point before an install, and that restore point is what brings up vssvc.exe (PID 3312) and the SCSI registry writes listed above. This is the System Restore side of a normal MSI install, not shadow-copy tampering.
Processes
The [n] marker and indentation give each process's depth in the tree. The msedgewebview2.exe entries are the Edge WebView2 runtime (90.0.818.66) hosting the launcher's UI with its profile under C:\Users\Admin\AppData\Local\site.retrac\EBWebView; the switches on its GPU, network, storage and renderer children are built by the browser process itself, as for any Chromium child, and are not arguments supplied by the launcher.

[1] C:\Windows\system32\msiexec.exe  PID 5056
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Retrac.Launcher_1.0.14_x64_en-US.msi
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow

[1] C:\Windows\system32\msiexec.exe  PID 2836
    C:\Windows\system32\msiexec.exe /V
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\syswow64\MsiExec.exe  PID 4808
        C:\Windows\syswow64\MsiExec.exe -Embedding 706553DF904293198409BE54DB38F72F C
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files\Retrac Launcher\Retrac Launcher.exe  PID 2164
            "C:\Program Files\Retrac Launcher\Retrac Launcher.exe"
            - Executes dropped EXE
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe  PID 1388
                "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=2164.4820.6597498019645140421
                - Enumerates system info in registry
                - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of WriteProcessMemory

                [5] msedgewebview2.exe (crashpad handler)  PID 2352
                    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\site.retrac\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\site.retrac\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\site.retrac\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b4,0x7ffde4113cb8,0x7ffde4113cc8,0x7ffde4113cd8

                [5] msedgewebview2.exe (GPU process)  PID 732
                    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1720,718084372349002756,14162411439953334900,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
                    - System Network Configuration Discovery: Internet Connection Discovery

                [5] msedgewebview2.exe (network service)  PID 1804
                    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,718084372349002756,14162411439953334900,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2088 /prefetch:3
                    - Suspicious behavior: EnumeratesProcesses

                [5] msedgewebview2.exe (storage service)  PID 4416
                    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,718084372349002756,14162411439953334900,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2352 /prefetch:8
                    - System Network Configuration Discovery: Internet Connection Discovery

                [5] msedgewebview2.exe (renderer)  PID 4864
                    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1720,718084372349002756,14162411439953334900,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
                    - System Network Configuration Discovery: Internet Connection Discovery

    [2] C:\Windows\system32\srtasks.exe  PID 1572
        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:3312
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3396
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:768
-
C:\Program Files\Retrac Launcher\Retrac Launcher.exe"C:\Program Files\Retrac Launcher\Retrac Launcher.exe"1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1452 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=1452.3684.103896106663115256602⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:3016 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\site.retrac\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\site.retrac\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\site.retrac\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x1d8,0x7ffde4113cb8,0x7ffde4113cc8,0x7ffde4113cd83⤵PID:2500
-
-
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1796,2832502917471038062,2546844877358963286,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1844 /prefetch:2
    - System Network Configuration Discovery: Internet Connection Discovery
    PID: 4980
-
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1796,2832502917471038062,2546844877358963286,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2088 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 660
-
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1796,2832502917471038062,2546844877358963286,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2560 /prefetch:8
    - System Network Configuration Discovery: Internet Connection Discovery
    PID: 3904
-
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1796,2832502917471038062,2546844877358963286,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:1
    - System Network Configuration Discovery: Internet Connection Discovery
    PID: 2976
-
C:\Program Files\Retrac Launcher\Retrac Launcher.exe
"C:\Program Files\Retrac Launcher\Retrac Launcher.exe"
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID: 2068
  C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=2068.1568.329654418000764131
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID: 4432
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\site.retrac\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\site.retrac\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\site.retrac\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x11c,0x7ffde4113cb8,0x7ffde4113cc8,0x7ffde4113cd8
    PID: 3564
-
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1800,373822362865304526,2351435858175466475,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
    - System Network Configuration Discovery: Internet Connection Discovery
    PID: 3964
-
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1800,373822362865304526,2351435858175466475,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=1900 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 1052
-
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1800,373822362865304526,2351435858175466475,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2516 /prefetch:8
    - System Network Configuration Discovery: Internet Connection Discovery
    PID: 3316
-
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1800,373822362865304526,2351435858175466475,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
    - System Network Configuration Discovery: Internet Connection Discovery
    PID: 5016
-
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
PID: 4472
-
C:\Program Files\Retrac Launcher\Retrac Launcher.exe
"C:\Program Files\Retrac Launcher\Retrac Launcher.exe"
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID: 3364
  C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --lang=en-US --mojo-named-platform-channel-pipe=3364.3820.4346149025679466248
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID: 2192
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\site.retrac\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\site.retrac\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\site.retrac\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1ac,0x7ffde4113cb8,0x7ffde4113cc8,0x7ffde4113cd8
    PID: 2060
-
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1716,9307472822947079934,9214831321464898628,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1732 /prefetch:2
    - System Network Configuration Discovery: Internet Connection Discovery
    PID: 4840
-
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1716,9307472822947079934,9214831321464898628,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2100 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
    PID: 1116
-
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1716,9307472822947079934,9214831321464898628,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2580 /prefetch:8
    - System Network Configuration Discovery: Internet Connection Discovery
    PID: 2976
-
    C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1716,9307472822947079934,9214831321464898628,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msPdfOOUI,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSmartScreenProtection,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch,msWebOOUI --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
    - System Network Configuration Discovery: Internet Connection Discovery
    PID: 1588
-
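The process tree above is the part of a report an analyst actually compares across runs, but as extracted here each entry is one 1,500-character line with the image path fused to the command line and the tree level fused to the last argument. As an added example (not part of this report, and not code from the launcher's authors or the sandbox vendor), the Python below turns that text back into records and pulls out the command-line details worth a second look: which utility process runs with `--service-sandbox-type=none`, which feature flags are disabled, whether the renderer runs without V8 untrusted-code mitigations, and whether each WebView2 host's named pipe points back at a level-1 launcher process. `SAMPLE` is constructed from shortened copies of entries on this page; the rule that the first component of `--mojo-named-platform-channel-pipe` is the host's PID is an assumption (it matches every entry here: 2068.1568… under PID 2068, 3364.3820… under PID 3364).

```python
"""Turn tria.ge-style process-tree text back into records and list the
command-line details worth a second look.

Added example; not part of the report and not the launcher's or sandbox's
code. Assumed layout (as extracted on this page): image path fused to the
quoted command line, a tree-level digit fused to the last argument, the
U+2935 arrow, then an optional inline "PID:<n>". SAMPLE is constructed from
shortened copies of entries on this page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ARROW = "\u2935"  # the glyph the extractor left between tree level and PID

ENTRY_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.exe)"  # image path, up to the first ".exe"
    r"(?P<cmd>.*?)"                    # command line as launched (may be quoted)
    r"(?P<level>\d)" + ARROW +         # tree depth digit fused to the last argument
    r"(?:PID:(?P<pid>\d+))?\s*$"
)

# Constructed sample: five entries from this page with most Chromium switches dropped.
SAMPLE = r'''
C:\Program Files\Retrac Launcher\Retrac Launcher.exe"C:\Program Files\Retrac Launcher\Retrac Launcher.exe"1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2068 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="Retrac Launcher.exe" --webview-exe-version=1.0.14 --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --mojo-named-platform-channel-pipe=2068.1568.3296544180007641312⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:4432 -
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\site.retrac\EBWebView" --mojo-platform-channel-handle=2088 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
PID:660
-
C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2956 /prefetch:13⤵
- System Network Configuration Discovery: Internet Connection Discovery
PID:2976
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4472
'''


@dataclass
class Proc:
    path: str
    cmdline: str
    level: int
    pid: Optional[int] = None
    behaviours: List[str] = field(default_factory=list)
    flags: Dict[str, str] = field(default_factory=dict)


def tokenize(cmd: str) -> List[str]:
    # A token may mix bare text and "quoted" spans, so
    # --webview-exe-name="Retrac Launcher.exe" stays one token; quotes are dropped.
    return [t.replace('"', "") for t in re.findall(r'(?:[^\s"]+|"[^"]*")+', cmd)]


def parse_flags(tokens: List[str]) -> Dict[str, str]:
    """--key=value switches to a dict (a bare --switch maps to ""); tokens[0] is the image."""
    flags: Dict[str, str] = {}
    for tok in tokens[1:]:
        if tok.startswith("--"):
            key, _, val = tok[2:].partition("=")
            flags[key] = val  # repeated keys (crashpad --annotation) keep the last value
        elif tok.startswith("/prefetch:"):
            flags["prefetch"] = tok.split(":", 1)[1]
    return flags


def parse_report(text: str) -> List[Proc]:
    procs: List[Proc] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "-":  # blank lines and collapsed-tree residue
            continue
        m = ENTRY_RE.match(line)
        if m:
            cmd = m.group("cmd")
            procs.append(Proc(m.group("path"), cmd, int(m.group("level")),
                              int(m.group("pid")) if m.group("pid") else None,
                              flags=parse_flags(tokenize(cmd))))
        elif line.startswith("PID:") and procs:
            procs[-1].pid = int(line[4:].split()[0])  # "PID:2068 -" -> 2068
        elif line.startswith("- ") and procs:
            procs[-1].behaviours.append(line[2:])
    return procs


def review(procs: List[Proc]) -> Dict[Optional[int], List[str]]:
    """Per-PID findings: things to check, not verdicts; each also occurs in ordinary WebView2 trees."""
    hosts = {p.pid: p for p in procs if p.level == 1}
    notes: Dict[Optional[int], List[str]] = {}
    for p in procs:
        f, found = p.flags, []
        if f.get("service-sandbox-type") == "none":
            found.append("unsandboxed-utility:" + f.get("utility-sub-type", "?"))
        if "msSmartScreenProtection" in f.get("disable-features", "").split(","):
            found.append("smartscreen-disabled")
        if "no-v8-untrusted-code-mitigations" in f:
            found.append("v8-mitigations-off")
        pipe = f.get("mojo-named-platform-channel-pipe")
        if pipe:
            # Assumption (holds for every entry on this page): the first component
            # of the pipe name is the PID of the WebView2 host process.
            host_pid = int(pipe.split(".")[0])
            host, exe = hosts.get(host_pid), f.get("webview-exe-name", "")
            ok = host is not None and bool(exe) and host.path.endswith("\\" + exe)
            found.append(f"host-ok:{host_pid}" if ok else f"host-mismatch:{host_pid}")
        if found:
            notes[p.pid] = found
    return notes


if __name__ == "__main__":
    tree = parse_report(SAMPLE)
    for p in tree:
        name = p.path.rsplit("\\", 1)[-1]
        print("  " * (p.level - 1) + f"pid={p.pid} {name} type={p.flags.get('type', 'host')}")
    for pid, found in review(tree).items():
        print(pid, found)
```

Every finding it reports is also seen in benign WebView2 trees (Chromium did not sandbox the network service on Windows by default at this version, and `--no-v8-untrusted-code-mitigations` is the normal renderer setting when site isolation is on); the value is in getting those facts out of the long command lines so that two submissions of the same installer can be diffed, and in the host-pipe check, which catches a `msedgewebview2.exe` that claims a `--webview-exe-name` no level-1 process on the page actually has.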
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
10KB
MD5
8dbaf90bd510a14dac1488ccc82f1d18
SHA1
ef8c495e24dfb061b770187511635f33b51ec724
SHA256
31fe9775bd166a8ad43fb05566063646d4711d8504715cbe30f0f3cf95267b8e
SHA512
86d1a245a7bc8d7b0114f1187e90dda4cab1b66b65dd5885bf14c1b5690b9ecd1e7fafb0a30921e4e9968bb6119c9dfa134125943969dcb5aebbf6abc9e595ba
-
Filesize
13.0MB
MD5
581db83f7ec4b6d773abbf1f5ce67b64
SHA1
92bda9c192cd611ee969bdbfb3f9019fbd5a0a9a
SHA256
36657fd756a26c855923e601e239c855e36593c2a7ffca04a7d9629cdc0c6ca3
SHA512
837d2609cc3cb4270759f6d23ba730a220ea684e1b4b3f82da1d64cee69c30c61a1ba9e0e59c8473f7042bce7f00c4b31e52dde69ad7d8e59f76566870906b65
-
Filesize
2KB
MD5
daa93373ab67fb89dfa13bcdb87f79a6
SHA1
f1015f34153e66e537a1965436e9a903b3b50b83
SHA256
9616dcc556ef6039688599e884e65ec3ea588297e5ddc21bc90b169d9092435e
SHA512
19d778df4c2d0965c8b19e3d11677637b7889597cf17d77e01742f85a18280b65ba301b677cbc332e67fa64276c72ea513db86ad5a5bea85bc527d5c758ff8bc
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Retrac Launcher\Retrac Launcher.lnk~RFe57fcfd.TMP
Filesize
1KB
MD5
ec44127d57f80743045022a260eaf2dc
SHA1
e0a8aad8a8651bf3545d8fb34d4092607f26e4fd
SHA256
039e5ba5d73767fd7466c6da495d38dbc1fe059ced02e1d45fa71b6e4231a282
SHA512
faf0586518510dd148500be687219f200f600b6cf9563a34b164ea696d5d3179cfb7dba1341a5a0c936e559287809938df0a7b739472ca2a5ebb3afa6538079f
-
Filesize
211KB
MD5
a3ae5d86ecf38db9427359ea37a5f646
SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
113KB
MD5
4fdd16752561cf585fed1506914d73e0
SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600
-
Filesize
2KB
MD5
ae41f707ad9a46d8a199688c466267a3
SHA1
5a292dbfa834b3c9260e58a1baa48ee00bc40d16
SHA256
1de5aed5f7a3e7bc94ec71d60099f9e055e01e8f8f8ddc930caeb80103eabb3c
SHA512
5068ebd73a074511e708c5c7eeb6d4b699c40b149b28c05ad325e80340fbbddf7624851b313a5b2ad1086f5605f00bb02eb6ba328d9a092697625eccaa3918bb
-
Filesize
152B
MD5
274e63cc6f0faefcb8dd0e06725c42c2
SHA1
31fbbcca5341512081bbc569718b31724974270d
SHA256
8c4ee8d6a4e8b0d423eada5fb2320825955bc77306d9004b911cc542b4dde4cc
SHA512
cefbb35f51b188a84a4d044192f936b48fdfc6edf475779f6a5d521c826d7df80f4c9f77e12cf4f7419c0f1c6e782b8a835b69f499748abefc98719f7ac3cdd8
-
Filesize
152B
MD5
190da491cf7e8ffa213741e3dd25f890
SHA1
744fe6842767a7ac0a41eefa5b31486c4d6ea7ad
SHA256
b5f27420d4d4704c70d0068c5a4aa963345fd86c051ee63cbe3e0a99ad4b9c3b
SHA512
041f98dd01fb415516c93d7d18352d4684dd472bff01ec7e31309db4f7115f0627634d5f40b32e65e8d724ae3f7c4982a71f440a70822c453ccf0db7cca6a360
-
Filesize
152B
MD5
a712c0a3d5eee103a1259d61c72c9cb8
SHA1
f42c5e9e102994ef9e957b72463801617b7d3ee8
SHA256
318dd9b08bbaf0eda5d3800c658b2b10c7be64d7b432950484a9c714a5cd6fae
SHA512
be4175b00071184dc6414876c50d4d8e67fb063126fafb77af40270fc099f4cfe666206f0c3e69927c1ce96398c5df7b8e6d0a4cbd73cf971a60b903f63e2146
-
Filesize
20B
MD5
9e4e94633b73f4a7680240a0ffd6cd2c
SHA1
e68e02453ce22736169a56fdb59043d33668368f
SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337
-
Filesize
1B
MD5
5058f1af8388633f609cadb75a75dc9d
SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
Filesize
24B
MD5
54cb446f628b2ea4a5bce5769910512e
SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0
-
Filesize
48B
MD5
41b7027705dddb3e99a7bc4b3f236c1b
SHA1
6b9375270977b024bf461d76ee46898d6ffef119
SHA256
767574fbc5f654dfb4276ad29568280200f0cd24d3998bdbf46cc59bb40f5131
SHA512
7b8b14fa42cc756e35b7f934c81da5a24fbc115850229156af57dbb23b2c0a9cb41a5fa16cef2a581e5a2e2873ad456b2a90dc4ff8ae57c86ad8364fdb978c1d
-
Filesize
20KB
MD5
22be08f683bcc01d7a9799bbd2c10041
SHA1
2efb6041cf3d6e67970135e592569c76fc4c41de
SHA256
451c2c0cf3b7cb412a05347c6e75ed8680f0d2e5f2ab0f64cc2436db9309a457
SHA512
0eef192b3d5abe5d2435acf54b42c729c3979e4ad0b73d36666521458043ee7df1e10386bef266d7df9c31db94fb2833152bb2798936cb2082715318ef05d936
-
Filesize
20KB
MD5
5688ce73407154729a65e71e4123ab21
SHA1
9a2bb4125d44f996af3ed51a71ee6f8ecd296bd7
SHA256
be1b822e970dfe1a120d248db7000eaf799bd6531929a1308676c70fe1608d60
SHA512
eb6452b23ea36c39d03ead154185616c13583f12f382cb2456beeb1ba6e5febdfd2a6f1064283cf115ad1c517dbf409777cdacb128e00c9d3f401335db355537
-
Filesize
8KB
MD5
cf89d16bb9107c631daabf0c0ee58efb
SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0
-
Filesize
8KB
MD5
0962291d6d367570bee5454721c17e11
SHA1
59d10a893ef321a706a9255176761366115bedcb
SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
8KB
MD5
41876349cb12d6db992f1309f22df3f0
SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
-
Filesize
256KB
MD5
1034a4c07732e9cf1474cde56d038b71
SHA1
f697e98f18a22da4f1e083d5193682d225324245
SHA256
bdb9f95383c30df8bb700ebc2f851a6c5045d8970dcce1b59244a93a3a4004fe
SHA512
0029ed8b3be83bdea6793ca1c76ce497c2f2dd1202916253f43251517e4bda393de26ee85bba0cfef1aa6680196a2138772bf3092a3781561e219198875fab53
-
Filesize
116KB
MD5
4e2922249bf476fb3067795f2fa5e794
SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2
SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1
SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da
-
Filesize
6B
MD5
a9851aa4c3c8af2d1bd8834201b2ba51
SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc
SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191
SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818
-
Filesize
40KB
MD5
b608d407fc15adea97c26936bc6f03f6
SHA1
953e7420801c76393902c0d6bb56148947e41571
SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf
SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4
-
Filesize
76KB
MD5
cf7ac318453f6b64b6dc186489ff4593
SHA1
b405c8e0737be8e16a08556757dc817bd02af025
SHA256
634434e865f1ba1b90039bd5afd8f01bad6d278377106022ea2a9c2d8778d31a
SHA512
b64e484d16222d8de31f53cd60b719b7d855bbc552a7d052e202382bc3013e0edaceb31e3a287f2ea6b7117ccfdb8a56ea9d7da78535d2c606183072ecd084e4
-
Filesize
111B
MD5
285252a2f6327d41eab203dc2f402c67
SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
61B
MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47
SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907
SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377
SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a
-
Filesize
3KB
MD5
42d6fb3e3072802b980c3dae9a8357b1
SHA1
8270f7516e3f091b61e6d41302ff7f7ef634d9ce
SHA256
e50909a607453a8042dae83c59a1ef937351342b271a225ab28b5a92226f2ae9
SHA512
f74344e7d91a8a0f2269e33afe6eaac033e6132cfb87fff65197e85a6a96a9e2c3da5e6506535d862d630c12b0e1a28fab25b810c606c70a2090352b1dfa8989
-
Filesize
3KB
MD5
e070d8b22ecaa970efd9b27ee0e6c3ad
SHA1
729dbc27c5d09190a30e08e640d7a009b717b011
SHA256
05167b57b6906fc12e095d3436602165b0bd5e7628c7a114ad34aa3be3491d49
SHA512
ed48f475a2bc5072633ca925a68316d6d7fb433b7b17fa3115a728c0f7b9bb24b0db5422fc77974a6670a10e83438f25e7c95f318e132f47f7e2945322aff6ea
-
Filesize
3KB
MD5
58baf445b0803f8941ce7272a870adb8
SHA1
d3e99686cb984ec966b87d1fa9d0b3ae92623051
SHA256
139fdc80cfc78c568c40f41f608f13d4204f32947346cdfe00966eebd259ce73
SHA512
9865ae4cefdcf8e7f200a61d5862a972d0aafd5f559e9563392c6d84bcfa496bf997c58b4ce29885d6ceab109d1833fa915f7261bcd1aa4aa37e22b4997be558
-
Filesize
3KB
MD5
e76eb63722a65ace0f7da35c46330e5b
SHA1
ddb35d3d72e5125ebda774798a6b71e51ac5b8b2
SHA256
dec02f2c8808afd8a76c8bceeba02b328c3d750cdcff7b097ac43498dfdf2312
SHA512
e31aee2504b853a545f711d423ee2cfe40ed5cde39d610d1b41ac0bf8042e2fb1838cd9e91291addd57d9eccd4e7ef0df1fc007e729195ceba1e63195749cf16
-
Filesize
8KB
MD5
0701798d8e3fd583a7fef8f47ae0d85c
SHA1
4bfa0d63fd795c16ecdc0d5cff5df663c032f8ce
SHA256
34feec8eceebf7e61624a7ec44901219ccc6a03c941d06e9f15715a551e5bde4
SHA512
440502ee99cadbb685f7c2b4929c32dbf7a0a37694af4a64c7cdf486d37f566115a4c983ba7f311e9b949f4956009c2eecd23cc65c355d1463919197a26a3eb1
-
Filesize
40B
MD5
148079685e25097536785f4536af014b
SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f
-
Filesize
16B
MD5
46295cac801e5d4857d09837238a6394
SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
301B
MD5
1bc614191e4032e0174a86f0ce034792
SHA1
b875dc4992ff6ed17bfd218530cc28fc3e6bff9d
SHA256
b2600e90cf28459d1f716b0e8c3d7f20edb32c42e3fc1bc00a16a9fa47333ddb
SHA512
a915ff97babe30a76710b8c1a9453fdeb2397e967d008fb9b7d1e390851d1652fe0dbf506205a438cb0f862c934b17564bbe0ec55036219bd8af89992f69f203
-
C:\Users\Admin\AppData\Local\site.retrac\EBWebView\Default\Site Characteristics Database\MANIFEST-000001
Filesize
41B
MD5
5af87dfd673ba2115e2fcf5cfdb727ab
SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
46B
MD5
90881c9c26f29fca29815a08ba858544
SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625
-
Filesize
277B
MD5
536a7f9f4090116e159fcd023778eeff
SHA1
d696f963664f0c858ee6274f91ba54cc06959ee5
SHA256
7229e22800ed3410fb9dcf94dc97efef44022e8b958ea51bf5fd470eecb92bda
SHA512
b52fa2fb5461d98f0e4c9278bdc04c0aa3e0131741fd3da5af44b04a78f89d0c484ce0edfe91579c2e76f34fa10a108f483db88d1fee8bc4532945f249a90fb6
-
Filesize
20KB
MD5
325ddf165383376a8e530a8288a9fb73
SHA1
f451204bb6f3de9de42f27bd887576b083026e87
SHA256
53eb4fcb3cbcaacd4d94036c9379715990f86185b8ef7fd18cb27665193da6c8
SHA512
edb9c49956741560f40df102b81c3b558b1ae9ce902040f89cecb2fbbf60277dcb73f68d8b7c60340a92c46915828b7a204420292d0a4906ac0e9082943ad528
-
Filesize
128KB
MD5eba383c0000d7b23376a5d595e15c2e6
SHA1e210eeb59d8cd945eb9ae3e35b646d0de5267b5c
SHA256d99146c20b4d5fedbb01810a811895562de52ae6207804f9e44fdd07545741a8
SHA512548546a7a22b10058e087e9422e76720e0ffa2fdeccffa42388cdbf13d945996e95394bb1e7770050f07fe5f4a0c0ea61425257456bd1ebb7390839f960acc60
-
Filesize
110KB
MD512aff5c24b1e165da94cc9ddef6d752a
SHA1345a57b067d6c7561b149b6a7de1d0cf53e42cc9
SHA256b49ee954c97289b707fcaed55266f7c49720d1c24f4a8872038384155081aabf
SHA512fd584f3d7e3a5603ff2699e1b4930d6594b0ea09c0a194b7329f44d3d4d2e1e985a42ab512afc1b6a0f35412ef839d35f27fab1f6506e871d74c648c3adb0ae6
-
Filesize
44KB
MD5144dfaaa82df72858197f4ef7ddd34f2
SHA1e6bbbc5593c1d782e2d23c6ba6a5f5468e7548fa
SHA256fe2844d9713e3f49ff6e5c6d5e9f3b7af671fe9165cafe01ebbaf61bb1ae84b9
SHA5125a53b1dfd4729dd2cf7c5fb45b4b15e3b1729c7c7dca1a029b39964a6e0f9435bde61ba5c8e7b859254798fa135264c9814533409e5980159e52cdca2b1a5793
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
11B
MD5b29bcf9cd0e55f93000b4bb265a9810b
SHA1e662b8c98bd5eced29495dbe2a8f1930e3f714b8
SHA256f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4
SHA512e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011
-
Filesize
2KB
MD5b309f42099630b350281a683ee978360
SHA199fa211ec8959669d099e30605079064cfbcd7a4
SHA256c2b7b8e46f2b23801c9fbd770b5e2828e89778d81cef5c164171f3cef87faf81
SHA512bc56e0b00adba87a5d594588945975276e9784977dae62c78a393d3f0b5dea2274df88ea4af521360317c17301a12d1c722c1769e6fafba1f90435ca9c3d85cc
-
Filesize
2KB
MD58b3fdf2f5b13034d935f4856975f7ce1
SHA1fc17aaca28649d2adfbd93af8bf26a21a84cef10
SHA2563e9c184e9f0e537d2c7e445db039a275e18ce08d5fe48a4526fdcfed1f22120b
SHA512a4846663e4178708c95bcc09b93c7bc72edfe91d36b553acabb9703f10492259cbb24f9700ff31ac00e9c2acc25cf630cb61ab49ec324e71d472db4d9aad7d8c
-
Filesize
2KB
MD5834328c6a1b8fe35e2e7c751933d902f
SHA1bda5c40a8ec6a5315d4431b2cc67457d4c1af028
SHA256bf37cb1f5c262f82709dec711790b4a9ed5764da122bb0ee503e1ebfc3b66316
SHA5124ab8c8a5ae2cf13a891fcc87e679fce515527923e590416e114ba8ef463526ee8d2ad854475776050f23ff99956e1cf8701a29b29ac490f047fa2e14523b9d81
-
Filesize
256KB
MD5a227ef255f43feb9a14b58bc3508b81d
SHA1b3ee2b3141eaa3a2fabb799b6c854a97d8c96d6e
SHA2569dc02fe5bae0645cf4d041531f9847af1ee2666abda552d0a2ae0eace62b59da
SHA5127530770982fad87421f4819101f998b8c949c2d2a391df5f9112a28ba35440660881baf6a8f0eaf0240be7a0be1f2ac375095d68835210078b37f00c9d5c4829
-
Filesize
6.8MB
MD5ae30168aa8f32e9a4f00df855a303509
SHA1287b7fba5ff1ba3f5261b8a842da3f6b23e61e02
SHA256b99bb0941d2258332591632921c5fd9a35bcc2487e69cf2b7a92579965dafc2c
SHA5124e88b2402fcf60465d8990227f13d5d0c7e016a7a62b0478d7b26406e3cbde86e31e212d5b5cbcb4dad08222694f02008c078cfcd0ed6cd851756fd832bf563d
-
Filesize
24.6MB
MD5662ede4b4c3146e8b46f85c5c7caa720
SHA1edb9a8118376405250e7fa3abeedaa63155822f9
SHA25694b38f75afca1c980a63662d30da7ec2b70eb79f51f6a4ad6da3c8bf5d5e6f64
SHA5123d7249f8f7ab0ddecaacfedf50871069425572085f0e6a1d8d4655a28deb2ec93f1d75c3e4667bb3fe35883fba41e64f6c2a43fe1c3479a6739c988218876ed3
-
\??\Volume{d7b304fe-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dd0b12ee-6255-4781-9e55-30a989a95181}_OnDiskSnapshotProp
Filesize6KB
MD572b4192d571d8c546644f2884dd893f4
SHA1f97180981a3f664409d0f62fbab8a0381013327d
SHA2564befc9dae7f933009cb2311f42e4b7dc475b34e23283ff4604415b622c8f41b5
SHA512a702f02f833da92ebfd493e0f4d1f1e89177644bcfa594c2e402a665d3413cd285b33ee57c990a74c8e106216f481b3ebe595e37d8bb7a2e174d4a7002d2026f
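The dropped-file list above is only useful in a triage workflow once it is back in structured form: one record per file, with its path (where the report kept one), size and the four digests, so that digest lengths can be validated and a known hash can be looked up. The parser below is an added example, not part of the sandbox report or of any sandbox vendor's code. It accepts both shapes the extracted text takes, a label fused with its value ("MD5abcd...") and a label on its own line followed by the value, and treats any other line inside a record as the file path. SAMPLE_REPORT is constructed from three records copied from the list above (the 16-byte file, the MANIFEST-000001 file and the 6.8 MB file); the remaining records are omitted.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Hex-digit lengths each digest in the report must have.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: three records copied from the report's dropped-file list.
# Records are separated by a lone "-". The first two keep the fused
# "LabelValue" form the extraction produced; the third has each label on its
# own line, as a cleanly rendered report does.
SAMPLE_REPORT = r"""
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\site.retrac\EBWebView\Default\Site Characteristics Database\MANIFEST-000001
Filesize41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
6.8MB
MD5
ae30168aa8f32e9a4f00df855a303509
SHA1
287b7fba5ff1ba3f5261b8a842da3f6b23e61e02
SHA256
b99bb0941d2258332591632921c5fd9a35bcc2487e69cf2b7a92579965dafc2c
SHA512
4e88b2402fcf60465d8990227f13d5d0c7e016a7a62b0478d7b26406e3cbde86e31e212d5b5cbcb4dad08222694f02008c078cfcd0ed6cd851756fd832bf563d
"""

# A digest label, optionally followed (fused or space-separated) by its hex value.
LABEL_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]*)$")
# "Filesize" optionally followed by its value on the same line.
SIZE_RE = re.compile(r"^Filesize\s*(\S*)$")


@dataclass
class DroppedFile:
    path: Optional[str]
    size: Optional[str]
    digests: Dict[str, str] = field(default_factory=dict)


def parse_report(text: str) -> List[DroppedFile]:
    """Split the flattened dropped-file list into one DroppedFile per record."""
    records: List[DroppedFile] = []
    cur: Optional[DroppedFile] = None
    pending: Optional[str] = None  # label whose value is on the next line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":  # record separator
            if cur is not None:
                records.append(cur)
            cur, pending = None, None
            continue
        if cur is None:
            cur = DroppedFile(path=None, size=None)
        if pending is not None:  # this line is the value for the previous label
            if pending == "Filesize":
                cur.size = line
            else:
                cur.digests[pending] = line.lower()
            pending = None
            continue
        m = SIZE_RE.match(line)
        if m:
            if m.group(1):
                cur.size = m.group(1)
            else:
                pending = "Filesize"
            continue
        m = LABEL_RE.match(line)
        if m:
            if m.group(2):
                cur.digests[m.group(1)] = m.group(2).lower()
            else:
                pending = m.group(1)
            continue
        cur.path = line  # only some records preserved a path
    if cur is not None:
        records.append(cur)
    return records


def check(record: DroppedFile) -> List[str]:
    """Return a list of problems: missing fields or digests of the wrong length."""
    problems = []
    for name, expected in DIGEST_LEN.items():
        value = record.digests.get(name)
        if value is None:
            problems.append(f"missing {name}")
        elif len(value) != expected:
            problems.append(f"{name} has {len(value)} hex digits, expected {expected}")
    if record.size is None:
        problems.append("missing Filesize")
    return problems


def find_by_sha256(records: List[DroppedFile], sha256: str) -> List[DroppedFile]:
    """Case-insensitive lookup of records whose SHA256 matches a known hash."""
    want = sha256.lower()
    return [r for r in records if r.digests.get("SHA256") == want]


if __name__ == "__main__":
    for rec in parse_report(SAMPLE_REPORT):
        print(rec.size, rec.path or "(no path kept)", check(rec) or "ok")
```

Running the parser over a full report lets you confirm every record carries well-formed digests before feeding them to a hash-lookup service, and `find_by_sha256` is the check you want when deciding whether a dropped file is simply a copy of the submitted installer or a new artifact worth pulling from the sandbox.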