Analysis

max time kernel: 529s
max time network: 530s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 17/11/2024, 14:18

Static task: static1
Behavioral task: behavioral1
Sample: CRIMSON.rar
Resource: win11-20241007-en
General

Target: CRIMSON.rar
Size: 4.8MB
MD5: c621a656ac973e464050f3a5a57705ad
SHA1: 9d6f560c3d51ce652141798ebb6956d5b4515548
SHA256: 0c966a7beeb63c7bee76689648713ebb8ee7428f71d5f48959dcd45e940fef89
SHA512: 4583bc8f821d147aee46b3e8394b8aaa5a6e5b9f7d1270a8ad4c6d066c683a9b95186a938fa38b8ac486eb9cf592d97b342308c330829e96776ef02d16a6934a
SSDEEP: 98304:6ncLKHPZCXVBFzYb0Kkar7w5ka+YrAcycgYLHSCPedgNBQ2TwBgMke:6uKHPZClBFzwDM+xYNycg4IgU2AgMke
Malware Config

Signatures

Downloads MZ/PE file
Executes dropped EXE (14 IoCs)

pid | Process
2640 | Crimson Best.exe
408 | Crimson Best.exe
3536 | NDP48-DevPack-ENU.exe
5704 | NDP48-DevPack-ENU.exe
2532 | NDP48-DevPack-ENU.exe
4916 | Crimson Best.exe
2792 | ndp472-kb4054531-web.exe
2400 | Setup.exe
5816 | Crimson Best.exe
4980 | Crimson Best.exe
3080 | Crimson Best.exe
1360 | Crimson Best.exe
4808 | Crimson Best.exe
5248 | Crimson Best.exe
Loads dropped DLL (27 IoCs)
Adds Run key to start application (2 TTPs, 1 IoC)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{362af3ba-ef6b-483c-9cb9-8033838e8b7d} = "\"C:\\ProgramData\\Package Cache\\{362af3ba-ef6b-483c-9cb9-8033838e8b7d}\\NDP48-DevPack-ENU.exe\" /burn.runonce" | NDP48-DevPack-ENU.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | NDP48-DevPack-ENU.exe
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (64 IoCs)
Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTPs, 2 IoCs)
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\NDP48-DevPack-ENU.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\ndp472-kb4054531-web.exe:Zone.Identifier | msedge.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 23 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | Setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | Setup.exe
Enumerates system info in registry (2 TTPs, 36 IoCs)
Modifies data under HKEY_USERS (11 IoCs)
Modifies registry class (64 IoCs)
NTFS ADS 4 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Downloads\NDP48-DevPack-ENU.exe:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 899872.crdownload:SmartScreen msedge.exe
File opened for modification C:\Users\Admin\Downloads\ndp472-kb4054531-web.exe:Zone.Identifier msedge.exe
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 229479.crdownload:SmartScreen msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
5236 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 64 IoCs
Suspicious use of SendNotifyMessage 36 IoCs
Suspicious use of SetWindowsHookEx 20 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

Each entry gives the image path, the full command line, the behavior tags recorded for that process, and its PID. Child processes are indented under their parent.

C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\CRIMSON.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5236

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID:948

C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe
  "C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2640

C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe
  "C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2044

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9ea723cb8,0x7ff9ea723cc8,0x7ff9ea723cd8
      PID:1616

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
      PID:5804

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID:3604

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
      PID:5356

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
      PID:6140

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      PID:4708

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
      PID:3732

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
      PID:3660

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3596 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:2368

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
      PID:6064

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
      PID:1928

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
      PID:2832

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
      PID:324

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
      PID:2364

    C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID:3964

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
      PID:2660

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
      PID:2616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:12⤵PID:4868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:12⤵PID:5488
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:12⤵PID:3616
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:12⤵PID:3444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6576 /prefetch:82⤵PID:5408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6264 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,4045471031831502965,10899946312022919360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6736 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3124
-
-
C:\Users\Admin\Downloads\NDP48-DevPack-ENU.exe"C:\Users\Admin\Downloads\NDP48-DevPack-ENU.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3536 -
C:\Windows\Temp\{6A52A14D-1237-4C87-9D1B-FC5E05DF23EE}\.cr\NDP48-DevPack-ENU.exe"C:\Windows\Temp\{6A52A14D-1237-4C87-9D1B-FC5E05DF23EE}\.cr\NDP48-DevPack-ENU.exe" -burn.clean.room="C:\Users\Admin\Downloads\NDP48-DevPack-ENU.exe" -burn.filehandle.attached=608 -burn.filehandle.self=7563⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
PID:5704 -
C:\Windows\Temp\{61C9B9EC-F858-465B-BB83-A18B4E5706DE}\.be\NDP48-DevPack-ENU.exe"C:\Windows\Temp\{61C9B9EC-F858-465B-BB83-A18B4E5706DE}\.be\NDP48-DevPack-ENU.exe" -q -burn.elevated BurnPipe.{E49C1251-964B-4738-B2AC-408FFBE44C28} {32A13EFB-2F42-45C7-98CD-4304ACF43464} 57044⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2532
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:6040
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2004
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2560
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
PID:4712
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 84CAA353B62A755819E9979CCF1476482⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5496
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 199D18067D34491F70D00F1489F7B5F7 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3620 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\aspnet_merge.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1956
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\aspnet_intern.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:908
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\AxImp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:236
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\AxImp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
PID:1388
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\lc.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2020
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\lc.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
PID:564
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\ResGen.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4672
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\SecAnnotate.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1724
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\SecAnnotate.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
PID:2916
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\sgen.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
PID:5028
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sgen.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2804
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\SqlMetal.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2580
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\TlbExp.exe" /queue:3 /NoDependencies3⤵PID:5264
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\TlbExp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:6068
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\TlbImp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
PID:4696
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\TlbImp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2568
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\WinMDExp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1672
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\WinMDExp.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
PID:4680
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\wsdl.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4608
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\wsdl.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
PID:5952
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\xsd.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4356
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\x64\xsd.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
PID:1504
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\xsltc.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4688
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe install "C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\SvcUtil.exe" /queue:3 /NoDependencies3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2764
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue3⤵
- System Location Discovery: System Language Discovery
PID:3064
-
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue3⤵
- Drops file in Windows directory
PID:5256
-
-
-
C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe"C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4916
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3848 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e627cc40,0x7ff9e627cc4c,0x7ff9e627cc582⤵PID:4968
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1888,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:22⤵PID:2628
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1940,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1960 /prefetch:32⤵PID:5392
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2200 /prefetch:82⤵PID:3152
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:12⤵PID:1972
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:12⤵PID:5284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4280,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3564 /prefetch:12⤵PID:3756
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4732,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:82⤵PID:3388
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4764,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4884 /prefetch:82⤵PID:916
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5000 /prefetch:82⤵PID:5868
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5028,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:82⤵PID:440
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:82⤵PID:5092
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5152,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5172 /prefetch:82⤵PID:2984
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4756,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:22⤵PID:4856
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4668,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:12⤵PID:2104
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5480,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5448 /prefetch:12⤵PID:2036
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5112 /prefetch:82⤵PID:1260
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4552,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4964 /prefetch:12⤵PID:4288
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5740,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5744 /prefetch:12⤵PID:5612
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4468,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:82⤵PID:1852
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4540,i,11769185650757889847,14886893627484365688,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4508 /prefetch:82⤵PID:2456
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:2392
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:2304
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc1⤵PID:2092
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4948 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9ea723cb8,0x7ff9ea723cc8,0x7ff9ea723cd82⤵PID:4160
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:22⤵PID:4832
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3416
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:82⤵PID:5376
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:12⤵PID:4640
-
-
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    PID: 6092
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
    PID: 1320
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
    PID: 4156
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
    PID: 5604
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 4544
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3876 /prefetch:1
    PID: 4308
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
    PID: 2640
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5692 /prefetch:8
    PID: 3720
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
    PID: 2964
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    PID: 2800
  - C:\Users\Admin\Downloads\ndp472-kb4054531-web.exe
    "C:\Users\Admin\Downloads\ndp472-kb4054531-web.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 2792
    - F:\9ce405a5eb6953b779bc196566\Setup.exe
      F:\9ce405a5eb6953b779bc196566\\Setup.exe /x86 /x64 /web
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      PID: 2400
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
    PID: 4904
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
    PID: 3732
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
    PID: 3456
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,11991166012404539448,12545833549841117967,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
    PID: 1356
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2792
- C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4876
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Suspicious use of SetWindowsHookEx
  PID: 4228
- C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe
  "C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 5816
- C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe
  "C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4980
- C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe
  "C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 3080
- C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe
  "C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 1360
- C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe
  "C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID: 4808
- C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe
  "C:\Users\Admin\Desktop\CRIMSON\Crimson Best.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID: 5248
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Defense Evasion
  - Modify Registry (2)
  - Subvert Trust Controls (1)
    - SIP and Trust Provider Hijacking (1)
Downloads
SHA18c7d41c586bfa015fb5cc50a2fdc547711b57c3c
SHA2560512d9ed3e5bb3daef94aa5c16a6c3e2ee26ffed9de00d1434ffe46a027b16b9
SHA5129e586742f4e19938132e41145deec584a7b8c7e111b3c6e9254f8d11db632ebe4d66898458ed7bcfc0614d06e20eb33d5a6a8eb8b32d91110557255cf1dbf017
-
Filesize
10KB
MD54ae4a4a268ccd36acffa1674ebbf910e
SHA1b3737ff0d2296a6e5b652af1a4a519f2b336295b
SHA256910716461ccde7774e637f214bc1de262dce0c371751a585ed1dcf84ee748faf
SHA5125c80f85cdeb634be6986131c974b7a400a6cbac4b33e0a9c0523b679df2fea821322d32c8cb1870d6ad07bb5d1e9c35123cd89724de1a6b359b252ecced567be
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
1.3MB
MD5b3844d880d71de6d787190d2e378101b
SHA10e1ec7c7e9e2c7678db5548de80fc5c57f97dde2
SHA256151b1c11f625e7122d517b6a1778841df8ff168d931c41730f59b9e4b8bcbe36
SHA51299b1d7f9264e7d5aea7b01b69ef541065030055a37cfd76f9846b3cc84fd6f2bab612042d68ddf992bda41553c493fb45830699ba5f56ab0aee200cc539cc5d8
-
Filesize
135KB
MD54e73a312f7f849278a5511d4ced5e641
SHA11397d9d1db40d29e6d08fcc34cd213e88274a35b
SHA256a459c886f0bae7019994f73c11f4f308266b1f2954996c43938e24f6d4dd2dd7
SHA5124692b891f74de1d4929afea4169430940e34912b402df92c6d20299ae1cd6418b66d050e876fda30ae2ae451bac07451f26dfbf007b2311f8e6595202d214fb7
-
Filesize
156KB
MD5a03b77a967693e3569808a00c77abd01
SHA19e25caf21091f1eb3cdaf266773ebb675449ebd9
SHA256e462a7f388bd2a8e0e16c507d7b8f11264743245213fa0a4f98bd0123ba3d5df
SHA512d328e10960f9c03e17915a152e090f4e8f42d48fcf9cf2129955eec8011ca62b252adf48b9effb362b2c4c4da8bd38b675883424f47f7f3348bf62381005215f
-
Filesize
147KB
MD5b4a15b755cef59e96ba1a32f7b9e6533
SHA189ccb024e9705eea3d01bbce384bcafdbdf03d8f
SHA256ba5c11698390df5ab82e6c085990548ad75eb35bd6102f20f33f42236fa6ee92
SHA51276f3675c8cd8fea27dc1ce53dcdea0f33b144d41d4d21034dffeda4c6270ce57b728f03dd23e44ed393bcf7a65d7a9d0af6354a49f367915e11dbd3a00c0565c
-
Filesize
215KB
MD5f68f43f809840328f4e993a54b0d5e62
SHA101da48ce6c81df4835b4c2eca7e1d447be893d39
SHA256e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e
SHA512a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1
-
Filesize
43KB
MD5a7473d5e7524a8a12b28a4c9579e625d
SHA1f2e77c98c3fb08c2e57e2dd19fc38c4262b51a02
SHA2565fb68d7868c8baa2bfafc4b3112053e2e2308cc2bd53bd16647b690fff65ab2c
SHA512f0572ba179634493c409fb9ff23be4cd3af504bc42b75d7b8cc379507108f2a1a35ee7917838b1beb09db99f5f44cc72bfe25129c99c54ba3d4c7c69c5f0e5b1
-
Filesize
43.2MB
MD5bc1d0797bb085ce67818693d4ebb9bd4
SHA16f515e68b5d1cff2e817ca303dcb088a449c4ce2
SHA256a8ef3b350d0c379101b08ed48f9c3fc033d8d6cc27be52e3aba8ac0cd4444679
SHA512f006bbe7cb933ce1ff88b9690618fa259006e7138bd7a341363d34046eb3c108c09372564e0f801985e1210ade7cf88efa90ef620529730a1c2c5ae113a86a7c
-
Filesize
4.9MB
MD5e5539e2120a3c3ed69bb9541591ba6a0
SHA10beae4dc94a19950c49e40f958bd4563da548cd2
SHA256131fa7cd8d661a151a13077a4bed21a4d187c5070b223c28fcf1a2bd1243d817
SHA5125483571270258ec0d6ad6afd878a3ca680a5a27db7804e138cd6c02556c4e1d38a7650e81412a0b4431c48069449f31b20091cacff53bcb55d99a0ef0fbfa8db
-
Filesize
176KB
MD53cf1a83d85315e602958c635e31795c2
SHA1edb04a07ca679bb5760b56a7d2e72093f2f417a9
SHA25666ec65382ffc519fafe2a733af5e8b51d8987cdde12889c05d6438b9c8eb586d
SHA5127b9f327933138844a34e59cbb13c505d668cddf695084e460a07d300dccf31e1b80378a0399b739d2346fbaf4d90910f150d7fe87a5e2b3efdcd5c901b7ee21e
-
Filesize
220KB
MD5627196e57ce6398f411bb5a2f3cb16eb
SHA1fbd983afa48a7956b6176a021459cab679cb059a
SHA25667865eed54de0733aa605eebb4e3a10c675b4dc9bc5b5641c6734d3c9ac761a3
SHA51228994ac1d3fb254aa79ea581039262299aceb3c62223d0a5f78b0694c8fbd74c05a4880a7795cd6be68e11b455f9342bcd9ae1bb4e82c21389834cfdb0438a61
-
Filesize
188KB
MD55bd90f0ba47cc8dd6a79ba27f5ca8c1e
SHA12742b75e703bcee7f982a77d14ae2adb8e73cb6d
SHA256704df3f7317c52c028e2cf06fc6f8b1b306a27494f8aad513d8250fe835aaad8
SHA5129ef6d9b176a7d527b66ed89674151f1873dd3fb0a6f426246c3875a4ccf762eac52e2ef80573e91fb38bca9c9c55cd6de4cf42e5abd13c288603350e0dd6f36a
-
Filesize
556KB
MD56c372859cd7f3815d0fe8b9b3b64ebcd
SHA1ed6fc350ea4580c74690ab5fa5c573811000422a
SHA25661c76da293738f93fd0176837e5e70bf414903ecb527a7fc25fc7c862066f5bc
SHA512252a0ec388c761848186aadce5eb25d79e273dd3bfe82fb35e5b068c5c02a71155236f24fe4f6cadf4ea70066b941ffcd90315cb36da9183bc8eba44b599c004
-
Filesize
649KB
MD5562cf2fdf320cb1025e32c7c396e7983
SHA180b2dd54bdde42400dbbb2b6de262630f90f4948
SHA2566901d6e6c6e19f32caf39dc8022da2fa009a8c6f6a187a59b4c6eaacaa8bb158
SHA5123f874403a4562120c235aad3daddce084c4a94d5623aaa03bb3e2e1efd7b06a9953ed68ca36ca3842f0e82d2deca6203051bf3ecef2daeab5cc5dce8ae134647
-
Filesize
4KB
MD547c47a12e6830b793150494d35d51637
SHA187a11fece572f2a57982270533d6906daf7da218
SHA2564399b24e28becfb3bb2820daa09965860001492145fd7e2466da7b740c31855d
SHA5121b85ff8f11afafaa7368e744d281d964313eb342d294cbbe0e1c5fab3c5e817ca2b58bbcd7fc87a556f7575fd8e9d7404eb0a4f8e045e4c446ba83398eab3127