Analysis
max time kernel: 273s
max time network: 299s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-11-2024 00:39
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://gta-6.en.softonic.com/
Resource: win11-20241007-en
General
Target: https://gta-6.en.softonic.com/
Malware Config
Signatures
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 14 IoCs
pid | Process
1604 | Rockstar-Games-Launcher.exe
2828 | vc_redist.x86.exe
1040 | vc_redist.x86.exe
5060 | VC_redist.x86.exe
2852 | vc_redist.x64.exe
5896 | vc_redist.x64.exe
5584 | VC_redist.x64.exe
5644 | RockstarService.exe
1868 | RockstarService.exe
3320 | RockstarService.exe
4984 | LauncherPatcher.exe
4348 | Launcher.exe
5852 | RockstarService.exe
2664 | RockstarService.exe
Loads dropped DLL 4 IoCs
pid | Process
1040 | vc_redist.x86.exe
4732 | VC_redist.x86.exe
5896 | vc_redist.x64.exe
2104 | VC_redist.x64.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{410c0ee1-00bb-41b6-9772-e12c2828b02f} = "\"C:\\ProgramData\\Package Cache\\{410c0ee1-00bb-41b6-9772-e12c2828b02f}\\VC_redist.x86.exe\" /burn.runonce" | VC_redist.x86.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{8bdfe669-9705-4184-9368-db9ce581e0e7} = "\"C:\\ProgramData\\Package Cache\\{8bdfe669-9705-4184-9368-db9ce581e0e7}\\VC_redist.x64.exe\" /burn.runonce" | VC_redist.x64.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
flow | ioc
155 | https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\mfc140rus.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\mfc140chs.dll | msiexec.exe
File created | C:\Windows\system32\msvcp140_codecvt_ids.dll | msiexec.exe
File created | \??\c:\windows\system32\driverstore\filerepository\hdaudbus.inf_amd64_8207ba80cf22e40a\hdaudbus.PNF | dxdiag.exe
File created | C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll | msiexec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF | dxdiag.exe
File created | C:\Windows\system32\mfc140u.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140.dll | msiexec.exe
File created | \??\c:\windows\system32\driverstore\filerepository\msmouse.inf_amd64_5ab7d1c25144fcab\msmouse.PNF | dxdiag.exe
File created | C:\Windows\System32\DriverStore\FileRepository\keyboard.inf_amd64_cc6edbde0940344f\keyboard.PNF | dxdiag.exe
File opened for modification | C:\Windows\SysWOW64\msvcp140_2.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\mfc140deu.dll | msiexec.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | RockstarService.exe
File opened for modification | C:\Windows\SysWOW64\msvcp140_1.dll | msiexec.exe
File created | C:\Windows\SysWOW64\mfc140esn.dll | msiexec.exe
File created | C:\Windows\SysWOW64\mfcm140.dll | msiexec.exe
File created | C:\Windows\system32\vcruntime140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_EAF064FC44599326900E60DC50ABB82E | RockstarService.exe
File opened for modification | C:\Windows\system32\mfc140cht.dll | msiexec.exe
File created | C:\Windows\SysWOW64\msvcp140_2.dll | msiexec.exe
File created | C:\Windows\SysWOW64\vcamp140.dll | msiexec.exe
File created | C:\Windows\SysWOW64\vcomp140.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\mfc140u.dll | msiexec.exe
File created | C:\Windows\SysWOW64\mfc140enu.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\mfc140ita.dll | msiexec.exe
File created | C:\Windows\SysWOW64\mfc140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\vcruntime140.dll | msiexec.exe
File created | \??\c:\windows\system32\driverstore\filerepository\input.inf_amd64_702fdf2336d2162d\input.PNF | dxdiag.exe
File created | C:\Windows\SysWOW64\concrt140.dll | msiexec.exe
File created | C:\Windows\SysWOW64\mfc140fra.dll | msiexec.exe
File created | C:\Windows\system32\msvcp140_atomic_wait.dll | msiexec.exe
File created | \??\c:\windows\system32\driverstore\filerepository\usbport.inf_amd64_585900615f764770\usbport.PNF | dxdiag.exe
File opened for modification | C:\Windows\SysWOW64\mfc140enu.dll | msiexec.exe
File opened for modification | C:\Windows\SysWOW64\vccorlib140.dll | msiexec.exe
File created | C:\Windows\system32\vcruntime140_1.dll | msiexec.exe
File created | C:\Windows\system32\mfc140esn.dll | msiexec.exe
File created | C:\Windows\SysWOW64\vcruntime140.dll | msiexec.exe
File created | C:\Windows\system32\vcamp140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140rus.dll | msiexec.exe
File created | C:\Windows\system32\mfc140.dll | msiexec.exe
File created | \??\c:\windows\system32\driverstore\filerepository\machine.inf_amd64_726cea1f0f349cf7\machine.PNF | dxdiag.exe
File opened for modification | C:\Windows\SysWOW64\msvcp140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\vccorlib140.dll | msiexec.exe
File created | C:\Windows\system32\msvcp140.dll | msiexec.exe
File created | C:\Windows\system32\mfc140fra.dll | msiexec.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | RockstarService.exe
File opened for modification | C:\Windows\SysWOW64\mfc140cht.dll | msiexec.exe
File created | C:\Windows\SysWOW64\mfc140u.dll | msiexec.exe
File created | C:\Windows\system32\msvcp140_1.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140u.dll | msiexec.exe
File created | C:\Windows\system32\mfc140chs.dll | msiexec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\machine.inf_amd64_726cea1f0f349cf7\machine.PNF | dxdiag.exe
File opened for modification | C:\Windows\SysWOW64\mfc140kor.dll | msiexec.exe
File created | C:\Windows\SysWOW64\mfc140kor.dll | msiexec.exe
File opened for modification | C:\Windows\system32\vcruntime140_1.dll | msiexec.exe
File created | C:\Windows\system32\concrt140.dll | msiexec.exe
File created | C:\Windows\System32\DriverStore\FileRepository\hdaudbus.inf_amd64_8207ba80cf22e40a\hdaudbus.PNF | dxdiag.exe
File created | C:\Windows\SysWOW64\mfc140deu.dll | msiexec.exe
File opened for modification | C:\Windows\system32\msvcp140_codecvt_ids.dll | msiexec.exe
File opened for modification | C:\Windows\system32\msvcp140.dll | msiexec.exe
File opened for modification | C:\Windows\system32\mfc140chs.dll | msiexec.exe
File created | C:\Windows\system32\mfcm140u.dll | msiexec.exe
File created | C:\Windows\system32\mfc140enu.dll | msiexec.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | RockstarService.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files\Rockstar Games\Launcher\Redistributables\VCRed\vc_redist.x64.exe | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-file-l2-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-convert-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-time-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\LauncherPatcher.exe | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-sysinfo-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-heap-l1-1-0.dll | Rockstar-Games-Launcher.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\RockstarSteamHelper.exe.swap | RockstarService.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-file-l1-2-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-synch-l1-2-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-stdio-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\offline.pak | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-utility-l1-1-0.dll | Rockstar-Games-Launcher.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\LauncherPatcher.exe.swap | RockstarService.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\ThirdParty\Crashpad\RockstarErrorHandler.exe.swap | RockstarService.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\libovr.dll.swap | RockstarService.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-datetime-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-debug-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-synch-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-timezone-l1-1-0.dll | Rockstar-Games-Launcher.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\ThirdParty\D3D12\D3D12Core.dll.swap | RockstarService.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-process-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\Redistributables\VCRed\vc_redist.x86.exe | Rockstar-Games-Launcher.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\Launcher.rpf.swap | RockstarService.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\ThirdParty\D3D12\d3d12SDKLayers.dll.swap | RockstarService.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-console-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-handle-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-localization-l1-2-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-private-l1-1-0.dll | Rockstar-Games-Launcher.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\Launcher.exe.swap | RockstarService.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\uninstall.exe.swap | RockstarService.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\Redistributables\SocialClub\Social-Club-Setup.exe.swap | RockstarService.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-processenvironment-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-rtlsupport-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-environment-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\ThirdParty\Epic\EOSSDK-Win64-Shipping.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-heap-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\Launcher.rpf | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\ThirdParty\Steam\steam_api64.dll | Rockstar-Games-Launcher.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\svc_events.json | RockstarService.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-multibyte-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-string-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\libovr.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\uninstall.exe | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\ucrtbase.dll | Rockstar-Games-Launcher.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\svc_events.json | RockstarService.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-errorhandling-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-file-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-profile-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-filesystem-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-locale-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-runtime-l1-1-0.dll | Rockstar-Games-Launcher.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\svc_events.json | RockstarService.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-namedpipe-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-util-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\svc_events.json | RockstarService.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-processthreads-l1-1-1.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-string-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-math-l1-1-0.dll | Rockstar-Games-Launcher.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\offline.pak.swap | RockstarService.exe
File created | C:\Program Files\Rockstar Games\Launcher\RockstarSteamHelper.exe | Rockstar-Games-Launcher.exe
File opened for modification | C:\Program Files\Rockstar Games\Launcher\RockstarService.exe.swap | RockstarService.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-core-memory-l1-1-0.dll | Rockstar-Games-Launcher.exe
File created | C:\Program Files\Rockstar Games\Launcher\api-ms-win-crt-conio-l1-1-0.dll | Rockstar-Games-Launcher.exe
Drops file in Windows directory 43 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\e5b5dde.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{D5D19E2F-7189-42FE-8103-92CD1FA457C2} | msiexec.exe
File created | C:\Windows\SystemTemp\~DF6AB891FA3D4146A1.TMP | msiexec.exe
File created | C:\Windows\Installer\e5b5e06.msi | msiexec.exe
File created | C:\Windows\Installer\e5b5e07.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5b5e07.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\SystemTemp\~DF18800EA95E1027B5.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7708.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6699.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DFDEA7C5EA809220FE.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DFF98844B5BCDAB80B.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI608B.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF076278CD023425D6.TMP | msiexec.exe
File created | C:\Windows\Installer\e5b5dde.msi | msiexec.exe
File created | C:\Windows\SystemTemp\~DF2D7C43C6CC69F4AE.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI64E3.tmp | msiexec.exe
File created | C:\Windows\SystemTemp\~DF8FDA647ECD9E9A7A.TMP | msiexec.exe
File created | C:\Windows\Installer\e5b5df3.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\SystemTemp\~DF14EB19A56D1A09E3.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI61E4.tmp | msiexec.exe
File created | C:\Windows\Installer\e5b5ddd.msi | msiexec.exe
File created | C:\Windows\SystemTemp\~DFB98CC84056A357CD.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DFB4C3624F8360DBCE.TMP | msiexec.exe
File created | C:\Windows\Installer\e5b5dcc.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5b5dcc.msi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{C2C59CAB-8766-4ABD-A8EF-1151A36C41E5} | msiexec.exe
File created | C:\Windows\SystemTemp\~DFE925104E2DAED1BC.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DFA6BAB7E75D531C3B.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DF742E0E07EC6AF297.TMP | msiexec.exe
File created | C:\Windows\Installer\SourceHash{73F77E4E-5A17-46E5-A5FC-8A061047725F} | msiexec.exe
File created | C:\Windows\SystemTemp\~DFCD57D66C92E222EB.TMP | msiexec.exe
File created | C:\Windows\SystemTemp\~DFF52CFAF28616248D.TMP | msiexec.exe
File created | C:\Windows\Installer\SourceHash{0025DD72-A959-45B5-A0A3-7EFEB15A8050} | msiexec.exe
File created | C:\Windows\SystemTemp\~DFCAA29191E8D633CD.TMP | msiexec.exe
File opened for modification | C:\Windows\Installer\e5b5df4.msi | msiexec.exe
File created | C:\Windows\Installer\e5b5df4.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI73AB.tmp | msiexec.exe
File created | C:\Windows\Installer\e5b5e1c.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI7204.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI75CF.tmp | msiexec.exe
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Rockstar-Games-Launcher.exe:Zone.Identifier | msedge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vc_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vc_redist.x86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vc_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vc_redist.x86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x86.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | VC_redist.x86.exe
Checks SCSI registry key(s) 3 TTPs 11 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID | dxdiag.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs | dxdiag.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 | dxdiag.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | dxdiag.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Modifies data under HKEY_USERS 58 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | RockstarService.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | RockstarService.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | RockstarService.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | RockstarService.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | RockstarService.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | RockstarService.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | RockstarService.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D | msiexec.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\Assignment = "1" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E4E77F3771A55E645ACFA860017427F5\ProductName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\Language = "1033" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{C2C59CAB-8766-4ABD-A8EF-1151A36C41E5}v14.36.32532\\packages\\vcRuntimeAdditional_x86\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C\Provider | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F2E91D5D9817EF24183029DCF14A752C\Servicing_Key | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X86,X86,14.30,BUNDLE\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E} | VC_redist.x86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Net | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.36.32532" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\27DD5200959A5B540A3AE7EF1BA50805 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider\CurVer\ = "DxDiag.DxDiagClassObject.1" | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.36,bundle\ = "{410c0ee1-00bb-41b6-9772-e12c2828b02f}" | VC_redist.x86.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E4E77F3771A55E645ACFA860017427F5\PackageCode = "1670FAE368D173749B9C4C5C64DAEC3D" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{410c0ee1-00bb-41b6-9772-e12c2828b02f} | VC_redist.x86.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\PackageCode = "73C8C8E4844B0BB4A8B86F043B32F917" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14 | VC_redist.x64.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BAC95C2C6678DBA48AFE11153AC6145E\Servicing_Key | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ForceRemove\ = "Programmable" | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.36,bundle\Version = "14.36.32532.0" | VC_redist.x86.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E4E77F3771A55E645ACFA860017427F5\Assignment = "1" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\Language = "1033" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CLSID\ = "{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\VersionIndependentProgID | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\InprocServer32\ = "C:\\Windows\\SYSTEM32\\dxdiagn.dll" | dxdiag.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.36,bundle\Dependents\{410c0ee1-00bb-41b6-9772-e12c2828b02f} | VC_redist.x86.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Version = "14.36.32532.0" | VC_redist.x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject.1 | dxdiag.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagClassObject\CurVer | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.36,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532" | VC_redist.x86.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{73F77E4E-5A17-46E5-A5FC-8A061047725F}" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BAC95C2C6678DBA48AFE11153AC6145E\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\ = "{8bdfe669-9705-4184-9368-db9ce581e0e7}" | VC_redist.x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\\packages\\vcRuntimeAdditional_amd64\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EEB1CAE3-D0B2-446E-AEDE-727AA9089A1B}\ = "DxDiagClassObject Class" | dxdiag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E4E77F3771A55E645ACFA860017427F5\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{73F77E4E-5A17-46E5-A5FC-8A061047725F}v14.36.32532\\packages\\vcRuntimeMinimum_x86\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E4E77F3771A55E645ACFA860017427F5\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.36,bundle\Dependents | VC_redist.x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F2E91D5D9817EF24183029DCF14A752C\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E4E77F3771A55E645ACFA860017427F5\Provider | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.36.32532" | msiexec.exe
Key created
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\DxDiag.DxDiagProvider dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E4E77F3771A55E645ACFA860017427F5 msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle VC_redist.x86.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27DD5200959A5B540A3AE7EF1BA50805\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{0025DD72-A959-45B5-A0A3-7EFEB15A8050}v14.36.32532\\packages\\vcRuntimeAdditional_amd64\\" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13} VC_redist.x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A65B8071-3BFE-4213-9A5B-491DA4461CA7}\ProgID dxdiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E4E77F3771A55E645ACFA860017427F5\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532" msiexec.exe -
NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 796868.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Rockstar-Games-Launcher.exe:Zone.Identifier | msedge.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | count
384 | msedge.exe | 2
456 | msedge.exe | 2
6024 | msedge.exe | 2
5572 | identity_helper.exe | 2
5548 | msedge.exe | 4
428 | msedge.exe | 2
1604 | Rockstar-Games-Launcher.exe | 14
5308 | msiexec.exe | 16
236 | msedge.exe | 2
4348 | Launcher.exe | 16
2664 | RockstarService.exe | 2
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 53 IoCs
pid | Process | count
456 | msedge.exe | 53
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeBackupPrivilege | 3948 | vssvc.exe
Token: SeRestorePrivilege | 3948 | vssvc.exe
Token: SeAuditPrivilege | 3948 | vssvc.exe
Token: SeShutdownPrivilege | 5060 | VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege | 5060 | VC_redist.x86.exe
Token: SeSecurityPrivilege | 5308 | msiexec.exe
Token: SeCreateTokenPrivilege | 5060 | VC_redist.x86.exe
Token: SeAssignPrimaryTokenPrivilege | 5060 | VC_redist.x86.exe
Token: SeLockMemoryPrivilege | 5060 | VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege | 5060 | VC_redist.x86.exe
Token: SeMachineAccountPrivilege | 5060 | VC_redist.x86.exe
Token: SeTcbPrivilege | 5060 | VC_redist.x86.exe
Token: SeSecurityPrivilege | 5060 | VC_redist.x86.exe
Token: SeTakeOwnershipPrivilege | 5060 | VC_redist.x86.exe
Token: SeLoadDriverPrivilege | 5060 | VC_redist.x86.exe
Token: SeSystemProfilePrivilege | 5060 | VC_redist.x86.exe
Token: SeSystemtimePrivilege | 5060 | VC_redist.x86.exe
Token: SeProfSingleProcessPrivilege | 5060 | VC_redist.x86.exe
Token: SeIncBasePriorityPrivilege | 5060 | VC_redist.x86.exe
Token: SeCreatePagefilePrivilege | 5060 | VC_redist.x86.exe
Token: SeCreatePermanentPrivilege | 5060 | VC_redist.x86.exe
Token: SeBackupPrivilege | 5060 | VC_redist.x86.exe
Token: SeRestorePrivilege | 5060 | VC_redist.x86.exe
Token: SeShutdownPrivilege | 5060 | VC_redist.x86.exe
Token: SeDebugPrivilege | 5060 | VC_redist.x86.exe
Token: SeAuditPrivilege | 5060 | VC_redist.x86.exe
Token: SeSystemEnvironmentPrivilege | 5060 | VC_redist.x86.exe
Token: SeChangeNotifyPrivilege | 5060 | VC_redist.x86.exe
Token: SeRemoteShutdownPrivilege | 5060 | VC_redist.x86.exe
Token: SeUndockPrivilege | 5060 | VC_redist.x86.exe
Token: SeSyncAgentPrivilege | 5060 | VC_redist.x86.exe
Token: SeEnableDelegationPrivilege | 5060 | VC_redist.x86.exe
Token: SeManageVolumePrivilege | 5060 | VC_redist.x86.exe
Token: SeImpersonatePrivilege | 5060 | VC_redist.x86.exe
Token: SeCreateGlobalPrivilege | 5060 | VC_redist.x86.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 5308 | msiexec.exe
Token: SeRestorePrivilege | 5308 | msiexec.exe
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process | count
456 | msedge.exe | 64
Suspicious use of SendNotifyMessage 15 IoCs
pid | Process | count
456 | msedge.exe | 14
4348 | Launcher.exe | 1
Suspicious use of SetWindowsHookEx 17 IoCs
pid | Process
1604 | Rockstar-Games-Launcher.exe
2828 | vc_redist.x86.exe
1040 | vc_redist.x86.exe
5060 | VC_redist.x86.exe
5572 | VC_redist.x86.exe
4732 | VC_redist.x86.exe
5780 | VC_redist.x86.exe
2852 | vc_redist.x64.exe
5896 | vc_redist.x64.exe
5584 | VC_redist.x64.exe
4876 | VC_redist.x64.exe
2104 | VC_redist.x64.exe
5156 | VC_redist.x64.exe
5644 | RockstarService.exe
1868 | RockstarService.exe
3320 | RockstarService.exe
5028 | dxdiag.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | count
PID 456 wrote to memory of 3544 | 456 | msedge.exe | 79 | 2
PID 456 wrote to memory of 4628 | 456 | msedge.exe | 80 | 40
PID 456 wrote to memory of 384 | 456 | msedge.exe | 81 | 2
PID 456 wrote to memory of 2772 | 456 | msedge.exe | 82 | 20
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 456)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gta-6.en.softonic.com/
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3544)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff94dfa3cb8,0x7ff94dfa3cc8,0x7ff94dfa3cd8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4628)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 384)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2772)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4988)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4616)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4960)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1444)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3512)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4700)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1012)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3236)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3052)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3176)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1568)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2892)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4372)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7188 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4908)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7196 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4352)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5044)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7812 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2476)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7600 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 392)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8172 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5180)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8320 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5268)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8528 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5360)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8696 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5684)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8500 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5692)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7592 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5760)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8928 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6024)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe (PID 5572)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9952 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6008)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6036)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 6040)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9632 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3400)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2536)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5656)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5800)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=9684 /prefetch:8
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:12⤵PID:5508
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2556 /prefetch:12⤵PID:5164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9196 /prefetch:12⤵PID:5872
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8296 /prefetch:82⤵PID:5892
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9796 /prefetch:12⤵PID:6028
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:12⤵PID:3220
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9968 /prefetch:12⤵PID:1040
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:12⤵PID:4900
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9204 /prefetch:12⤵PID:2676
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9672 /prefetch:12⤵PID:3640
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=9336 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:5548
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵PID:3500
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8372 /prefetch:12⤵PID:4940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:12⤵PID:2852
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:12⤵PID:996
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7608 /prefetch:12⤵PID:5600
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9452 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:428
-
-
  C:\Users\Admin\Downloads\Rockstar-Games-Launcher.exe (depth 2, PID 1604)
    "C:\Users\Admin\Downloads\Rockstar-Games-Launcher.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    C:\Program Files\Rockstar Games\Launcher\Redistributables\VCRed\vc_redist.x86.exe (depth 3, PID 2828)
      "C:\Program Files\Rockstar Games\Launcher\Redistributables\VCRed\vc_redist.x86.exe" /install /norestart /quiet
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      C:\Windows\Temp\{FBA29688-288C-4431-9828-EC255322E554}\.cr\vc_redist.x86.exe (depth 4, PID 1040)
        "C:\Windows\Temp\{FBA29688-288C-4431-9828-EC255322E554}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files\Rockstar Games\Launcher\Redistributables\VCRed\vc_redist.x86.exe" -burn.filehandle.attached=596 -burn.filehandle.self=608 /install /norestart /quiet
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        C:\Windows\Temp\{A62015EB-63AC-47A9-9D2A-B03F10E17469}\.be\VC_redist.x86.exe (depth 5, PID 5060)
          "C:\Windows\Temp\{A62015EB-63AC-47A9-9D2A-B03F10E17469}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{60DFE734-D60C-493F-BAB9-2A2830449EC8} {0C3142A5-E40D-4852-8094-2FCDA35521B2} 1040
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe (depth 6, PID 5572)
            "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=944 -burn.embedded BurnPipe.{A4FBDA13-4A08-4E8B-9A21-8C6B6E74146E} {E6B04517-306E-402B-9FD8-DA428EBE2228} 5060
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe (depth 7, PID 4732)
              "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=592 -burn.filehandle.self=608 -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=944 -burn.embedded BurnPipe.{A4FBDA13-4A08-4E8B-9A21-8C6B6E74146E} {E6B04517-306E-402B-9FD8-DA428EBE2228} 5060
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe (depth 8, PID 5780)
                "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{D44A319B-6677-4F86-8032-39B93E54A1DE} {886CF87E-A9E9-403C-BBA8-295B232BAF03} 4732
                - System Location Discovery: System Language Discovery
                - Modifies registry class
                - Suspicious use of SetWindowsHookEx
    C:\Program Files\Rockstar Games\Launcher\Redistributables\VCRed\vc_redist.x64.exe (depth 3, PID 2852)
      "C:\Program Files\Rockstar Games\Launcher\Redistributables\VCRed\vc_redist.x64.exe" /install /norestart /quiet
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      C:\Windows\Temp\{D71873AB-F2E5-4DD2-AC32-C706A4B29982}\.cr\vc_redist.x64.exe (depth 4, PID 5896)
        "C:\Windows\Temp\{D71873AB-F2E5-4DD2-AC32-C706A4B29982}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files\Rockstar Games\Launcher\Redistributables\VCRed\vc_redist.x64.exe" -burn.filehandle.attached=592 -burn.filehandle.self=600 /install /norestart /quiet
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        C:\Windows\Temp\{69B9BF4C-B0AD-4F8F-BDC0-B9A938D0285C}\.be\VC_redist.x64.exe (depth 5, PID 5584)
          "C:\Windows\Temp\{69B9BF4C-B0AD-4F8F-BDC0-B9A938D0285C}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{A5B7643B-2638-4692-88F1-F1CBD22EC3A0} {1FEE659D-2048-40AC-9F14-684402E881D7} 5896
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of SetWindowsHookEx
          C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe (depth 6, PID 4876)
            "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=988 -burn.embedded BurnPipe.{5097EE3D-0AE5-4EFB-8C69-D54B070A1D0D} {934666C9-0F63-4862-A154-DD1C1FA775C7} 5584
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx
            C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe (depth 7, PID 2104)
              "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=572 -burn.filehandle.self=588 -uninstall -quiet -burn.related.upgrade -burn.ancestors={8bdfe669-9705-4184-9368-db9ce581e0e7} -burn.filehandle.self=988 -burn.embedded BurnPipe.{5097EE3D-0AE5-4EFB-8C69-D54B070A1D0D} {934666C9-0F63-4862-A154-DD1C1FA775C7} 5584
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe (depth 8, PID 5156)
                "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{375B283C-F4A4-489F-854E-F81E2EFA518D} {C9167BCA-2592-4ABC-8CE3-CB8527A6D4A4} 2104
                - System Location Discovery: System Language Discovery
                - Modifies registry class
                - Suspicious use of SetWindowsHookEx
    C:\Program Files\Rockstar Games\Launcher\RockstarService.exe (depth 3, PID 5644)
      "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe" stop
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
    C:\Program Files\Rockstar Games\Launcher\RockstarService.exe (depth 3, PID 1868)
      "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe" uninstall
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
    C:\Program Files\Rockstar Games\Launcher\RockstarService.exe (depth 3, PID 3320)
      "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe" install
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 2428)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 1824)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3448)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9256 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 4976)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5872)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 3964)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 236)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4612 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5236)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5244)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 2, PID 5768)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,15367333773827343561,11145443039499108576,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 1440)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 3424)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\AUDIODG.EXE (depth 1, PID 5816)
  C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004C0
C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 5356)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe (depth 1, PID 2820)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\vssvc.exe (depth 1, PID 3948)
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\srtasks.exe (depth 1, PID 412)
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\system32\msiexec.exe (depth 1, PID 5308)
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\DllHost.exe (depth 1, PID 2104)
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Program Files\Rockstar Games\Launcher\LauncherPatcher.exe (depth 1, PID 4984)
  "C:\Program Files\Rockstar Games\Launcher\LauncherPatcher.exe"
  - Executes dropped EXE
  C:\Program Files\Rockstar Games\Launcher\Launcher.exe (depth 2, PID 4348)
    "C:\Program Files\Rockstar Games\Launcher\Launcher.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    C:\Program Files\Rockstar Games\Launcher\RockstarService.exe (depth 3, PID 5852)
      "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe" start
      - Executes dropped EXE
      - Drops file in Program Files directory
    C:\Windows\SYSTEM32\dxdiag.exe (depth 3, PID 5028)
      dxdiag /t "C:\Users\Admin\AppData\Local\Rockstar Games\Launcher\dxdiag.txt"
      - Drops file in System32 directory
      - Checks SCSI registry key(s)
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
    C:\Program Files\Rockstar Games\Launcher\RockstarService.exe (depth 3, PID 5416)
      "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe" stop
    C:\Program Files\Rockstar Games\Launcher\Launcher.exe (depth 3, PID 6108)
      "C:\Program Files\Rockstar Games\Launcher\Launcher.exe" -upgrade
C:\Program Files\Rockstar Games\Launcher\RockstarService.exe (depth 1, PID 2664)
  "C:\Program Files\Rockstar Games\Launcher\RockstarService.exe"
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
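Two things in the tree above deserve more than the per-process signature tags give them. The Mark-of-the-Web Bypass and NTFS ADS signatures sit on Edge's quarantine utility process (PID 428), which is the component Chromium-based browsers use to tag a download with its Zone.Identifier stream, so on their own they record the download being marked; the download being run is the next entry, where Rockstar-Games-Launcher.exe starts from the user's Downloads folder. Under it, each vc_redist installer nests several levels deep because the WiX Burn bootstrapper re-launches itself: into a clean-room copy under C:\Windows\Temp (-burn.clean.room), then as an elevated instance (-burn.elevated) that connects back to its launcher over the named BurnPipe, and then into the cached earlier bundle (-burn.embedded with -burn.related.upgrade) to remove it. The elevated instances (PIDs 5060 and 5584) are the ones carrying the Adds Run key to start application signature. The integer after the two BurnPipe GUIDs on a -burn.elevated command line is the PID the child is told to connect back to, so it should equal that process's parent in the tree. The Python below, an added example rather than code from Triage, Rockstar or WiX, rebuilds the tree from the depth each entry carries and performs that check; ROWS is transcribed from the x86 branch above, and because the msedge.exe that spawned PID 1604 lies outside this excerpt, that row is left without a parent.

```python
"""Rebuild a sandbox process tree from (depth, pid, image, cmdline) rows and
cross-check the WiX Burn elevation chain seen in the Rockstar launcher install.

Added example for this report, not Triage's, Rockstar's or WiX's code.  ROWS is
transcribed from the entries above (the x86 redistributable branch and one
RockstarService call); the msedge.exe that spawned PID 1604 is outside this
excerpt, so that row has no parent here.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: (depth, pid, image path, command line) as printed above.
ROWS = [
    (2, 1604, r"C:\Users\Admin\Downloads\Rockstar-Games-Launcher.exe",
     r'"C:\Users\Admin\Downloads\Rockstar-Games-Launcher.exe"'),
    (3, 2828, r"C:\Program Files\Rockstar Games\Launcher\Redistributables\VCRed\vc_redist.x86.exe",
     r'"C:\Program Files\Rockstar Games\Launcher\Redistributables\VCRed\vc_redist.x86.exe" /install /norestart /quiet'),
    (4, 1040, r"C:\Windows\Temp\{FBA29688-288C-4431-9828-EC255322E554}\.cr\vc_redist.x86.exe",
     r'"C:\Windows\Temp\{FBA29688-288C-4431-9828-EC255322E554}\.cr\vc_redist.x86.exe" -burn.clean.room="C:\Program Files\Rockstar Games\Launcher\Redistributables\VCRed\vc_redist.x86.exe" -burn.filehandle.attached=596 -burn.filehandle.self=608 /install /norestart /quiet'),
    (5, 5060, r"C:\Windows\Temp\{A62015EB-63AC-47A9-9D2A-B03F10E17469}\.be\VC_redist.x86.exe",
     r'"C:\Windows\Temp\{A62015EB-63AC-47A9-9D2A-B03F10E17469}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{60DFE734-D60C-493F-BAB9-2A2830449EC8} {0C3142A5-E40D-4852-8094-2FCDA35521B2} 1040'),
    (6, 5572, r"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe",
     r'"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=944 -burn.embedded BurnPipe.{A4FBDA13-4A08-4E8B-9A21-8C6B6E74146E} {E6B04517-306E-402B-9FD8-DA428EBE2228} 5060'),
    (7, 4732, r"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe",
     r'"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=592 -burn.filehandle.self=608 -uninstall -quiet -burn.related.upgrade -burn.ancestors={410c0ee1-00bb-41b6-9772-e12c2828b02f} -burn.filehandle.self=944 -burn.embedded BurnPipe.{A4FBDA13-4A08-4E8B-9A21-8C6B6E74146E} {E6B04517-306E-402B-9FD8-DA428EBE2228} 5060'),
    (8, 5780, r"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe",
     r'"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{D44A319B-6677-4F86-8032-39B93E54A1DE} {886CF87E-A9E9-403C-BBA8-295B232BAF03} 4732'),
    (3, 5644, r"C:\Program Files\Rockstar Games\Launcher\RockstarService.exe",
     r'"C:\Program Files\Rockstar Games\Launcher\RockstarService.exe" stop'),
]


@dataclass
class Proc:
    depth: int
    pid: int
    image: str
    cmdline: str
    parent: Optional["Proc"] = None
    children: list = field(default_factory=list)


def build_tree(rows):
    """Parent of a depth-d entry = the last depth-(d-1) entry listed before it.
    Entries at depth >= d seen earlier belong to a subtree that is already closed."""
    procs, last_at_depth = [], {}
    for depth, pid, image, cmdline in rows:
        p = Proc(depth, pid, image, cmdline)
        for d in [d for d in last_at_depth if d >= depth]:
            del last_at_depth[d]
        p.parent = last_at_depth.get(depth - 1)
        if p.parent is not None:
            p.parent.children.append(p)
        last_at_depth[depth] = p
        procs.append(p)
    return procs


def lineage(p):
    """'root pid -> ... -> pid' for one process."""
    chain = []
    while p is not None:
        chain.append(str(p.pid))
        p = p.parent
    return " -> ".join(reversed(chain))


# Burn's elevated instance is told which PID to connect its pipe back to; on the
# command line that is the integer after the two BurnPipe GUIDs.
BURN_ELEVATED = re.compile(
    r"-burn\.elevated\s+BurnPipe\.\{[0-9A-Fa-f-]+\}\s+\{[0-9A-Fa-f-]+\}\s+(\d+)\b")


def burn_elevation_links(procs):
    """(pid, pid named on its command line, pid of its tree parent, agree?)
    for every -burn.elevated process, in tree order."""
    out = []
    for p in procs:
        m = BURN_ELEVATED.search(p.cmdline)
        if m is not None:
            claimed = int(m.group(1))
            actual = p.parent.pid if p.parent is not None else None
            out.append((p.pid, claimed, actual, claimed == actual))
    return out


# An image under a profile's Downloads folder means a user-fetched file ran.
DOWNLOADS = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\Downloads\\", re.IGNORECASE)


def executed_from_downloads(procs):
    """(pid, parent pid, or None when the parent is outside the rows)."""
    return [(p.pid, p.parent.pid if p.parent is not None else None)
            for p in procs if DOWNLOADS.match(p.image)]


if __name__ == "__main__":
    tree = build_tree(ROWS)
    print(burn_elevation_links(tree), executed_from_downloads(tree), lineage(tree[6]))
```

On these rows both elevated instances (5060 and 5780) name exactly the parent the tree gives them; the clean-room relaunches (4732 here) copy their parent's -burn.embedded arguments, so the PID on their command line is the grandparent's, which is why only -burn.elevated entries are checked.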
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1): Component Object Model Hijacking (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (1): Component Object Model Hijacking (1)
Defense Evasion
  Modify Registry (1)
  Subvert Trust Controls (1): SIP and Trust Provider Hijacking (1)
Downloads
- Filesize: 16KB
  MD5: 2e0e2cf92a504b9616907a8e45c82553
  SHA1: 6da22a13fac5d600c5b2d1b6d1f3981412d1d79b
  SHA256: 29d4e223d91428ce33c30612b5b1ebbe2b2a7f12df968fa8e61c7111d7e7bb25
  SHA512: c7780f16cce9985393ec9e2cbc89ce410aa17d6d095bc3bcba3208547aed2fae50e74af24eecd66c04f9a266b59ea5c350730664fb2b29394fe8cc4f648f9634
- Filesize: 18KB
  MD5: 734b85d80bddef505a038c558a448bff
  SHA1: a357a5f31e832e75f3024d967c1ef0badba4ecb2
  SHA256: 19d0cc07e967fc81f605fd58e92d23fa1567b88a8ad0301cb96423a642f37cee
  SHA512: b06451041522e8eabe49861dbf14f9385e165a366d09c7b5cd468f0b15c5a0ae8d34c669afa968c82a5c2c048b37064373865f1cf5e1d35649f70454c0d602c0
- Filesize: 20KB
  MD5: b8f4067a2af6283234049e40a415fe55
  SHA1: 10ab3ea843969dfd23a2e321a7b962443df08a41
  SHA256: 7e923affe1e24190ca8da6286eb0e2d40d7a0ad2b9c08de8f6d5aadd2585b965
  SHA512: cb391f96c1543c9ac257b59948df7f7745b39dc7a857d0f24991afe7e3288f554eb5ff961151bfa86831abbf96f3e2e42f3ae9413767e8ae2241198d108f3e88
- Filesize: 19KB
  MD5: 92b1e91030b3d840ba04abd86345b214
  SHA1: 1815c6ad878687411d2040fd9a90128906f7b026
  SHA256: 8c35cd3707e02d3b8a50f14eb947539c0f6100afeef1ea22b68f972152355bf9
  SHA512: 82a228f9157b90c6dd1dd1c73eda386edcba82e44b523ccec593e0f935b4843a3c3b81383a2f12b3e4cbcc8835bf520cb4f96e9b5c252541bb02db045db64e22
- Filesize: 19KB
  MD5: c2d548ac52c92ec2841164701e17f2fe
  SHA1: af66e47ea247d35b2a0e29d1a85be36088753979
  SHA256: af755e4a168dbe0fa2648de3065c40bd75cad2a281014baa68b0124e51b3f195
  SHA512: fe082f007a0e7a6ee508a07ce3944069506208daad9ef262c0cdbdf6287ee8c1841e4c2773f7c77bdfc0e22c3587937e2e48c75451b24a5835fa5da9a2cac1d8
- Filesize: 19KB
  MD5: e10a225b974da63211076cf400d68e72
  SHA1: d97dedb049bac77f4ea5ce92c8d673d013723290
  SHA256: 4f4617756446d31cf735f6a55a21e812a4eb2c8d14a8894fdcd499e084bb5ef1
  SHA512: 34b81995c81ebcde4d1a61fd3dcd62311c2e5db21cae84ff21da57e86ffc6800d0cff08c859f9046acdd9c100f5fc2a33672b20a0243ea0151a3faf701752f9c
- Filesize: 21KB
  MD5: 17f989147908724de0bc44b8a2b5292a
  SHA1: 273c0e1e4863bf89d9778c8b2f1c7966f4b41275
  SHA256: 2dd82c998a6adcb87c4d158c18baf753d22d4ce2a95bf0b61ab234b8a98e33ca
  SHA512: 5a6822aa98494cf994e4abc9806d5410eb9c1f68d093fe4778d228bd1b5b380a27f109e2c57ecfe50831eb4f804510f68ccff72b83776d1ea2e88401bb15a4cf
- Filesize: 21KB
  MD5: 81d2fb84144c773c65de6503f8995d0d
  SHA1: 8bd294f603a0b288aaf3bbe6c2b5bb95c66cf087
  SHA256: b0623a0bc79f84417bd04b9003ec3a0a8ae881b114493a86dbb63196f3389832
  SHA512: 551e10ce3ed81f92bded8057628fd1a98a58c653e9f816a8ad7462f0ea36d948b87f7502c8afe31bdd6529b596063aac56d31207edeb8143d7b7e780e7fbe13d
- Filesize: 37.4MB
  MD5: c2488c93c2b3848b8b6875dc4552214a
  SHA1: e50131a8ee5ba4fd0eb16ca5509719a0503443e0
  SHA256: 7582e8b759dd7affabb396536696f29053542cb8db782c4fe90d5806f295272f
  SHA512: 2c615ee342dd410e76f828de3d1a47829e4719d6212907a18b8b1db6b3d4daaea9080388e3ca1784b1195137f6e0c7d48170e889b40217cfabdf9a68fa03a78a
- Filesize: 24.2MB
  MD5: 077f0abdc2a3881d5c6c774af821f787
  SHA1: c483f66c48ba83e99c764d957729789317b09c6b
  SHA256: 917c37d816488545b70affd77d6e486e4dd27e2ece63f6bbaaf486b178b2b888
  SHA512: 70a888d5891efd2a48d33c22f35e9178bd113032162dc5a170e7c56f2d592e3c59a08904b9f1b54450c80f8863bda746e431b396e4c1624b91ff15dd701bd939
- Filesize: 13.2MB
  MD5: ae427c1329c3b211a6d09f8d9506eb74
  SHA1: c9b5b7969e499a4fd9e580ef4187322778e1936a
  SHA256: 5365a927487945ecb040e143ea770adbb296074ece4021b1d14213bde538c490
  SHA512: ec70786704ead0494fab8f7a9f46554feaca45c79b831c5963ecc20243fa0f31053b6e0ceb450f86c16e67e739c4be53ad202c2397c8541365b7252904169b41
- Filesize: 7.2MB
  MD5: 4f3c2c7fb88bfb97b3a88f9a425f0361
  SHA1: 8ed4ecd3ab67bd32cfe944ae5deb7c6fed81beec
  SHA256: 72e030b72a052321f5e76de854cf49b144f497b70e318e3aeef037c2123325f6
  SHA512: ca30399cee365ef8e2ed5c0a139bb263112a39895a70f3875fc676f505f74cb72d3ab5d2b1827b29725bb648b84ca07616433bf7c1defb95db7385aee096b0f1
- Filesize: 7KB
  MD5: ead852ed07025210b1fcfae0dac39937
  SHA1: 9f0bc243e8cb9dfab6d3481b05302f541b618350
  SHA256: 2082999663405a8fb6653b44667823eb5b4a12c871819664c946a81a1ca2850b
  SHA512: 6430c986313b5fe8d8325bd9968931629afe9804d2a6c3963b60f45bc54e664c5743cb19f177d0d7eb533e33cab243520b1869c653ba2247db615510694762d7
- Filesize: 40KB
  MD5: 8c1e6b089f957c67a99945dde592303a
  SHA1: 2a5186dee4f01c1dc1b62ef305621c5ccdd68292
  SHA256: ba924dc6621e444493f72fb9b8a26789fc41687930a71e494e354038ce8715e1
  SHA512: 589e15be4200f9415ac02d904f04a96e02c962b2e5ca67e93187c24c4873135f92c0e35ac22abdf9ebbd24f2b8c82f7869b0da14d073aaf89c49c7836df50bd4
- Filesize: 152B
  MD5: 4c1a24fa898d2a98b540b20272c8e47b
  SHA1: 3218bff9ce95b52842fa1b8bd00be073177141ef
  SHA256: bbcc378fcbf64580e7a48b4e7ca9be57fa0a1f2e747f488325685bdb18d73a95
  SHA512: e61f196e7f1c9a5fe249abe9b11eea770fb2f4babc61f60b12c71f43e6fe9354cf14869daf46abc2c2655bce180252acd43c10562a2dcd31fa7d90d33253820e
- Filesize: 152B
  MD5: f1d2c7fd2ca29bb77a5da2d1847fbb92
  SHA1: 840de2cf36c22ba10ac96f90890b6a12a56526c6
  SHA256: 58d0f80310f4a84f687c5ce0adaa982eb42fe4480510399fa2ae975d40bb8bc5
  SHA512: ede1fafea2404f16948fe0b5ea5161ccee3ee6e40c55ff98c337eac981a6776b9c73dc030a5c59e4347aec91259f497539206e71949c33adcecbf2c846709e14
- Filesize: 215KB
  MD5: e579aca9a74ae76669750d8879e16bf3
  SHA1: 0b8f462b46ec2b2dbaa728bea79d611411bae752
  SHA256: 6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf
  SHA512: df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640
- Filesize: 62KB
  MD5: fdd3922edde39c73dc37b568650e47d2
  SHA1: 1566ef03ec365d9d7e4ac9fc9cbb4e5609b9b976
  SHA256: d464beb2c15b29d24af42a7cf74db9539652dba74de861feb169145b5589a3ad
  SHA512: b3c7e48d1bdf62d8436ff428af14155a5c2e834ffec8003e9457fc1458cd77b7474210edbb5f57eb838723844f6139b3c523d3a9d1d4f525aa067bbccb9e146a
- Filesize: 31KB
  MD5: a4da976dde535a4f11ff4c9d57a8a56c
  SHA1: fc4c29049db6d81135507dc3736cb638340f55aa
  SHA256: 6b85680498d0061e6b748f0fd9c904c74eb9f265f7d6ff6b33a37a0656164bf9
  SHA512: e3db7eb080a2c927ec3a223d16d818cc76f9da51525a91b8eb3cc9e15106e2939ef6d550121b8cdf76d38c001971662d833d70a269ccf35d36278d25cf42aa18
- Filesize: 41KB
  MD5: 503766d5e5838b4fcadf8c3f72e43605
  SHA1: 6c8b2fa17150d77929b7dc183d8363f12ff81f59
  SHA256: c53b8a39416067f4d70c21be02ca9c84724b1c525d34e7910482b64d8e301cf9
  SHA512: 5ead599ae1410a5c0e09ee73d0fdf8e8a75864ab6ce12f0777b2938fd54df62993767249f5121af97aa629d8f7c5eae182214b6f67117476e1e2b9a72f34e0b4
- Filesize: 47KB
  MD5: 0d89f546ebdd5c3eaa275ff1f898174a
  SHA1: 339ab928a1a5699b3b0c74087baa3ea08ecd59f5
  SHA256: 939eb90252495d3af66d9ec34c799a5f1b0fc10422a150cf57fc0cd302865a3e
  SHA512: 26edc1659325b1c5cf6e3f3cd9a38cd696f67c4a7c2d91a5839e8dcbb64c4f8e9ce3222e0f69d860d088c4be01b69da676bdc4517de141f8b551774909c30690
- Filesize: 62KB
  MD5: c813a1b87f1651d642cdcad5fca7a7d8
  SHA1: 0e6628997674a7dfbeb321b59a6e829d0c2f4478
  SHA256: df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3
  SHA512: af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b
- Filesize: 67KB
  MD5: b275fa8d2d2d768231289d114f48e35f
  SHA1: bb96003ff86bd9dedbd2976b1916d87ac6402073
  SHA256: 1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1
  SHA512: d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811
- Filesize: 65KB
  MD5: 56d57bc655526551f217536f19195495
  SHA1: 28b430886d1220855a805d78dc5d6414aeee6995
  SHA256: f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4
  SHA512: 7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb
- Filesize: 19KB
  MD5: 2e86a72f4e82614cd4842950d2e0a716
  SHA1: d7b4ee0c9af735d098bff474632fc2c0113e0b9c
  SHA256: c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f
  SHA512: 7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1
- Filesize: 25KB
  MD5: a0914bc7fb19bf3ddf3ff50958a69e42
  SHA1: 24b38738128b1efa1dffa433b25d5b1dc19dc124
  SHA256: 8b7bde3c9555d7d20aba60467cdb0e5901bf9112ac781562fe9cf442fb08cd43
  SHA512: 7693c9bbafdea30976470b3ff95bb6551f7cc2234d8179e820764ac4ec8e1a8368eee71a8804e07bf0278d636be08bf14f8cf4f3bd586328c8e9a12834df2b7d
- Filesize: 151KB
  MD5: 0f31134987b19699ee4cd0aeb9071eb8
  SHA1: fb922e4f7acacaaf82d18ff67f3edbb91f6bc32d
  SHA256: 06e28481014b8fd1a14aca11b356d3001bad5d467161793b3a13440717313a89
  SHA512: 02f8aaf584055393c15c291f2dea85f7a9f334df3d468e2b3ead674f3e12c754396b4694dc12e8a6c5ab51f89e47df1319b6682d87eccfadc76676e954a4e1e4
- Filesize: 137KB
  MD5: 75bb8cf0d0646c3098a0681eec9543b5
  SHA1: dcfe7b88ab6fde6ac9d9f2b7f3e07b5106190795
  SHA256: b1ad099bb624da25be65c6cf34e4dccbdcae2051157b39b105f8017bd0412d4c
  SHA512: d64532b3359105076424c084c4edebdf199e80a4522f2b7e05574c4532ed1000255e82a2851bfb896f35eca454fc82efec9bf3cd85d283e1ebfa9136c5ebd0b4
- Filesize: 40KB
  MD5: 3051c1e179d84292d3f84a1a0a112c80
  SHA1: c11a63236373abfe574f2935a0e7024688b71ccb
  SHA256: 992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3
  SHA512: df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff
- Filesize: 53KB
  MD5: 68f0a51fa86985999964ee43de12cdd5
  SHA1: bbfc7666be00c560b7394fa0b82b864237a99d8c
  SHA256: f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f
  SHA512: 3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7
-
Filesize
3KB
MD5ee4942c777ce8b85c70b9fc46e57dc12
SHA1b1fb97276bf4940e77354e51be2238b09192bfaa
SHA256b30fe866a2871e1061e7be8af8006816c2643f663ea0e22c4629a601828c29d4
SHA5120048254f52ca83facc2aff39d78330784c5c5758a1fd855b7f3406af9cb2c6e8d18950ae37ffc79aac95c465e597eb008d3beac10b08bdc96dc3ded335777b26
-
Filesize
5KB
MD59e2d4e68c1649b390d527c2204c98270
SHA14a616c9b59f9242d8daff3df8ed9b0f4735e88e8
SHA2565d3501c2e6f47a47be304c04ac3ac3b512f6988219113b02caa82c424eb4591d
SHA5129d221ac0e0fa1745fb56a2eb2f4ca9e16c24eec6da6f6e840c669068c9357d28bd817af2b9c68c12c972fe001c2952b8d44081c97345536d6c8e3769ad6a7eeb
-
Filesize
1KB
MD543a078afc87f92ecda7e4b42af2b2096
SHA109029746a4c051287db35292496548baa9f76b2a
SHA256a490ebea59c00f9dab584acb557a5d2d3613e4cc9f0090629701acc33c9d379a
SHA5128200f57c934e9378bf47642af7632101e5b55517159251150bf6a8cfda83060496440219abf50bc3d0aa20ce1fbf1d40f89a70f8afc534494f75659b88cb29bc
-
Filesize
23KB
MD5cef679d6a65976389a1997f95597d254
SHA1ea12f014acd741b9c51fe0d71f864860f27fadae
SHA256b9fbcbe86ca39242cf61764805e6c07b0d210e81d1bf54a19cfd2a86ab3754e7
SHA51246e9909b6a8fa31c8133d2a9602d4af03dc0f632a65da1e84ec5df45885d221c1dff52572f877a00786d39c10b43ae790877b0703849d3b162bb926796b71ed6
-
Filesize
9KB
MD5f01676aadadc0aef0e5a58b7e0194997
SHA181c13f6b739e508ac0d0214438e5d1013dbb6e70
SHA256c57db210d39fc481075d2b649f8a8ae3dc88204ec7f128218e0786a06aaba0ae
SHA512601e707bc8f0059ddf6f9a29996ce8141e74346763ae249297bbd7113be7f2bdbde43efd61835c42bfa11115c83a7b5039a04d2665264355c39507af1aa053f9
-
Filesize
1KB
MD5f1c587d3da84b1153d1608c9e25b9a76
SHA1ee7162e7b7163f7de672dedd1ac8a852be08047a
SHA256a7aca1ec89642150ce02a55943c2c19f53ecbc647aa7c91591e61b8728bf75b2
SHA512a5b94eed13cbd4d67f07ef4add514c8b542738571f68c9eedc263f53aef0b1b89219c0c34ec634f4a771ab9d986c19eebc35add2599240c8df02ca5f3dc66e4a
-
Filesize
1KB
MD59ac89542504cc9866c2317e617b5ace0
SHA1742d0f159da6a568bdab85346bc895ce29cb9c7d
SHA256da6c5842a82542300e84df6e007cbc2a706bb0f9f29d6cb94c851e694364c93e
SHA51271438c599dfebcf27f059596005234b1c327320ae00578649133bb06bf23fb63338b3a932d343dc96b70f385d7acc51e46987adaefb85d6602089f8616c862c5
-
Filesize
7KB
MD512b448b9feb8a7a8277e208dcafa1a2a
SHA14c69240ea92a4a859101e25d7acf95ca374a3e4d
SHA256d47b05479c96afa63309c79e4be4dc64faa759997b8d6aa1d2534daf5427dd69
SHA51243fa4f65631321216d5cbdc33b579dacc37471a7c955274f589a607cb86148e642cb7d6f5434c60c305ccde5fc7e468c6bc5fee4087bd1ed294ee78ed55a68db
-
Filesize
3KB
MD5ed80a880379b9b658078ac6321b0c51b
SHA14abc8d2d80efba85afe067b0dccdf2fb5916411f
SHA256f48b0303f13e6e9f907380979b0feb81201db2ade55db8c3ba929c3c43853615
SHA51294474ae0618fe822116da1fdca391450477e916de53b190c35d0ae0c47d5bd267a02afdeae4bf800f157acfb1f2e79724881d035a2ce86845d1e5f0893aa4314
-
Filesize
2KB
MD5a4e64575f0df2b24f12002f1e57fcd1c
SHA17157b68eaeed79833b9766d91769c3ecce5158b8
SHA2569726caea04d7bbed7d14e00c7c069c1b403684ad799d24486dd9215c11e4bb99
SHA51229c88a21360419b5dee30b8c9d5fe85853ba19569c8437f9bf752d835b30454323d5dc634c6c7103f8b60a0aec05dbf688c09963c04ac58b222c1299aec4f48b
-
Filesize
11KB
MD557965a809a89937daa75f0a13ee1fa3b
SHA17d094247e3b8c44bcd4d4152ad7d9098cfceef96
SHA256b03665c5043bb2f4f0f96490ac843dc387367baf6a5e389bb2ffeb52630824d0
SHA512733966e58355ec64e3255cd44fcc2cfec199b54c7fddeb9c0e202c3bb79c5f1e0b839bbbeb80fc07b59fa13ed629f0e54454d1661e9b9e61ffbc61e22885855d
-
Filesize
15KB
MD5969cba31de526db7027db81d4704e35f
SHA1d13bd4df9b00da91aec7e671c1fd7d13d0582df6
SHA2568ba7862a4df9ffdfe5353e5336684ffc5ec42e5c4244573d34581a74f9d61a94
SHA512943d460d74d3e87d6a99509b413f40fffe39a09d99966028aa6741d1596d1815354a2a075d98b4f7855e6e3454f0be078ce332956166dc94b44199800835c3b9
-
Filesize
2KB
MD527847a460cb024fda001ca446f2b80cc
SHA130f06fb986f3b33faa4752cc0fd2e54e909153f8
SHA256cb27dac940b7c8eb4cf9bc3c85cf7d2febe5332d98c4f0100ab64bfae341e8d3
SHA51230d9afc12da74a105d34bb76b1036b3adc88203ab9e62b674d722460a4f561d80b410fa5aba5acf241fd6f05ec3b840f0460176885fe4fca030dd5bebc07672e
-
Filesize
38KB
MD5ca8833ee08bd97215536245c76f5b9af
SHA1f2bb473843d92f1347f609bef1af306c113448ab
SHA256feb669daf057ad9c17033186f35ecd57c9ea2bf4e0bc422ea432b2c5e7188ff4
SHA5120e139d3f414071494d5383bb5645976d261e1a93c0010613a61b368bdf5f6d5e83811a3832ca6e7adf4cb9f61b3db477d5e7c9a763134cd5760cb57a0932a000
-
Filesize
12KB
MD56634a7e1fa16a746c0c14486ea92327f
SHA1f10aa0c1525f44458417d6eec44cbf6267359522
SHA2561d1897af79bd591cf02cb757de621bac82c4fdb7e0aaa44061702408bca5761c
SHA512f17c81a3dd2dbf460446cd2a496a0a5b05c592c53e56c5d7cc32c0d6742c7de90548fe451abb259f4c6f3e9a5eb5c7327c5f1530af879b41321104811d845ea8
-
Filesize
262B
MD5473578ea557a9a73b10ea64474bc8965
SHA1047514e5d49b8dd83bf3f1d07994580aa27c5f65
SHA25694840a78d9cbfb019f1ab8619ec7ef6786ee686d31d526218c2aa6a166f24552
SHA51267d2383d93ea33db21a269cf8e1d1287c1705b1f515fc6609e847f544295fef822699bd388e1e32bd0e147994168cb3262c63ecb3bd7bf87af830bee8b004fd7
-
Filesize
3KB
MD590517e5fb4e8cbff1ee3ef34a7e1c7ca
SHA19a9761777a4721c30900981106f98d26e5494924
SHA2565b0a8bfaf319861d635404c64193767599eb31b38f83e14fcba31b76a6ba0e9c
SHA5126832bb4b8cd6851a52a1361539e7f6cbd0db96b544ef14533d4cba0b4f7c0ef23ce30b02911b953b7f4929e80502f789fddd2092c5b852386f31123f9dd02b89
-
Filesize
291KB
MD595ef9322e891028e41ee54b1812187e9
SHA172bc3683ca7d2669518fc18abaeed77d7bd3a17e
SHA2560ef94bb83dafb81325d61edf5695f6921840536c173c26d606c278ae43c4a5de
SHA512c96266320bc558f651d0fb3d807321af576779d9d21e96ec7131eba71ec41d1b69dfe78fb64bf95a7c9174eae9bf34bcc9d30b0eaa818b5bffeb5fb940cba804
-
Filesize
10KB
MD5d50f2d795e0496c332aa832dcffbdaea
SHA15eede9ab58f835c7fae4d0b0ba47f07b9768cb83
SHA25699f9de8b99b6365f394d88ccd3f530ef3f3eb3b2213e1053c5008293b09b4de6
SHA512cceec66d11d7f9d46a4f454e3688a22f82cbbda6b8d6b43e80f4dbcbac7b77d052191179eb14ea89a12f5591f2b5bef5ce3428d568f1f4e8a1822ce7bbde1725
-
Filesize
2KB
MD58544521097fe69984a5d779b91d3b00c
SHA1ecf0e442b213ede86260e5c703c2c6e8fb0ba479
SHA256f1108256f9fcde803ad094c8db391fa7b152eab874ac15a0c8f687935dd96ce3
SHA512b27555de9d9a9fa7022fe582a5ab30e3385535ba258669728be2d2ceaef1f7da4c227ef32be815973069cf6b36131731cc73326915877aea768134c38da209fc
-
Filesize
43KB
MD59a2a3318c6519fc31ee240fa9267feea
SHA1b645289de35cbd2a5da049f6f725c27c9ddfd700
SHA256f292ade6744bf8fa8edfb910b3369fb8f0dbba2247884d310f1f7bef5f37a0db
SHA51210310a04a695f80eba95eeb1640b78b0981d6948c4e13c121498663ebd140d346662718a22af8e646d5b29e996067d41e12b8b560e337539b1b0e7140a2a1843
-
Filesize
7KB
MD52f1eed83482462ccd1ee92f8b4d4e69a
SHA19e0ec80e3447e6fc513869439e7eb3e6b19dd042
SHA256d167cbb32155e501e1146fed981e152ab07c56e96945d6164f4fdbce686222bd
SHA51258f9e830ffaed23043366c4f5ad7306191143c748dd9a750cfa30752fab4da197730f01527526e10d0428ef9d3a8dcc3b09e234bfe369603dbe3921ff348e0ff
-
Filesize
34KB
MD5ed1878dd0306f9d0831e8c3a94567e15
SHA18d615fd03072bbf56fd3b00f23a8127ef06ed62e
SHA2569f6e39227714a2c99b0ebc81dd366d5f902f9962624f94ca1d0268679aa2fd47
SHA512bf318e8cb5640176a199707ff7dc342061b7fc1b2a5bb137c8f71bcc9832ee8455b49a6979ecba6113ae2a596f227278882da83f6fdd6406bd461f0b3ffcf3d1
-
Filesize
8KB
MD50e99d81f072a3232f92e800315eb338a
SHA1586179e54b29c68ad3afe46de36e7242ee758820
SHA256f8a9f77bb2fcc8b60e71625a6249a98111efae09bf50190b0f2c5a5ed7182819
SHA512a8138456ac2e4011dcf6a3400aa774fbc6e8cc4ab654521f2617da28bf65cf05428164930283fbfd68bda530dbe924bbfaa71403cc7b9f49e8472506baf7a014
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD5da2f478b5faf7ba7afa3c8178d3bdecf
SHA1c578c6316cd571117ffe3feb7876215fcb3a0e49
SHA25636459bfc36ce4abc4a35400d289951967127595f54cb073aebc64e71e0a2422b
SHA51218faa60fb145aefa5dff86b0625ca30acf566216d25c4d3803fa78b813fada3e41c10c4856b602419794936cd5d1aa8be57caac401683f815494202e60f144a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5004a0f08ae2fcdd52f5f0a1a4d03b637
SHA190102de47aa4edb4ad4ab2bb516903857992923b
SHA25680d28d68e0fa07bd9adf6a31caceabbc1800b4f01c1fe804b27eaf556b1bb45d
SHA512f1d1ab0bce41141eee80345d8560b495179d89c2b6ca4868edf792877beee950e4830d04bb6e8b65919396ea7445bc9b3876a76bf5cbbdab76353ab6bd0f209c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize3KB
MD596030ac64a515ed531537d8be1c10b97
SHA1b8b20e663608473b0456110953f2115a2a9375ca
SHA256f53c1406d6a58ca61cb9660b5a123c94ba6bf682aa1687cf461f80432e063a84
SHA512847addc005c18e112c0424718b1c215be7ee165fba29b8db9673f2218580eb28eefc80b8b981934fac5602912b637f02cccf2cfcb6df4ff464c5078f8f51fa23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize4KB
MD5e27a3f761fb777106e8d663d418540fd
SHA123c4f00186e30a2cce147ad9521253b57651d13a
SHA256280d9e86a9ac88e5cb9b34a393b24176ec4f498a3e66c6efc65592c561a913fa
SHA51279063b7c537ef8d88cbe8f49d0b65870a05aea3232c97b6e0ac76fc20b6f533972348480286507d0151b78cf9917fe57b8dbaaeedb66731c8fe1a71a9dcccec3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize6KB
MD5efa1c11532820c15b9d71773c70fda3a
SHA1ce33722ae22ee9e6e6ed8254f7e20bd94793f3b1
SHA25663e6be6f78f549aee70f6d08d1622694780deccbf5f8efe896e927e0d781b0bd
SHA512c3206d13347d84ce1e11d9e0f49ee203439a016a96e88e86b78846e5f8da265e6513279bec450ed0ed3f5f5cdd94aa841b5b83b311e94f917b009c6730f33f9c
-
Filesize
12KB
MD513acd7c1b1ebcfa8cc609aec644be532
SHA19a180588a9fb4851f421075e8b127ce966008c15
SHA256cfb52d622e6ea0e40310b840423ee8ee0939769ad2fcdb590295e0831cbad56a
SHA512da7e0072467b5966d24361d69c4ed0edec4d2648ed1f17033efc7826600816e357f2043d2d9858e5b60213ae9681d8fde8bc29822b02dbb25f02544e912748c1
-
Filesize
14KB
MD590bd606229b29dbce8fa3aa227f112e6
SHA186726599c2036ae1b1e72e07cf380bbe06cc333a
SHA256ade5365e78562d4093f8730218a3c415b6e05e3a38cee94bc0063206e8277ecb
SHA5121a2024057fc8d87ea681c73be0e8463d88060d6f50e091b02885e6cff8d26469d9f2a210055d397a8c533834e333aed15003a34637d65d160bb3222fa45fee91
-
Filesize
13KB
MD54237c553a26afe9a2d3fe285f61adec6
SHA15002eb0c38af065e8ae0546860fd66e24d90d337
SHA2566846d459bcf1ca464d5aa3c1735401de2f058c2ee5bc1971dc70589b99599ab0
SHA512e86ffda8edab18c53d5d8d9e7adc47de0058765dae2b285a28e213eb95f42eb759e8e311b3f8671603f614d8dd3fe726025a899d7ccb17f2f0b2a7d3652bf70a
-
Filesize
15KB
MD5dd6ec3adc85183ac2b30f9171f2cfee6
SHA16a441ba218742cd1cb5cf21dc44d1d93964c84be
SHA256439fef0cbc8eb0a62c70330dab7bfc21487157b860cd30076beec7b4a5cb181c
SHA5120ebd0885842545d1bca83a92e7040e8770281c42417712a5b804e73c3274ab2942a46031135157a95fc6860a99ed798ecc8a3cacadc0bf4f78658ddd94852166
-
Filesize
15KB
MD5cec2d5e62703f9ddef0e31a838f65e57
SHA145522a16977742c96d7cfb8a2da210ebd2911ec1
SHA25614a3330d036a4ea8c5d02a65af5c906b4430571c8d4d37d188854ae0e02d17af
SHA5124fee3f5a5d0ac9986b7815fa819a459d1fcaf1e5e2bc2111ec77d132b3730a419194bbc1be1e3dc9f4a01184720a93098a909f9f8b8c228a31061ababbfab3f2
-
Filesize
14KB
MD55ed423e376fb7a8451a46318e36bf5a3
SHA10b9fcb0859758cfa5575af90373508782b8c80e1
SHA256e5ae1feb01d4b7faafa3f28fa28f8786b826058609ee79d621f17dab362d9b0c
SHA512fbc4cd4bb848c1ac33b979b622cd003a6078bf0f0c365dd700265ecfe75adbf0397e854055bf1ff8201d8fd6e55a2b3f13f01117a7e0787b2cf72de8d8b4ed48
-
Filesize
15KB
MD5acd4bed0aad488781e92e499a4333ae6
SHA13c6e9c4159014a01abebe35383900414a890381b
SHA2569aa1cf5a4da5e519862ab2268764635ab5b573ac52f7784a5b4ae9446cc2f823
SHA51229fe1eadae2a9ebf988130c4dcfb5f494df1458ffd4213ca33282d588aa0b386545c4941f6107c651715353db7b319eeaf00285c8ec5fa6e44b0ceee48013ba1
-
Filesize
5KB
MD5c4637fea59cf08941350f6e10e3d9f84
SHA1378d68f8340fd7936de41844a8c8a999b12a6706
SHA25600031917886d6c8e8ec0d76c1be442f49a1078a810ec11cdc631811ec9d3c9ec
SHA5120306718ddac299d8f5ab2cf5a995ad3c44fdea5b5de3ccefa8d9ae55e173c78dc07ce1e1b32674ce52b367d43570909fd8d89e9175332edd5c71b08490dcd4fa
-
Filesize
13KB
MD5e1583eb6e21f8096cff6a8f2f3a7131e
SHA1232a89781fdef8a1e6755fe1ab05521dbef8fa80
SHA2564f3b53ad754c1dfaacac5c042979677c6d705e98822d9bcbfa21262ce007022c
SHA512fffe4a31e4fbf034c72d782ec46910bd148c44a79e756891129fb1b163b9172bab7da8b05f1c9ec2225c978ab8325cd286e0d9ee689be2dabd7ba2de72157de5
-
Filesize
11KB
MD5c1a5bab3ff35e2dce53b173ab55040a1
SHA17c19f60d322cdd7f13a87022c4c5cf528a62cf0e
SHA25681c199a481231749238fdafdcb5e5d78d5a12cadfcb5897f91d508993791fa28
SHA512d1ca051e175d198b3628f0f187d751f2e095e1a1d01178189b5be83f21b8c0b0cbac99e0d0c8712663f0da849ec4e36a26bef42915983ec33a0387f46fe6a023
-
Filesize
16KB
MD5ea0ab1d5568eafb3d535d5adc68bd3bd
SHA17fa9dacaae08576228b8ad84fbe400aef2b7fffb
SHA256ab0c3aa0cb1133cfdbf091f8d1e57cdf4c64b32d3a21ad65f75789ee955db5a1
SHA512403699fc6b5a6decef00f8a737261afe9f21502d02e3eb9545f83d43df72e0761693b58550132877d06e31cf98a172de2ee0efc8baecfdbf51ebb10451af12e0
-
Filesize
14KB
MD5fcc3214b6f190225574013f12105038b
SHA16a24afdfda701cb193398ab806eaa58bfa2c1eed
SHA256111465e3f2880b2b1d0454c55dc709e59e9fe6671c0b444b7a0e592e8829e167
SHA5126247f704f980a11110b98eb9ec979e2467c866c081053572ee8f4be8bebef8d25ff3fa9000c0e0ff6e4ad9ea2585a6993a2eb7c24863e0495a587b6b70efb3c0
-
Filesize
14KB
MD50bd7ee1069fe2692b3b58c97f8327932
SHA1a82e29f0e7e81b9712ea16dd3cea10e3bffd0ebc
SHA2562237c5300ec578b772130f652d157451ff6a13c0affa382f8de77e40c49f00fd
SHA512a0e2a7b83f34339d81da80cd0c864c279b7d1c76e7994a78090df56df12258ec28ea721097bc19fc22886b3ccc7dde9002337bce0b395380d28942cb3ac1648c
-
Filesize
14KB
MD53926c2d9d99558a2db7435a9f54cae4c
SHA1912b1290e238fe70aff180e291d7640509228950
SHA25666227e8f730e41e46e75edef9375627dfc77c848dcb141fd975d689b470c078e
SHA512b99aeabc0bd18f8b97981e0ebf81f72a4dde5e4e51d6cbd4349ab37970c7ba2bc658b1fea67ce5ff7a3bdeffeead3a48a8106ff42542f44cb78eb605911d9471
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B
MD50e780753fc773216ff6c1e30ad73a9cb
SHA1ce3cbd11290b0f9b5298327bb56acbc79292790a
SHA256e1220e566fbada28bda7aaef567a6bbfa21e55d7c082fb47e226d48d23bb645f
SHA5121580d9b1e2143d437c962b31abf14dc9a5a9212f88babcdcf68979c15bbbff9da7afe530179c39cc813691cb5ed2278d45fe5f16dd99290728340f2f184610cf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57fe55.TMP
Filesize48B
MD543c744a3f47746deb3652a8051a03c52
SHA19d911330d515a7875575aa42e9208660707f99f5
SHA25673558e4a1f6060b48724eaab11cd789d8cf69fcc32523f00a53db8c03f4efc9e
SHA51277c88738b1c16f60446e0a970356871c7479f722000895492571be25e0ca316fb89d0492bd2ae0d07554de0eb925a9e476ce3cbb84bea8a5ae1d6d4e6efe2edc
-
Filesize
4KB
MD54c49f0e474d4b6ff91fee7a028f50170
SHA1cef51bb339d693d34926bc78fe83df58c931acd8
SHA256cb836f01ef87bd98b5b0686a138e330a2ea517ebf0b6d601f4a77b50342b185d
SHA512b18ee445a3a6ce4e610ac71d2104de87057c4f76477bb4995e0531f8a94d1a3087553eca25b5152a97897aaad4a1ae2bd4fa9be06fa09f55316de46e57d2cda2
-
Filesize
4KB
MD54d16a145c8d8690eb9124dc14b3150c5
SHA18168414f4cd8f2382cd1eeed62cf655018f92178
SHA256eb75bcf8ed7713f90c2b9ec1912a1be8d25d768bd0e12d5e2015dbf3faa9acec
SHA5126a5d9fc438c37458c6d6d735939e8fa2c543238309e0f043293b11f1138cd7230630e752943f5f837a26c060f90b6f0cf36e3d03dd45e51365ebe618c399487a
-
Filesize
4KB
MD557ef669a2d85cd0d458ebf16cf525410
SHA1d6ad9cef605d6a701c095265a76dd8a818ffc860
SHA2562da0d8573423e3538f90553c42c4fb1df2fdba6fc167a82fba8235f1e8611fe1
SHA512f0413d80936758e07bbe4f78af3c467b50529543325eb1d606050de42717e76f8612d9868cb0f62df9ee9fbf593db4cd39fee49bcd906b4cb94fa8563f2f869b
-
Filesize
4KB
MD5029a4d263261fc2b868169593ed89f99
SHA168ca325aef4946d5a1f30c0a8a29657e212bb436
SHA256fbf033d4b716bbf7fd4faac394c6830a7c9d14480ea7ab3ed9f03da5f6bcde95
SHA512b448f911d73a54eb37e9c64c70511a369f32411e3bf569920a19f16733d556b55df9ab8364862941857deda4d93f6330c43b57c0cd15e28c0b01dc234c54727f
-
Filesize
4KB
MD59ba3a01a90bd70559db1e58864b6a701
SHA1b168901380525a51f7a1a5f4833be50fcf4f8b50
SHA256d4ed6b9d57145a0b0016d04742e10d2d86b667127687ca42c27dba3d0f92cbb2
SHA512b360e5aeef921c5af4baf3201b5a49fb26287aef9cdd8ed077978c5f1aa8f0ddab5506b8d3335849c71ed912b736e9625553aa213f96eda295ed9e6bbff3e518
-
Filesize
6KB
MD51271830269fd0617cd93a3912df7d2a2
SHA1641b3d5de48005f61184e2a2aa5b104b8ab066dd
SHA256e0ed34df2558fb33b6c4ba768bc498ba203b1aa7879ac30356b1cd90c6a144df
SHA5125843bd7f67dfe854790513531c922128b9dfa670e00479ee98d63e12c418f15ac83d818e97a65d2210ac2ee161864e4615dd17940b0d2d6cbfa1d345bf989c5d
-
Filesize
3KB
MD5ec289a936455854d203c3b136ed9e711
SHA125feae6125ba2254ea8cc0a1d969204794cd28fc
SHA256d36819247d94cb8c322e3dd3f77d47e6a21afe15c4a4f63d6248ead64ee5c918
SHA512ad4e89fc1c323d1c03d95f4a7a8cf435bfd1b9ce88f2f0afcf2307a6cd39759411a96c55317834d9d1e1271c3a03cd81406aa110a6c508791a726b310b907773
-
Filesize
3KB
MD5785dcd8a802986b60762b57e225248bb
SHA1aaf525113c991f180d0d469444a398d388687860
SHA256e907ae03b005438f0bd2513fcdafa8962cb5b053708d9b63baab4f1a4d7c3ff9
SHA5123a33d00762d1f5904013f0846d68d2cbb9850c4c51e03d5149f52a68498f7c76cbaee2fa9e2514605fa382cc4186733a70b30026b2c215f59fa3d44d981a4527
-
Filesize
6KB
MD534665dde32e4c07d925727e542a3f1eb
SHA10bb2a39740c3e06d9deacb9f6d34f38bf518b4ff
SHA256ab68f27678d367acb00ec86eb931a352b4081344671985c8d4860f8905e9623f
SHA512ce00d3f74fe39c13718878fe80b79761c19639c07d9edc27c7e8d380e447fb2aa6b1865c200df34cc0b7ddbf24bfa90eb2f11214171a40b9ed8c87ad5155d664
-
Filesize
4KB
MD5ed0bc6d0794b2093dbfea21ddd8cd6a8
SHA13708eec0431944e8e054ed444c7347d941a65760
SHA25678456f3584961ad075d1d2e1fcb0a5c024d1c4c48117683723f26fff368ba5cd
SHA51260a8da603217130012db619ff8ae0d716ea98166cc1cce4ed46dd34bcb0fadd53b9271b1305ea221418c84709270f27bc81f88013ffe8c5546b3b49830d99447
-
Filesize
4KB
MD58352d73e1233b7692e3dc9bfbb3ca76f
SHA1fcb64e4c28a37c1924b7c5767ec00bdce7d6d5d9
SHA2563cbcb0dd31f8dac0db5db0d2766dc0ffa93542c28a0e15d77679cb0e4659b79a
SHA51239261cb992b5eccd5ec20a8b8a28b9a228581822f1b6c60045a89db41f6ccfa87a125975dfd9fe975953e14c5f1d41632dd7fb17419f42149a3ff5a6e74b5640
-
Filesize
4KB
MD5c40c84446478806d9ebb4f24975987e4
SHA117586e5a09ce29f31a9328e36a5f7fe474d5694a
SHA256bd334e51079734d28a340a5f379ea8fd59a4edef9eefc0d5979ee4485c38f08c
SHA512cba706eedbf20b20526fc388cf38d3b627584b57524b726cf74edbd9df316926219016c97d0dde681d67ccd2f8aff2053287c15f2491e1c5566a9c55ed251631
-
Filesize
2KB
MD5c4c306eef6621db810b380f1f882dc3e
SHA1b27def2f0f6d2e307be979e3d9793124bec2a161
SHA256a7d1395b8a51c1f2be069c3edab5c07df1b1127fe6ad1ab819b46bd294c52c5a
SHA512a57675a9593fe2cb652eb7811b575ff0baa32fec50e1c00eaec0279ba5cd00ba66f0a64813d3ddb483245fd754b9c1f3b4d9f4c82b5cb1ceec3e3fdc309ed789
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
11KB
MD5c26ce3575b2aca2166821d581554e808
SHA1280bb8a92876deb1cf5a56f05c37d844d5037810
SHA2564bdb04616d7077b382fa540fefa24c88e7852ab79db70b5f3f3c55259a062bc8
SHA512ffe0573e48f1d70cf6fbb051564b3423db02c959d5057c7a0c2c958f65c92f767b53eef336271e737dc90178cf35456169d8acb7b2772bf840a6a199f9205f7d
-
Filesize
11KB
MD5776c090bf75af427a0c2395f5125e414
SHA17ffbb3bde9e9a04b51d49c1282e57d860a742a75
SHA256c643d7be7427c90dad9de8f85da3845a7f8ded9f49345579c04038860e20834b
SHA512e979761830abce45a6f06e2700e94bddd42b435dc157c62ae713712ba95b4d228604a8d4a623a4ba1daa8df25c22cfb9651bdec6a8ee7478ef4a69a24e327c1c
-
Filesize
10KB
MD55d760d987c41eeb0fec9dddd6f693c56
SHA1b20a10ef3f76f3f9f562e8a146d705e89ec70d7f
SHA256f34b83ef04cee397c528c6b91ff7c824b1c5a9e82d437e3b73e92bebdc579e50
SHA5121093edf33cc6fcfba5ff6fa041391b324f270c5e629a39fb59edeeefbb1a36825d4abd42103590ce85bdc14c2d3dfef23209dd3a355e17334a4379a01ad81735
-
Filesize
10KB
MD59379c58205dcaf84d1f2bf0fa432c7bb
SHA119c98a064709f12774708eb26bc0d057d24bd204
SHA256d614530781d1da7fb20666ec6dd181aa2b9bf63810079220f877d72535a1559d
SHA5125207ba9284583910f361bbb92a46f4ef488fcce72f9566c0e857cfe3f754f5d951fd1305752a088d1b16cd5d6d4055b76b824495439c3cd41cb4ae7a53e344b3
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize10KB
MD54b4306b51f9333a897960648eb364460
SHA1c219703aa794f0c77fb22b0c0fc2ff428d3ae28b
SHA256214d5c388d9f3f0e3e1149181f8cc1eaf2c6188058d1b8a6aa54f608a96599c8
SHA512e0a59a575b2fff3c18f0ac560043130817a36ae7f719916f0c7f5058dca062e66a63608c254e32b5daea1cc581c92b7fcb4f2b619a3ae4ea8c2e5bf628d1a362
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize10KB
MD55eb03e82fa0709aac67ed648347dc4c0
SHA10a520107f2337a3f4d3a91ae98932d55ffbd1a3b
SHA2565af7905f0a8ac99c02e820e0e2f8aa629ed0699d01f84b8cfe838f65a77ac917
SHA5127fcc24a0490f1754b8e6f71b8c5e568b9837ac257ee179df9f06e50f4c56ef3b066720a3acb6ae98b34512736bf48a8cae9a5c1f447164a893c3b6bb34c9fef7
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize10KB
MD5bbf7488d063c0ab5cfdcb1ebfb0a3d8e
SHA1e0ccd9c981a4636b36630b9a45dee3562196f387
SHA256462d2d0125e0e476329886acf022ab1a043d2f9821582f99ed1d040f19cdd755
SHA5125ddf7e95f8e333b414bc9b37acb202a52a199d48f001bfe7aefcca059b8132e0da9e2e795510398deb8bc8b56ba323c405fea47e215d73623fe22855b354377b
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
9KB
MD504b33f0a9081c10e85d0e495a1294f83
SHA11efe2fb2d014a731b752672745f9ffecdd716412
SHA2568099dc3cf9502c335da829e5c755948a12e3e6de490eb492a99deb673d883d8b
SHA512d1dbed00df921169dd61501e2a3e95e6d7807348b188be9dd8fc63423501e4d848ece19ac466c3cacfccc6084e0eb2f457dc957990f6f511df10fd426e432685
-
Filesize
2KB
MD5fbfcbc4dacc566a3c426f43ce10907b6
SHA163c45f9a771161740e100faf710f30eed017d723
SHA25670400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce
SHA512063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e
-
Filesize
8KB
MD5f62729c6d2540015e072514226c121c7
SHA1c1e189d693f41ac2eafcc363f7890fc0fea6979c
SHA256f13bae0ec08c91b4a315bb2d86ee48fade597e7a5440dce6f751f98a3a4d6916
SHA512cbbfbfa7e013a2b85b78d71d32fdf65323534816978e7544ca6cea5286a0f6e8e7e5ffc4c538200211f11b94373d5658732d5d8aa1d01f9ccfdbf20f154f1471
-
Filesize
635KB
MD535e545dac78234e4040a99cbb53000ac
SHA1ae674cc167601bd94e12d7ae190156e2c8913dc5
SHA2569a6c005e1a71e11617f87ede695af32baac8a2056f11031941df18b23c4eeba6
SHA512bd984c20f59674d1c54ca19785f54f937f89661014573c5966e5f196f776ae38f1fc9a7f3b68c5bc9bf0784adc5c381f8083f2aecdef620965aeda9ecba504f3
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
Filesize
800KB
MD5f706d550cf905648ccb55b47e1364022
SHA13c382bfe0c4c14c1ed6cbe88d6a69ad6be28a08f
SHA2567be2d324f0cb063be8335982096f17ed4f08a7592130e04459ae818824016589
SHA5123c946d88447504c94227fec259bbeed7ef458a0740c12345e425821644f8e0d9358b68582a1f6e1b74597b5dfd2976f328b706a72df30e3c76c899cd435a349a
-
Filesize
180KB
MD5df1b1ee46deb824a89f18e228f8a4a41
SHA1001d86480ce0a9e1b2fed8c48296bb3384dad793
SHA256ff8884498c3174b7d2bd35bd1a43d75d3538dca2c0821ca5876fa45eb2c8a47f
SHA5126587452fa6ebef2eac6634cd3c6d8629cdcd9f214a5a13cfbebfd232318a3a5d3cd5d3c9baa721270f5283d3127d36475d40071132ba063bdda49bc48cc21fab
-
Filesize
180KB
MD57c87329a66d4c22f03acea4e817971f9
SHA112a2134fa09fd7df026ffc20bfe58a7d30d6ae73
SHA256c78bc45113d0270c2154930761c3b74db714987a16c0fbe5e7a05fa3a853d0c8
SHA51273f11aa3f9b3dbfba157a0d47dc61ff2a22509b61339882a9c2cee53ee335b18820700d7a413b81b426e71c83443f0d99bea8b3638b8b87ee9a42f01f404f955
-
Filesize
634KB
MD5415e8d504ea08ee2d8515fe87b820910
SHA1e90f591c730bd39b8343ca3689b2c0ee85aaea5f
SHA256e0e642106c94fd585782b75d1f942872d2bf99d870bed4216e5001e4ba3374c0
SHA512e51f185c0e9d3eb4950a4c615285c6610a4977a696ed9f3297a551835097b2122566122231437002c82e2c5cf72a7a8f67362bff16b24c0abe05fe35dddbf6a1