hxxps://raw[.]githubusercontent[.]com/suffz/luna/refs/heads/main/Bootstrapper[.]zip

Analysis

max time kernel
253s
max time network
252s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 12:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://raw.githubusercontent.com/suffz/luna/refs/heads/main/Bootstrapper.zip

Score

8^/10

discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 25 IoCs

pid	Process
4216	Bootstrapper.exe
2212	Luna.exe
976	MicrosoftEdgeWebview2Setup.exe
5052	MicrosoftEdgeUpdate.exe
3680	MicrosoftEdgeUpdate.exe
3712	MicrosoftEdgeUpdate.exe
2804	MicrosoftEdgeUpdateComRegisterShell64.exe
1784	MicrosoftEdgeUpdateComRegisterShell64.exe
4152	MicrosoftEdgeUpdateComRegisterShell64.exe
1228	MicrosoftEdgeUpdate.exe
2472	MicrosoftEdgeUpdate.exe
1116	MicrosoftEdgeUpdate.exe
4216	MicrosoftEdgeUpdate.exe
1716	MicrosoftEdge_X64_131.0.2903.51.exe
4196	setup.exe
1240	setup.exe
2688	MicrosoftEdgeUpdate.exe
3660	msedgewebview2.exe
4468	msedgewebview2.exe
3444	msedgewebview2.exe
4864	msedgewebview2.exe
4376	msedgewebview2.exe
868	msedgewebview2.exe
1408	msedgewebview2.exe
1816	msedgewebview2.exe

Loads dropped DLL 42 IoCs

pid	Process
2212	Luna.exe
5052	MicrosoftEdgeUpdate.exe
3680	MicrosoftEdgeUpdate.exe
3712	MicrosoftEdgeUpdate.exe
2804	MicrosoftEdgeUpdateComRegisterShell64.exe
3712	MicrosoftEdgeUpdate.exe
1784	MicrosoftEdgeUpdateComRegisterShell64.exe
3712	MicrosoftEdgeUpdate.exe
4152	MicrosoftEdgeUpdateComRegisterShell64.exe
3712	MicrosoftEdgeUpdate.exe
1228	MicrosoftEdgeUpdate.exe
2472	MicrosoftEdgeUpdate.exe
1116	MicrosoftEdgeUpdate.exe
1116	MicrosoftEdgeUpdate.exe
2472	MicrosoftEdgeUpdate.exe
4216	MicrosoftEdgeUpdate.exe
2688	MicrosoftEdgeUpdate.exe
2212	Luna.exe
3660	msedgewebview2.exe
4468	msedgewebview2.exe
3660	msedgewebview2.exe
3660	msedgewebview2.exe
3660	msedgewebview2.exe
3660	msedgewebview2.exe
3444	msedgewebview2.exe
4864	msedgewebview2.exe
4864	msedgewebview2.exe
3444	msedgewebview2.exe
4376	msedgewebview2.exe
4376	msedgewebview2.exe
3444	msedgewebview2.exe
3444	msedgewebview2.exe
3444	msedgewebview2.exe
3444	msedgewebview2.exe
868	msedgewebview2.exe
868	msedgewebview2.exe
868	msedgewebview2.exe
3660	msedgewebview2.exe
1408	msedgewebview2.exe
1408	msedgewebview2.exe
1816	msedgewebview2.exe
1816	msedgewebview2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Luna.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
114	raw.githubusercontent.com
4	raw.githubusercontent.com
6	raw.githubusercontent.com
7	raw.githubusercontent.com
45	raw.githubusercontent.com
46	raw.githubusercontent.com
112	raw.githubusercontent.com
113	raw.githubusercontent.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Checks system information in the registry 2 TTPs 12 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\eu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\edge_game_assist\EdgeGameAssist.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_lb.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\lo.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\sq.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\nn.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\lt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\ar.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Trust Protection Lists\Mu\Cryptomining	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\concrt140.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\zh-TW.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\msedge.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\ro.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\ta.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_lv.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\sr-Latn-RS.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\mi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Trust Protection Lists\Sigma\Entities	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\identity_proxy\stable.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Trust Protection Lists\Mu\Advertising	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\learning_tools.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\ca-Es-VALENCIA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\fil.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\el.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\fi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\uk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\MicrosoftEdgeUpdateSetup.exe	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\bn-IN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\identity_proxy\internal.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\pl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\vk_swiftshader.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source4196_959430509\MSEDGE.7z	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\es.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\id.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\delegatedWebFeatures.sccd	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_en-GB.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\ko.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\mip_core.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\BHO\ie_to_edge_stub.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\identity_proxy\canary.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\fr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\th.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\identity_proxy\win11\identity_helper.Sparse.Beta.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\tr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\VisualElements\SmallLogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\id.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_uk.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Trust Protection Lists\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\vk_swiftshader_icd.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\am.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Locales\as.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\mip_protection_sdk.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\pwahelper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\Locales\az.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\identity_proxy\win11\identity_helper.Sparse.Canary.msix	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\msedge_100_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\VisualElements\SmallLogoCanary.png	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1228	MicrosoftEdgeUpdate.exe
4216	MicrosoftEdgeUpdate.exe
2688	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe

Modifies data under HKEY_USERS 44 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133766657576075806"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	msedgewebview2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\CurVer\ = "MicrosoftEdgeUpdate.Update3WebMachine.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedgewebview2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService\CurVer\ = "MicrosoftEdgeUpdate.Update3COMClassService.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.31\\MicrosoftEdgeUpdateBroker.exe\""	MicrosoftEdgeUpdate.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedgewebview2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService\ = "Update3COMClass"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\ProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.PolicyStatusSvc"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ = "IPolicyStatus5"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C76C02A1-BCDF-4632-88E6-55698920001E}\InprocHandler32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\PROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\ = "Update3COMClass"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedgewebview2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ = "IPolicyStatus5"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.31\\MicrosoftEdgeUpdateBroker.exe\""	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\CLSID\ = "{08D832B9-D2FD-481F-98CF-904D00DF63CC}"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods\ = "8"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\ = "Microsoft Edge Update Core Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ = "IPolicyStatus5"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods\ = "8"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{35725228-BF11-429E-B5B8-ED0F2BCABF82}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}	MicrosoftEdgeUpdateComRegisterShell64.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Bootstrapper.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Bootstrapper.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4348	chrome.exe
4348	chrome.exe
4216	Bootstrapper.exe
4216	Bootstrapper.exe
5052	MicrosoftEdgeUpdate.exe
5052	MicrosoftEdgeUpdate.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
4376	chrome.exe
5052	MicrosoftEdgeUpdate.exe
5052	MicrosoftEdgeUpdate.exe
5052	MicrosoftEdgeUpdate.exe
5052	MicrosoftEdgeUpdate.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe
2212	Luna.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4348	chrome.exe
4348	chrome.exe
3660	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeRestorePrivilege	116	7zG.exe
Token: 35	116	7zG.exe
Token: SeSecurityPrivilege	116	7zG.exe
Token: SeSecurityPrivilege	116	7zG.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeDebugPrivilege	4216	Bootstrapper.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeShutdownPrivilege	4348	chrome.exe
Token: SeCreatePagefilePrivilege	4348	chrome.exe
Token: SeDebugPrivilege	2212	Luna.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
116	7zG.exe
1816	msedgewebview2.exe
1816	msedgewebview2.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe
4348	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1816	msedgewebview2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4348 wrote to memory of 4308	4348	chrome.exe	82
PID 4348 wrote to memory of 4308	4348	chrome.exe	82
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 3472	4348	chrome.exe	83
PID 4348 wrote to memory of 4200	4348	chrome.exe	84
PID 4348 wrote to memory of 4200	4348	chrome.exe	84
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85
PID 4348 wrote to memory of 2292	4348	chrome.exe	85

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://raw.githubusercontent.com/suffz/luna/refs/heads/main/Bootstrapper.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8b75cc40,0x7ffa8b75cc4c,0x7ffa8b75cc58
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,3767165951777608343,10051238819422936544,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:3472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,3767165951777608343,10051238819422936544,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:4200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2232,i,3767165951777608343,10051238819422936544,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,3767165951777608343,10051238819422936544,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,3767165951777608343,10051238819422936544,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4792,i,3767165951777608343,10051238819422936544,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3692,i,3767165951777608343,10051238819422936544,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4372 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4468,i,3767165951777608343,10051238819422936544,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4376

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4700

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Bootstrapper\" -spe -an -ai#7zMap17316:86:7zEvent23584
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:116

C:\Users\Admin\Downloads\Bootstrapper\Luna\Bootstrapper.exe
"C:\Users\Admin\Downloads\Bootstrapper\Luna\Bootstrapper.exe"
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216
- C:\Users\Admin\Downloads\Bootstrapper\Luna\luna\Luna.exe
  luna\Luna.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
    C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:976
  - - C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:5052
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3680
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3712
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2804
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:1784
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.31\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:4152
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUYwN0FDREEtMkM1My00MUNGLUIyM0MtMkQ3MTcxN0MyMjBGfSIgdXNlcmlkPSJ7OTg5QTdFOTQtQzZCOS00RDA2LThDRjYtQkI0OThCOUQ1RUVFfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezI5RkI0RjMxLUY2MDktNEU1NC1CMEQ0LTdERUVCMTM4QUE0MH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE0Ny4zNyIgbmV4dHZlcnNpb249IjEuMy4xOTUuMzEiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUxNTI4NzYxODkiIGluc3RhbGxfdGltZV9tcz0iNzAzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1228
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource taggedmi /sessionid "{1F07ACDA-2C53-41CF-B23C-2D71717C220F}"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2472
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Luna.exe --webview-exe-version=1.0.0 --user-data-dir="C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-features=msSmartScreenProtection --mojo-named-platform-channel-pipe=2212.2968.10722535601262365713
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - System policy modification
    PID:3660
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=131.0.2903.51 --initial-client-data=0x178,0x17c,0x180,0x154,0x188,0x7ffa78116070,0x7ffa7811607c,0x7ffa78116088
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4468
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView" --webview-exe-name=Luna.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1848,i,1534806311861619598,4342364728827158608,262144 --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=1844 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3444
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView" --webview-exe-name=Luna.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2056,i,1534806311861619598,4342364728827158608,262144 --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2068 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4864
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView" --webview-exe-name=Luna.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=2284,i,1534806311861619598,4342364728827158608,262144 --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=2412 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4376
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe" --type=renderer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView" --webview-exe-name=Luna.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3644,i,1534806311861619598,4342364728827158608,262144 --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=3656 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:868
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView" --webview-exe-name=Luna.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4848,i,1534806311861619598,4342364728827158608,262144 --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=4732 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1408
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.51\msedgewebview2.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView" --webview-exe-name=Luna.exe --webview-exe-version=1.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --field-trial-handle=4732,i,1534806311861619598,4342364728827158608,262144 --disable-features=msSmartScreenProtection --variations-seed-version --mojo-platform-channel-handle=4832 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1816

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1116
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUYwN0FDREEtMkM1My00MUNGLUIyM0MtMkQ3MTcxN0MyMjBGfSIgdXNlcmlkPSJ7OTg5QTdFOTQtQzZCOS00RDA2LThDRjYtQkI0OThCOUQ1RUVFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QURFRkQ5RDItMjdDMS00MTRELUE1QzQtQURCMjBFQTMyMzREfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O2xoVmkxMlFjazZTbDB1VTFPQjZZMTUyOWJSNmJzZXk0K2N1N2RIeHM2Y2s9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI0NSIgaW5zdGFsbGRhdGV0aW1lPSIxNzI4MjkzNDQwIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNzI3NjYxMTAzOTYwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE2MDA2MzM4NyIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4216
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C63A5FF5-AB9C-4BE0-9711-684BDF5C3443}\MicrosoftEdge_X64_131.0.2903.51.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C63A5FF5-AB9C-4BE0-9711-684BDF5C3443}\MicrosoftEdge_X64_131.0.2903.51.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:1716
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C63A5FF5-AB9C-4BE0-9711-684BDF5C3443}\EDGEMITMP_B7E5E.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C63A5FF5-AB9C-4BE0-9711-684BDF5C3443}\EDGEMITMP_B7E5E.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C63A5FF5-AB9C-4BE0-9711-684BDF5C3443}\MicrosoftEdge_X64_131.0.2903.51.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4196
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C63A5FF5-AB9C-4BE0-9711-684BDF5C3443}\EDGEMITMP_B7E5E.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C63A5FF5-AB9C-4BE0-9711-684BDF5C3443}\EDGEMITMP_B7E5E.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{C63A5FF5-AB9C-4BE0-9711-684BDF5C3443}\EDGEMITMP_B7E5E.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.51 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff631b52918,0x7ff631b52924,0x7ff631b52930
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1240
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzEiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMzEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MUYwN0FDREEtMkM1My00MUNGLUIyM0MtMkQ3MTcxN0MyMjBGfSIgdXNlcmlkPSJ7OTg5QTdFOTQtQzZCOS00RDA2LThDRjYtQkI0OThCOUQ1RUVFfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezJDNDdDNzAzLTNGOTgtNDFGQS1BMURELUE2ODg4M0I5ODJGMX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMzEuMC4yOTAzLjUxIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTcwNjg4NTYzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTE3MDg0NDg1NCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU3MjE4MjYzMDIiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5mLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzI2ZDM5ZjliLTAyZTEtNGUyNy04NGUyLWI1NGIyNGRjNjgzZT9QMT0xNzMyNzk2OTk2JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUhhU05iSUFiSCUyZjAlMmZQVG0xYW8lMmJGSW9LdTN5SzBhZmNrYTU4N1g2TEN5S3daTVR4U1ZTNFFIR0hyWFRRUnBUVW9rd3BDMEtWNXFocFl2N2dTMkQyUUV3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTc2NjA3ODI0IiB0b3RhbD0iMTc2NjA3ODI0IiBkb3dubG9hZF90aW1lX21zPSI0ODQ4OSIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU3MjE5ODIzMTQiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NzM2MDUzMjAyIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2MzQxNjYxMTYzIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iNTE2IiBkb3dubG9hZF90aW1lX21zPSI1NTA2NyIgZG93bmxvYWRlZD0iMTc2NjA3ODI0IiB0b3RhbD0iMTc2NjA3ODI0IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI2MDU2MSIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.51\Installer\setup.exe

Filesize
6.6MB

MD5
e8ecc691b6b345c25ea749591911d934

SHA1
b54f8b8ece5c4221c4180edfdef39df38a36ba21

SHA256
e226aafcb47b85afe8962b885921dd982bbeb356ddd1c66e5a6f42be80dd052a

SHA512
9364268b3e7333a6d52e3ab1eedb15c9cee98d5139be0708790275ef05abba12f32c2a39546b4c81f799d7ee662d5f705af9de28b0fca12a64c72ebcccd4f066

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
182KB

MD5
1723c5e707061e59d769c492a95d5083

SHA1
3b535b7a0df2f7a4ab5e531956dad9892adfb5e9

SHA256
e97ab6dc0ed865aa8606f5c113fd62170341d1a3d63d5618f233aea969ec49ab

SHA512
a4e3bd9ec331a27338c123a9a3ae23619fc5a5b80fc9aea38d23d3b82ca015f47669e0f3e1a6f98e7f464e6bc21e92723a04f72805e45e0dfc81540a2d299a8a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
35a79bd6de650d2c0988674344bf698b

SHA1
a0635c38472f8cc0641ceb39c148383619d221dd

SHA256
a79a81da2b8dcbe39609a9e1b4e8c81ae0bc54195c0c854b77bebe7bfa7f10c1

SHA512
afe33d38785afe489845654ba1c3ed6648b36b1ebe5f98b3d5d4bf24eba3af9bb6676af5a79d2ec570bf2b4b6ae40d14fc3d4b872c5d4577aea40f6d1a26c0cf

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
215KB

MD5
c55b37823a672c86bc19099633640eab

SHA1
da5e15d773c794f8b21195e7ad012e0ed1bceb72

SHA256
3df9cd2fecf10e65be13d4b61ca0a9185845f2cb04b872adeaf41ca46af39aa0

SHA512
1252c3fde4aa4ce239103e8df7224afce093a2cbe539bd40347601980a314ea3326ea6ce4c1ebc845c125845969ad65ebca319b9df35a809ef871bad14aaf33d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
262KB

MD5
dd30f3ff486b830211df62d20348f86f

SHA1
08c7d7407dee7ed20b50e8f1a2cb1b08a9282dbf

SHA256
9d57bdc8b97e75f8a04b93a1657dfd18d4e2f68607783c9bca42140233978fa7

SHA512
af3b48ced7018c7edeabdfa998e51356d57c2d7a846c76629fed0ff2e5db8db79041184c58a5a67a10ec627f53af8e3c80bbffacaecf5dae6d989cecb82e72e4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
39ac5a029f87748e964491b97936d890

SHA1
24777aad794a13d0e7381fc6f32f0e1bcdb1ba80

SHA256
ba861524fe648ccb47b7ac57421bb07a6231a7aab5eaea332548511cce6185bc

SHA512
2ecb9b208846f84cd37f37d2100f26358d6c37128efc4010b2e7efc10202dc37b621d0c0138a8b76b23d968da324c685a41b44f4ae30cbbe243581f1904e14c6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_af.dll

Filesize
29KB

MD5
2a9524cf8afae49394379d9d9be69206

SHA1
e43d4146f8abebbb30831fbd39a39846bfb7eeef

SHA256
e5a08731963e681b6386c4e85c16bc98452ebc13c4a7de3ff6979125c609d5f0

SHA512
a0111589960cbdcb10b55c17aa82555e44f0f0f173ebad09de6364881138cb35280596f1de6d86b31044427445575630c22079c3585e34729ce461599b8979b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
1903bc250fc269e79c9f7aada2979aff

SHA1
efbf76b1259217c02c138078c56f36b2cb8543ab

SHA256
228fa3e2fcacc78111a8152d6862de2302c024e81cc8b5e3f16e31caf96cfd04

SHA512
9db527c2e26ef691c089f5d1d010298e0f47e2e0420fba03ed18c7c2793b92c5860240b214b5233dddbc150413a2649e9cf4823239b9831930c2804b143ab538

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
b4c28669b9d4e56b094af6062f4db065

SHA1
4c492c03138c8a796cf0673866892b9e0c2073ec

SHA256
7fe494dd265f99f330b153ef69c51c0541016755ca1876788f7f0ede78f9cedb

SHA512
35941ab6f2dcf5f60824d172f75f9f7b8b93e65c7bd8bc441fc32e49cbb414a68d65a02e3479b096f728b2a34d3e85dfd868e8bf95ff9b1a57d10adc3da0022a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_as.dll

Filesize
29KB

MD5
16b0c8a664626da016a95fb46fdc9c0e

SHA1
c674b635cd8927511825847f3d86a5562b4155d7

SHA256
b059fc9713d3a41e9a83f0d61f8cce29546d3759def0a7b8e162a13915e51255

SHA512
ec39269fbd9e510d10d665c86b8a8161208b74f919e4fd128e365144d71f2b59d3c48c50b8f017b1d30c711ee4f63668f843539957b4643d2a488c9e17290e75

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
bf510bb9b7639af7da969f77620b480f

SHA1
17a6693a5d6aea1f3fa6f34abc46daf558cac645

SHA256
2507da222cf6c6dd608da9b569f89f8e11c47b6e16134c767cdc23b7c1f56bd3

SHA512
6cebe80005cb7759ee4fd8dd9ca41bdd073c01e969e1ebe03cb07616921e50516974019faacc2f9dcaaccdc0044eaae57a6a94f3a4a4ce044a781cd8091478a7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
4b23c7229eb43740744cfbf48c4242ca

SHA1
4938dcf6239e14db53c8f085d3c477905a9986af

SHA256
a7527b867ebc222114b679b2ac542cdc46a75f8bc24e5ca8b7ebc17b7a2963c2

SHA512
4bd8ed0ecacd3f2c69dcd0789ab8ee10dcfd6144b019dd8858c2234bebddfe42c83037fb8e2f934f3320f58796683bed5ab050ba897ba1fa409b6df60f02ec53

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
1e038b27661b303e15a39a55305e86bb

SHA1
35b48fe72d50406063f9145fea64c57f205f0084

SHA256
385665137d0dfee16ed8ef2da5ce28d826d210eb2bde1fa4ef13dac50e4b5364

SHA512
13fcfde6923b38acc2cfa530087d13725a2cabdd2e771d503f4d2f5cff93e8744f142e235dd484244d920d80cb3e7cecbbd731b473f6e509edb39159c51e9465

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
9afe531b6472cf9eb66028e9638584bb

SHA1
6212292867bd59fe376e79988c07f4db8ad26cdc

SHA256
383754fc147dc6ef5f1edd14b60bab6bebf32639dfea718aaa64b2b65ac98812

SHA512
352bec509ccd3ad15a274ddd3ccea43b76eaed885b0e7722235abd95aab8fec1c645722765d76865c1b32ed422a10e6666f220e3abcc5a24268ba94c5cc6b8d8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_bs.dll

Filesize
29KB

MD5
5e06d311c2e24b94f378c4d3b3deb260

SHA1
ef7df63f63746eb197c21694ebb21cfb86c0b2b8

SHA256
d2052450e3a3272b302d80af9f2c46b766153267100bc902dcf03a78ec609b65

SHA512
8d73b5265735aa19116cf41bb8d2bdacde5b22b286a56af58068f9579b631b044c155e625f6e1fda12e505f621f245faebe126c2557dd2ec873d7d980f8ba552

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
30KB

MD5
afdafc9f56401b662f42cef830d92b38

SHA1
b56966370ec07cd676e35d93fad001e0f6b3fb8a

SHA256
03d7a1c0d8810df4b908fcc40c8491df0e3ce19db8ee22e6be79d02fd9df8f72

SHA512
884f9cd99785ea91c5c8e26200bbf0b010ff278b52c5ac590cb73712321a9cdb645e5448bf4cf62622cdb06543b8de4a8e6956a2f6b6677c0b9befb35589d8b0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
15ee7526536790bf77317975896542f9

SHA1
365bc54203b490daa0e24a1c9813d5d99c9de720

SHA256
5e2349af6e02da1c5d18f1b3235fc5099229d2d99e1c5cf2713c21472c151f8e

SHA512
475fd9c0879c8cbc418a66441e3dc026fca983327a95763eddd1537c1f44fdf272d212c69e1b06aad55d91c68379a2beafb2908659d58a61c740731a7d047406

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
8eff4531519a4b768005b9411d4a5f9c

SHA1
59b354e3f32f0a0da8755c27b903803994f4aa31

SHA256
2e9a230a8b8a7fa437a28e2115ebf01178f3209fc0d61eb90160f49c11a16cb0

SHA512
4426ae1e2937e1f6c7364d2f437aeb83d834f9997d28cb1ffb07fe1c448dd954083aa822ff439c886249a387823a23245640a0425dd8c42b75b73912733f11ee

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
11b92ae8fe94c784480d465a37935766

SHA1
f4ead29d4b20c57bb0e4d16a7488784f61a25972

SHA256
571b0cf8b0383e33393b8b8fa79d1632688ffc2bdde794fff62c85f5e1a3f161

SHA512
b636dec2e1d48916d0c83d2fe45eb24d826c027455cf22ec78e013166e59fbdb4780ebe69de3ab4b5730dae03652d253890917f53fc835aa73f9f75b01dc4f23

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_da.dll

Filesize
29KB

MD5
19a7aee0daf68fdc1a24e3228a8bf439

SHA1
1fc6ce227a11245787c80f3932e2c311de2d44bb

SHA256
409cce12be8b7a86313bd1d9e3c6d9154cf0c5735db61d94852a128a746dab99

SHA512
0051119311316d29dbc13ace84c24283aa2eaf1d46459c81ba7b31cc6178b43165618fd7bec17de698b1431ef2b33be179c2c8b1537c1000aadf849e2c888c84

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_de.dll

Filesize
31KB

MD5
ce66ef1a806c21949b75055f81cac760

SHA1
3719e4af114a3c0baceb133d152a02bc6a1fb9f8

SHA256
23f5414d554b96db0b93c7dbe27939d294b8061e56c19ab74d59fe9135e81c8f

SHA512
04d9575c866ac28db490a291be3da41f884d3ceadbc9b7077776ea7deb1819277aadcf9c9e1b5afede3e90bafbcb00e6ef0840166228d153be7e8d8d53975593

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_el.dll

Filesize
31KB

MD5
09cf47260852ff7b2c91c65d127b9314

SHA1
b3d362f3d08f81bd1b719a1c94b54f5f9c9610da

SHA256
eb4344676280f83e6023ddc604ffa42e96eb46e765a216fbc5ecbe49ddb3c920

SHA512
114a21296d8e7e054906139102617e6cd6008337a0877053721553cfed10183f54f890c8071b1cea17bd0b2535589af7aafe5bd1d161886ad7363f89919d7300

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
39dc20ae50a0e2ba9c55dda91256b3cc

SHA1
464139f11db3fd6ae77502b183c4b59f581d6c7a

SHA256
e1891a155be133e6dd82cab3f9437bb7f047f0f80689ca724ca4d1d90d1fef14

SHA512
08b8e19528ff007b904f55872935e0de9e06e7cbcb3f3ed751264e3e20a740b477b55c818bf2b0ed213c4ed9cbaba0c8953c19f427be3e8ab8f50c9c86a74bf4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
894b6ea4b49fa390bd70167a75f3ff7b

SHA1
4f834ef6567d02f28390d63c8ca9fd3c735b2140

SHA256
a8dc2b1e32d8d3d2c321c469eed3329f7661f4fc71d14696f97106b5aa6c532a

SHA512
9b4fcbd07dc7f65c34575aaabb7a517198739f7268133f084b101edf99f0b96387f3f0248de1be5252b2466db0bc59036d40e3990d4264bfab89aa01aace7ea6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
bcafbabbfc8f810220b2ebdbb8a76d19

SHA1
58703c8355f996f2ce8ae5fd1ce4dc29318fd414

SHA256
7fef9c85b5d7dadf344ff39d82794ed252066cceb2b6531be2a45ee3d84844b7

SHA512
b02820c3088ceae9ebf19ede77e3a406483a3dc13c030860d3818e6e8a163e9f54293fd058ec9575c196d12f1465211ab7feff145faf684be6a8cc251d1c0d71

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_es.dll

Filesize
29KB

MD5
3ccb8eab53a0b4c93507bf2adff6ced5

SHA1
25fa2435e97bd0e1cf986a882ce33e68f961c139

SHA256
8bcbd325374a8cc5c1c7ea774382515316473c200baec86a65ae21073fae33b0

SHA512
4f443ded84d74e150a0be3c32edc734ca01298817933a7b1f0e5c5cd93f26987f051c4c306848301e688b9334d134a12bcdcc0ceabe1fcaaca5c4d307c697bfd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
6b03eb5b302e72727977f2431ea7f30d

SHA1
ac5cab93d3c28e46f92d2719638c739c680cc452

SHA256
b5b51fe000e0e0ce42e8dbaf4b8343a5411e2e99440726c747196a02ed736137

SHA512
362e94f79b7726b277cc90c5158d3cc5a0a890bf32e11707f9901233414b3ff22816df78276afa67f0122fc7d6fc2d09dbb1fd8602e3a01f807f93b9423bb463

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_eu.dll

Filesize
29KB

MD5
ed883bbd9e4b3de4db68e356707f3e67

SHA1
e03dde660c15a614442552f8c4d2cc5dd8425fc1

SHA256
168eb27052a559561af3ed650bc170eb471e53f05b9065f0e229672d040ae1c7

SHA512
ae48fe344b2644380e56a95d98aeb0ffeff7ddf0c914f5d14ef518a4d40bb090fee9a7fd30f7178524bcdec1a2d8fc870b4b40d5d8437e3f2577320262236126

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_fa.dll

Filesize
28KB

MD5
ba417f44f7564f1aca70cca9166f3f44

SHA1
d8f064e25038e0076bffcd1a694b58063b7268d7

SHA256
56632098f623cbb58fadddc5c7a889fbc91954f661078501e62517709b8ba703

SHA512
c35ba956e92a2298268bb6ee7a753d6b7f94bdec96118c834f028a0fa45f18b67302b0e20a26d948d1720b04461d3074ae30003bb9028790d9d2d63cb80f4467

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
7f47c9b9bc9488754579935209291c55

SHA1
470e590c6f5263a44b95abbd6d0c158fae326d21

SHA256
f0d8c44d909aed479b3e770b556eb3792c0d3ce247defff953a4dd9f7ce4cc75

SHA512
6f81ddd06f6a1c796bbf21143737bfeed8f9ca0ace82a4de00ccf79d7288586376439e0564f1cb128e5e585eaba122d406af8c3a6e3969efdadfe0cf65c3ed4b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
20134024ed75deda002dc0839b352f84

SHA1
e67bbd13a320d2b4413b283e165385c44a65ea0d

SHA256
425e0834cb73365cf78a233a5b139e1897961e5225e9cc92ab365b3efbe30d76

SHA512
7dbab9a85d852546ab8c30b3452ab8b200874eb3aac0c862bdaf5c90cc882cec11de536851693f8f115706448e3323c66affbdd7e65257395baf24a0208dc537

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_fr-CA.dll

Filesize
30KB

MD5
08b6c8f26644370c6dcbee63e4abf884

SHA1
e4981733831c4d31715cad1749545d21dc29acf2

SHA256
916b52a362fddae79461d1d07ff01fd3bb4f7b8916b263d62572a8ad420946d8

SHA512
31f074e494a372a1b961fa9c053b561bae9e52182866a538a734b7589cad550a42b1d88649262a7d265226288084e5ba65e9e1d6d32ffd9292258a9f65e236a5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
cf3ff14718b5e6125b956d6d9e897196

SHA1
041de2587e03f6c52dba60e9d2459ce33b263eb9

SHA256
d75ece04e40e34beaaf50cce0fef63e52918b5939c9c267fbfd1e6cdcb2a82fa

SHA512
551ed975b1afdc75f464bb742c30f239f9d18aa99bf9140ec0620c938629868b38a952041288244b6e2387748c16546a8fe55a664a9903577b8e484856583ac4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_ga.dll

Filesize
29KB

MD5
3ca8dfe9af49bdde95188002ebd5f227

SHA1
d18d7af889c4d03ea417c09bc56069f3f697c547

SHA256
6577e1a60f0fa340dcb70dcf625c877fc9502d122744782708ede0c53ceb56a5

SHA512
a61ba9baa6d0116b769c4add55aefc99a360bf85be7986ab099a424ff7a39ccee18d946128e74e39283629b52aa14821f36fe338c0e17de29694fff5138590be

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_gd.dll

Filesize
30KB

MD5
d64f47e1971f1e9faba211ca984e550c

SHA1
6f4de57c6f174dd778788b138a9b25cf4725258b

SHA256
75fd1c674a460dcdafbbc1429a4c30c9ac28e58527c6f0797c3706012ec19e00

SHA512
722c9f1e5d27d6ac678ca13aa648aa22aaf1121b835fad5209ce3e482471724cf4920390f51c8df2d31c66898def51ad76b0c119f4de831011b56afead2fef7e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_gl.dll

Filesize
29KB

MD5
31276d0895baff6976c94c549efbb47d

SHA1
4f0fe790cecc28823e6359fb3b78dde13cc17681

SHA256
d3bf99db747f3e6a2d541ecab380244c0a33ceef8655383d54e2daff37dc9a88

SHA512
413958104046b85772d4a32550ae3a7a3a50eb66dc35966554123bd9dd15fc7a76fa7511f6d2ac666d8a205a9b58042f68e2322189c2b34d372db6b180b70da8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_gu.dll

Filesize
29KB

MD5
bb4a1f9374f1c3e0cbc4788a3ce1d4c5

SHA1
30667d6dbaa689db9a08b42acacdf68435dac46e

SHA256
bdbd0882aba924075c40de48fcbbe951ea6a937c0b85541fd6f1fa5701b8e655

SHA512
d0a5260ae123d4698e2f62fdcf97a73aa038b69b200508948185bb5de5f5edb50d6859c9e6e21e84145ceebc144882d0ed5723ce1486e805c26737358ae77504

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_hi.dll

Filesize
29KB

MD5
274c267b7ee544d36698b2db119a6929

SHA1
27377267ddc09060254033c4aa9916a60a254956

SHA256
ac843711f010925cfdd60c396baafc3ead08584ed4b1b3df57b0c975cefd039f

SHA512
f9073912e9c314efe60f36dd9b2bdb4b1475aadde18e82bec971c447293a4f8dce46abe625bb9cec4dc48280fce3cf3d8175054b70b4e440e89a8c072f4a505a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_hr.dll

Filesize
29KB

MD5
ca9abf92edc001d3c0cea4c926bd004c

SHA1
740513a325a5c15376f4b1aea402e9c54155ab33

SHA256
d6d9e064773b121fbf224252ef6c7d64f239d6b5013c119738a8240cc047e346

SHA512
7171143ee05b0e03bc936fbd98d3a37c3763bc244ffd8ae85e3229b85e13ec6262c3111b93b3a067f3d82f5fa6b6f691438c0e148efd14606cdf5a850e474a7c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_hu.dll

Filesize
29KB

MD5
df2764d7bf9bbc6d4e96301c928566b5

SHA1
1f9adfed63fff6cd144515e8a7fbf8c4131d2f65

SHA256
3dcf3b4acc066674418e30239406abf59b85f9a00ba2a0aa7ca33036caee6514

SHA512
8c1eec6d813fe2266f0e03ce72f504f355f720e0112527fd411abd5e7fea05dd4bfa3ee9a878c882c16e8cd30224727eabc5ab38bd85cf146b21547ade988391

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_id.dll

Filesize
28KB

MD5
c80c6530280315158443cd04f89e9169

SHA1
fb87a9ff3696f0acceee6c8f1e4fb40795a8ae7d

SHA256
52957587efb4d995597541656f38e0edcd4545acfd92e3b81cc72578839021de

SHA512
bee22709e362ade03cf385c9b09d321923cc17a9e7c227fef7717da7405ea7bcc63e6f18b5e3e18e9dc19d5b0d9d4cb32c8548d9f16803959eb13b1189df9815

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_is.dll

Filesize
28KB

MD5
28064f47523b575c20fc85733cddf487

SHA1
0c5583888be256c8e09a396e333ad158b5f87553

SHA256
0752855a2e2a69e0f969af6c31102db513dbc390583f07d5df60746721ada58a

SHA512
d96656335024e0228a18148de4d27f354fdc90b62f977042ac20199714ef50bad271a83547d6c6823ec03422a9b598828fdc3b0f1ae81c760a57a2d1f2a543b7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_it.dll

Filesize
30KB

MD5
0da1fde56fc0bf63e17a891e99f559f1

SHA1
131d18d7329be3ff21c78a3921b88e910a3d5a68

SHA256
ba936fcce39c889a3cb41569f18019d99429a13e7dbd909d9d26e540ea650dec

SHA512
67aa088ea8c01b11874537ae59c150645b61072e4f2134719e833ca0c4c3cab835cb9c51bff97582280870227d99cfb72f3a0d2069f2a9a86a7f7dbaf29ad2d2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_iw.dll

Filesize
25KB

MD5
d92167a825c73bd6246483bfa1787c8c

SHA1
0a96d89226f1e694275922e5e2640bca3d7e7020

SHA256
d477fce0f7fbbe9cf86dbfb724e28c617c8c7c5bea664974593fbf0c032e8019

SHA512
12401ac374d3050f9540a3df6fae71ff8466ed3df2bf007b52eaddfea0d549601b5756477c141fd596bd19367ad30a607160957a8ad1818ff34e6da4125e530e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_ja.dll

Filesize
24KB

MD5
0ff69dde83bf61a768bc63870d687747

SHA1
622714cb8eac68b79021800f28f5874aa23176b5

SHA256
3a3a4d24498f0f533a5f5e4f1364e7e2a1f348dac95f649951131185c64d7bc7

SHA512
e1300b6f2dd5df3385c06fb43de5aa246f3f1da942e26b86023663e07b12104f0e74b2749d4ef2dd60cabfc8eadfe5f131a8bb5ba8fffd6374f9cd4635b4bc53

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU26CD.tmp\msedgeupdateres_ka.dll

Filesize
29KB

MD5
67eb1378381ad4d1a450bd26fe51f5e3

SHA1
ae0655d07a4d0b049ed258de646199f9004963ce

SHA256
b2ecba67a708b9fc75fc4574b72218f64517dea1aeb5ac26400ac554903cccf9

SHA512
1da5356bee3e18f9033b81927368eefb8f7a0742f7f02be9ddf0f3f309d9d4f1ceeb640acac341e504d54c0d0939f1da2bac27645adf404ed2ac48a2846a919d

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
ac9cbc3032d43e9c69c3b4d7e6f30e01

SHA1
a0b087b226200aec47c407e2e5ac76184bd272c7

SHA256
01b061ebda03eda74a7a953e05a93f3e56888e5b9e81f0ae4acd1af33d162179

SHA512
fbcf0b38088e720ed2ee4f367bb3267e63906b5ecef44a95c530cb243406ca992dd7f5a23da8b57dc90b645373bf2753bc79b67f8192439738159dcbb41983d3

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3660_1856264592\manifest.fingerprint

Filesize
66B

MD5
5bbd09242392aacbb5fac763f9e3bd4e

SHA1
14bb7b23b459ce30193742ed1901a17b4dcf9645

SHA256
22b55f5d9b1bafb80e00c1304cf5e0d6057a304a2e8757b4f021b416f4397297

SHA512
541e4c7998e91a5113f627c2c44e32b54878fe225b3b9476572f025f51f2b4ec4a44b102498adcc22b8fe388970645bacfafb6e7fc8a216df4d7bbfc8b0ff670

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3660_1856264592\manifest.json

Filesize
76B

MD5
ba25fcf816a017558d3434583e9746b8

SHA1
be05c87f7adf6b21273a4e94b3592618b6a4a624

SHA256
0d664bc422a696452111b9a48e7da9043c03786c8d5401282cff9d77bcc34b11

SHA512
3763bd77675221e323faa5502023dc677c08911a673db038e4108a2d4d71b1a6c0727a65128898bb5dfab275e399f4b7ed19ca2194a8a286e8f9171b3536546f

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
81KB

MD5
57c090d27cfaad608ffaa71d52ec2ce3

SHA1
9f6729e65fdb00ade18cfd0d94672a4d0ffb7d90

SHA256
8fa840cd17a03f2659c6bceb9c4d14e04ea1794f150e5e1b8c54644eddfa24c6

SHA512
e5affc5bddaee6f57f402a9643a411071d328b43d0c2959d1876a28a17820588a4f778e5a5e34e3300c80fb026854538d84f49361a5ed18091c02bebcd6d31e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2b3478d9591eb29523e9af4a72ceee67

SHA1
926a8058109e375e2efcc42b57b2fffac98e6149

SHA256
5ea2075c7781116770babc185182aa634f9f49394c5f415f9e1faea6a1fd6284

SHA512
733942a8dfe3e10675ffff1364aa0b246387acaa27f4c8bfb13d043dcdb5ce82e16d21d8c7aa335afc2cad7735bf64b2c40561ec2a80a1e13a33373974e769b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
855ed24ea6ea577a6e0f81130ee6fc57

SHA1
771301187da57848f9de6ddbb4a75095cf0e0ea5

SHA256
c1f6671ff917318421a007ea110ca5b3cb576cb2bb1e9b462fa6ab1c7fa7d406

SHA512
44f640d425da3242f674e8fe0a9897ff45b47a3b213d1e06c63bea5d3055951560d66677f35b8b922e1eaab8a322054e6046dd216b7672da5676f2f54126a188

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
d61ba4e42ccce3cd3f6c38cd023cd26b

SHA1
1ab764d0ad451eafbc18f1242704c27f6ca34b37

SHA256
de8a5cda6d8b343936815fbe5767587f960257be79befb56888442bc603dde0e

SHA512
666352bcb1941ebd0017fa4445f08389c9533ddf8530d798808b6e7f51c6b1b9bfcff891ea73338dd7ec034edda5200b52535c83e703572eaef124779c4d874b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9522a04d5900967b98580602294ebba4

SHA1
ccbb5ceee6548bdc087b603540e5bd8280e5a41c

SHA256
4608218dd93c6ef66474e50a18e3a9acbbd4e630588cbbdf559013c5c8d6c3a5

SHA512
f8a5e5b5144f475c36b0f417752aa4f60daa8754e2b2c0b94369f60e4465d4327e7e99da002205e645e8844092dd624499174eb27cb96bd60a7dcd7ae71ee628

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a04df2de2456f6c44447ad6b06158660

SHA1
19cc04714f42799519070aab80958ec43a81bd28

SHA256
79086d92d3890de485299c2f0c4600740eaa7717fbc619afce9c670c0e879dcc

SHA512
c36df4ee7e901f884d74cd05f98508f6152f64be4164672394b2b05714a2d3eabb7857d24bf65e478e6f513c708af74ec6da2cfb2d16ba42a28e8c62fa1cb6f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
02f0d81561c3bee3bb73bda3730b7b5f

SHA1
66ad23d7896ff3acb4273f6c99e12aaba3d715ca

SHA256
579d2f8122b3c9f520f9ac63ef5e82997fc1988633697ab9dec5bdb1b9bfdd14

SHA512
7a1efd65b8db2e503d229528e7417e82d7016981d41a60bfd65fc5d2b60b9dc969bfa54f6ae40b45a29f48ab60a26a1caec5e8dbb0b41f6766038a21e0c5aae2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1a6909026f76bff5ab68452551f64aac

SHA1
353fb0c349f4f6af13bdf52b54c4db89ec925254

SHA256
a040c66026b5058a5731a712f18d6b8d8e7d518ad44fd9c182bc5edd5090b038

SHA512
5d7e629ee8bdc27af7b24dfb64bef226e2c6565a7e558522bc6f460e878e4c9ecb097cce92bb8f1bc6b8ffb65d4198986340e08ed5b009bb46c6adf0ea7f7ec1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3c99d5fa989f77d1745538cfdbf16682

SHA1
10ccbd16d7dff4fbe146e8cfabf198a26aafb75b

SHA256
c28ce404180393b4593e317cb8f9ebf2aff5d272b1322facb20c22049a8a3acf

SHA512
93b371db9e41d39734ce4abee32eccd35f006d2fa8a6f73185069f27e57662fbd40b53e50364687e442e4ea8d9372f6b288fbfab30449d195ac2a5efb3c8c18e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
13908cf5eb0c3f70437b469244b2e0cc

SHA1
92a7a9e8c2b0f765e61fb9d8f6cee9631688da4b

SHA256
fa4ed8cefdbc026a45d483406572635448c5c0f1887694e96dbeaa9ad21e44bc

SHA512
2a193cbd3bf8e97d0048dd0dc0193de35c3b4fc59853f4dd0177c7d91f3b6671ec352279b3b443c230080916c614b49a581a24169cabf4f67603969bb28ada25

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4878766bff5389d9b28cc26d759aa54e

SHA1
e6c93ef2bbd0c83a2b8304af3828df8f38fbccf8

SHA256
022fd0424a875debc9348781a28bf47d015cc3055db44bed666bb73a3fa1a1ff

SHA512
982bb7a1a72ff2e4a61bb525c9d33acc402fb02a3e7dc16fac5bef71158e983b65cbd4373aabb32296c6c5fa7b2ed292c089d6570353c1dfd759522e0c630882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
82b14d3ae2a41cb35791ae92f155e913

SHA1
a4270744dcd4bb37b3ff737cd360848fa6e68c1e

SHA256
47c6ef19d47b80cb50fcc79a343bf647bdfdf9bbbd5a6145753f2bc9e5b90169

SHA512
1c56683fcd6fd9f80e5caa0243907911fe795b6e721e884992cbf2ac1a764014c74d6fd2acdef27581fe9b575cf83725a0d62111fe576e209dbcdac9f7767dbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
351ba4871aa201b5c0105754e4dc61da

SHA1
03a4b1a62c87885b91aa53fc81d08fe9f0b3d6bc

SHA256
2c582582b9afd4771af1ee304034069913b964f692d9ae5abe78e86d26eef61b

SHA512
1e68126fe2819e688894344fcb7e3babf5b9857d14fcd20bb624931b52023f99b54b3b699da2b57b8d0ff0de54954ad7b877f51b3f5e4a639f6c7459853cd861

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1665dbefb3068f8e468742fc54415f78

SHA1
3d22632df32665aad64e88261baf3a6c24c0e184

SHA256
8151f03e9b4ad641ca18c62bd904b5c4a072668a1bcaca84959d0a7080cf4cb4

SHA512
900c02dc17452419cee65f97a14f3e0bbf8b4c71cdbc68694d9e8822daafbda513d67ee90ad8ed50d3e65c2d0260ca7fa72f47a2ad78d754bb69cd434132b72c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e74dd7733b50d1a7b615161c3d93f52f

SHA1
c05d19985ca1fe7e920a4e57bffff5035bbf2d57

SHA256
ab0c1d361762b7d2a46d3574a150c257e809a99d348217d7a761a961c5bc6b5f

SHA512
09afcc0d45b2192a7bc5ddd7068c7743c124405c1cae31c5e2cf4197f2be4571b82b9845ff75e5359b8bdaf6e1bac2f3777904441fa415fa730c96834b823257

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
02e4b1bd2acf90cb24b52e9bce6fdf8c

SHA1
f07fc087432298b4a758498110e1e0d9593abd65

SHA256
bb5b7c7bf468c4f7987ae5f733d67869d73d03ae9e83b33bf0f9aa28333dd99e

SHA512
f0aa51a4a47fc2e9d44754a6b4b5f7495bbcd068ad507e5dd361a448cd5e9384c1a46b7e96a281d27bf5b72f89ad28a9f598581651c05baa643debc4d82e64fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
598473967412c7a0758c38fb18ed5dbe

SHA1
50b20c4aa37fd7217a9715f1f1ebe3a29993f54f

SHA256
72d24f1cab3465a3ee79b4de6216523a5e9d919be5040233e3f54de74ba5ce7f

SHA512
42ba20c4c39ed02edaa670b4424d442f653d102a2b8af5a8b86a451f0af2610a6e72f26efd0559e4d5081cf7a7abcdb257b2a47f22fad900c61f209d0e25f273

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
146da52b213569101b19a3eda66b5c5f

SHA1
7838bde74939e2884db2ffbec0668c3b25a1641f

SHA256
637f644894a79add3e151cb9504a0f89fb3b69fe64a2ab12180aff6fabed208c

SHA512
64435f540b56ce7c6b36640bc8cbc4a82f4682dfd85e700e56e40810e67b61c26021aa506440720fd189162d6402921bfdc2a27ab207590a71dc4b9c39caa7ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
61cd25654ce065939e6422ecd798bae0

SHA1
39f9d9176c591047b7f16c105ca04dd80492407a

SHA256
df4b22c0e2e3de2cba619a1a565731959c1b1784396cca371f26698707970f8e

SHA512
3ddd087b9d793b5be5372dc0c11d805262f35edce609443b546a5e65b521121721d5c55a614a9478d62dbf14518ea17033105017bf1d9edefc44e8eba8002c44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c6ae341045721cb7bef72a9819ef2713

SHA1
85d83318b3cec215084a53dfb2cf9a3e0594d30c

SHA256
d8a1c75fbd1d4f49e2b9d68c2f08aed7111b3d48094ff885b6ee5764d9d3235e

SHA512
5e81a44edd01057afa5cb125f3eeb33f13e57e3c8fa8fae98b84e4b7ea2f73b9ba30858d5ef99e8c842c9f424156fb1f06be203e2a92ae6fd98b7c892c159d5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
f024e4bfd58811d9b5e4183aab8dea39

SHA1
b9ec9a947cbb5d3bfd14f61d62eb7fc3feae9edb

SHA256
85b6cf3b597fcfca512b58d14159dc2d8b62f457c4af393968a659302548e2a8

SHA512
e4e671cca42289d3dad869d3afd39ba0335f546ebea2b3f54ca58f5ee1ebffaac6d03af0e36dfce93cbd841451842bf9fb57d3ef38ae60d71b5a41f3944b0189

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
fbb14f7507da57d2cce9e7b2364e031b

SHA1
c42921d35df9da6b236d2c8c4505b89620870bb8

SHA256
0f1de51c5d346f65e674f98bf4eaf3b7dcc3ada78cdcc3a60f634710d00c57a3

SHA512
df9ae628ac350913262059df78693a204d1612d5aa009322044217c49c61e3c67a2bf5d33e75eaec32eaf539784073b03e4c61935b6422a57107dd5284742ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe

Filesize
1.6MB

MD5
431a51d6443439e7c3063c36e18e87d6

SHA1
5d704eb554c78f13b7a07c90e14d65f74b590e3a

SHA256
726732c59f91424e8fb9280c1e773e1db72c8607ad110113bc62c67c452154a6

SHA512
495d60ad05d1fadb2abd827d778fe94132e5bfc2ae5355e03f2551cd7a879acf50cc0526990e4ccde93bf4eff65f07953035b93cc435f743001f21b017cbfdfd

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
b4860768d9c4bf177e47c33fca2b451f

SHA1
86bf6c4c157080edc17dc817c2036694c9e9ebda

SHA256
27705261cadcafa688021b857999e638536c71d8e9541c5c633ee8a98825e515

SHA512
4b4016742f80bfff7644bb2c086f3aae8ea289e3593352d152af37b3fd86c72cc286ed9c3358961e12f0106d33e60fb65863a80da4ec9f4912c946af9dd5847f

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Default\928e4378-5ae6-450c-a9be-d17204154271.tmp

Filesize
6KB

MD5
336b3f1b802aa0e94b6e1f63a30f0c68

SHA1
b707e1055b2d58ffb05127693c2558cb996fb05f

SHA256
8f33af454dc3c90080d100bc8473822c32e9ba700f2cb32fda8cc7c92827c512

SHA512
4c16b70bf79f35bc0bf059293af1684475f4ed9499332684cbef5f4a9be9791fdd0c7508e199963db5f6907d6ab84f2afe974e6b1fdbc4788b421207e654c34a

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
9da50f2bd768048a83acc478af142473

SHA1
d1bb800cf39c8e31e20474d4e584c79f9b61bb4d

SHA256
c2ec700bc397c948bd78df7e39690b5f1a972ac4018f0eeab49fbc1c65f7ffdc

SHA512
4b5b63406f3d221684a1b93f93db70fdb46b0852b4ab1385f2da102279474160e02efaa00d81f60b982ae4ff4704e4918e5aa4e0cc6597b8af4e2704a06e28d0

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
80d47c13b4a19a0166bf8a29813d6170

SHA1
41b8006ab579c0111e56ca3f8d44f17a38bd7160

SHA256
bb17bcab698f237a71aa8433fc29b7936046fad15224f342f23d5cac027e716e

SHA512
a342e2b9e9b1a2dc60b4893fb2741a01ae5f5422ca0825e096e273b4e688f1625f482480d65233952956ee19b23d7514b29847b46e4c9576349b7d5ca43e4c56

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Default\Extension Scripts\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Default\Extension Scripts\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Default\Network\Network Persistent State

Filesize
1KB

MD5
2aa4312b624766ccd6322da43e721497

SHA1
759eddf4127bf0098c962da1dcf518a2f48146ca

SHA256
9bdfa0d3c1f39b87c37fa63a44cebf7ea6c041305326954af5d7426c4fd2a438

SHA512
25959c63b29a219bc9c6bcdde4a5658db1444fb7fb022d9982b9b006f97a52d192220c6af5c5318fbd9249e46f64b39387f63d9a7022cf5fce9c982d8dd7f29d

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Default\Network\Network Persistent State~RFe5b1663.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\GrShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\GrShaderCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\GrShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\GrShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Local State

Filesize
1KB

MD5
af9011f0074b72a9a0950e16dbdc76c8

SHA1
c12fcce944ee7b5e95b75d2c28d61162b3afa60c

SHA256
45fa9d413fbdcd4ac63e727a1632f1a8687b134b1582985b6d1e2259c92413cc

SHA512
a57246171d32d9acc40d2cd18560c8ed631c346f899d656d99f8a9acb13dac7ead81838d44da88c4d7278fcdfcb1613cd0c1d59c4534bf95942a6cb29cdcb009

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Local State

Filesize
2KB

MD5
46863b40e78175be82904fd4712e914a

SHA1
f0d2d57ba1bc8989a2353462881fd25e9bf78fa5

SHA256
0b4c8d4a84bf0b3751b4f2864ee40583acbb5e0b7cc9ac2259a962308cb67152

SHA512
8aff877e4eed953c655e265de18f214bb1d0168899c68a01d687cff17bd88392d7078817748b7166b508fb3e0883d802dd052cb692e6ee9b4541bcfac46a4ae5

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Local State

Filesize
3KB

MD5
eed2ffc62b8e9dc6326341a686993e29

SHA1
0c474121f39e3602b2d6390a4af5ade3ea47e06d

SHA256
21dcddf5e0dbe654d61ffc72b0759400bc215f68ce37106cfcbb6aeda341da7a

SHA512
c20dfd64932157ddff99d66d326f3f5719d361543aa9ce26a151d4bedaddbee7ea35ce3a9eb3a3988d9030fd8eba7edfa091b2d49762e200fe000ab4bad7f8c8

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Local State

Filesize
16KB

MD5
81d347570e86ede9d282da8d3e789ee0

SHA1
a826fb1fa7ca1210ba4ddff513a23a875ffdb43f

SHA256
b09d63af7570cfa639fe6c3040f244103d8a110429c675001f243ba07ccc1d06

SHA512
c2abb586fef8ec99aac9912a2b5701aeaaff7ca4b5a8d000e50896021921e85e1f393ffd0e276633f60089282e0284f0cb2f2dd399817e846df2f99bd02657b0

Download Submit
C:\Users\Admin\AppData\Roaming\Luna.exe\EBWebView\Local State~RFe5a0253.TMP

Filesize
1KB

MD5
45e9ba602f407513cdefc5fb739e9d92

SHA1
21286176cc65010cbaeae1cda9a1d58e6cc29ba7

SHA256
a3e5873f406eb118f2be1c24cbe1a860b5447d9a658e446f63e72de273b8c33e

SHA512
315bbaa9b762fdfd506ce16f47c2ff9930c4c4cfe50a8a411fbf1e2795a5d60c534856538c58e5232813d7f747934ca91ac61c061b1658d40494451f4c414a5d

Download Submit
C:\Users\Admin\Downloads\Bootstrapper.zip.crdownload

Filesize
5.5MB

MD5
9ba94ac44294258328b5b23e6fbcaf4a

SHA1
3ef50da71c5800f02680733b184bb11bb0ca309b

SHA256
a9e76b770fb8a61f793a61ca6701e1f76ea95282d5a3647d8dfccf1b560f401a

SHA512
52e3118e8e40d621275d0ce3157138bb0e9a4d56c1c570666930de60e46e8050af8e0c377aea2e5ccee2ff78c427576bd4954226a0f800eac6cabbaa70f267ce

Download Submit
C:\Users\Admin\Downloads\Bootstrapper\Luna\Bootstrapper.exe

Filesize
9.4MB

MD5
f2a6133b7f38fc49f792ae799d1b4750

SHA1
6bef46ddde325f45a0e9ff123112c96bbd47c795

SHA256
37bde6655e1272e159b9c2e3a7eee3f4e9a837c0f04240645d3991d112287f8d

SHA512
f9611bed83b4bce1841868880a42dacb6b8f7e8859be1d85b3c8d3a365a0244566cbfb12294c7b2c82b15d6c0e47095d8246a95d522c3a064a0d8511b2411254

Download Submit
C:\Users\Admin\Downloads\Bootstrapper\Luna\luna\Luna.dll

Filesize
1.4MB

MD5
d3418af778a91c134b8361c10fd16be4

SHA1
1654ab09bcc1ef4d168088518adc165e0c6469a4

SHA256
d21975e541c3838d2f83bf6faf360d7a7417da2106a610489a768b382ad3b91a

SHA512
128e8741bbe08bb90185d0c1c352572757e2848773ec39f21c8744ce4eb0bf9095ade326174f9164e94f568a00714be8bedc197f36a46c6fb16a880f2c6f9c8d

Download Submit
C:\Users\Admin\Downloads\Bootstrapper\Luna\luna\Luna.exe

Filesize
16.2MB

MD5
bffd87503832012f3feaa2b358e3b28d

SHA1
fc7e4208b1921292399b63d007b20dd89055c388

SHA256
7c2751f93d3c65548bb07ca0ab17ea7501901b857c5b661b43aa15b74b5f25e7

SHA512
788e35a4c2d30ead2cd5cc72b162ad47e786d69b2b93a0a4ce8e3c00c39a2f65542b5a9d33aaf1305045b440f436e49c969f28f3ac17cd43207e25e66508d3b9

Download Submit
memory/868-514-0x00007FFA9A270000-0x00007FFA9A271000-memory.dmp

Filesize
4KB

Download
memory/3444-428-0x00007FFA9A270000-0x00007FFA9A271000-memory.dmp

Filesize
4KB

Download
memory/4376-462-0x00007FFA99320000-0x00007FFA99321000-memory.dmp

Filesize
4KB

Download
memory/4376-469-0x00007FFA98C30000-0x00007FFA98C31000-memory.dmp

Filesize
4KB

Download
memory/5052-408-0x0000000000ED0000-0x0000000000F05000-memory.dmp

Filesize
212KB

Download
memory/5052-267-0x0000000000ED0000-0x0000000000F05000-memory.dmp

Filesize
212KB

Download
memory/5052-298-0x00000000751B0000-0x00000000753D6000-memory.dmp

Filesize
2.1MB

Download
memory/5052-268-0x00000000751B0000-0x00000000753D6000-memory.dmp

Filesize
2.1MB

Download