Analysis
max time kernel: 1500s
max time network: 1502s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 26/12/2024, 06:31

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: Nihon.exe
Resource: win11-20241007-en
General
Target: Nihon.exe
Size: 40.8MB
MD5: 9e01ac23fff3eca3263ed72049e1c57d
SHA1: a1b2f23d5d1ceaa5e4658baf852fffc938fdea12
SHA256: 255813551f03695ed2cbec4064656444fdfa41ab46c6876659b48170b5c3b4a6
SHA512: 7424f5815ca9eef7d24fa40d5343ab7fe59d7c9d4f2c3ae915df2e23f1ecaca148d5085878c6386649246bc5610d9363cfbd8078bad6026b6db0412fc9bd5360
SSDEEP: 393216:qQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgj96l+ZArYsFRlLIV:q3on1HvSzxAMNjFZArYsQjVA/Wy0
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\131.0.2903.112\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" | setup.exe
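The entry above is Edge's own component (a StubPath under Program Files (x86), Version 43,0,0,0, IsInstalled 1), which is what a legitimate Active Setup record looks like; the same mechanism runs any StubPath once per user at logon, and an attacker only has to add a key of the same shape. As an added example that is not part of the sandbox report, the PowerShell below enumerates every Installed Components entry in HKLM (64-bit and WOW6432Node views), checks whether the stub binary lives in a trusted directory and still exists, and uses the HKCU copy of the key to tell which entries have not yet run for the current user. The trusted-directory list and the string comparison of Version are simplifications assumed here.

```powershell
# Added example: hunt Active Setup persistence entries. Not part of the sandbox report.
# Requires read access to HKLM and HKCU; run in the context of the user you are checking.

function Get-ActiveSetupComponent {
    $machineRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
    )
    $userRoot = 'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'

    # Assumption: a legitimate StubPath lives under Program Files or the Windows directory.
    # Stubs in the user profile, %TEMP% or ProgramData deserve a closer look.
    $trustedDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }

    foreach ($root in $machineRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath
            if (-not $p.StubPath) { continue }      # no StubPath: nothing runs at logon

            # Pull the executable out of a possibly quoted command line. Bare names such as
            # rundll32.exe are reported as missing here; resolve them with Get-Command if needed.
            $exe = if ($p.StubPath -match '^\s*"([^"]+)"') { $Matches[1] } else { ($p.StubPath -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $trusted = [bool]($trustedDirs | Where-Object { $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })

            # Active Setup runs the stub once per user: a missing HKCU copy, or one with a
            # different Version, means it runs again at this user's next logon.
            # (Windows compares the comma-separated Version numerically; string inequality
            # is used here as a simplification.)
            $userKey = Join-Path $userRoot $key.PSChildName
            $userVersion = if (Test-Path -LiteralPath $userKey) { (Get-ItemProperty -LiteralPath $userKey).Version } else { $null }
            $installed = ($null -eq $p.IsInstalled) -or ($p.IsInstalled -ne 0)   # missing IsInstalled means enabled

            [pscustomobject]@{
                Component       = $key.PSChildName
                Name            = $p.'(default)'
                Version         = $p.Version
                StubPath        = $p.StubPath
                Executable      = $exe
                ExeExists       = Test-Path -LiteralPath $exe
                TrustedDir      = $trusted
                RunsAtNextLogon = $installed -and ($userVersion -ne $p.Version)
            }
        }
    }
}

# Show only what needs a look: stubs outside trusted directories, stubs whose binary is
# gone (possible cleanup after use), and stubs that are still pending for this user.
Get-ActiveSetupComponent |
    Where-Object { -not $_.TrustedDir -or -not $_.ExeExists -or $_.RunsAtNextLogon } |
    Format-Table Component, Name, Version, Executable, TrustedDir, ExeExists, RunsAtNextLogon -AutoSize
```

On a host where Edge was installed system-wide the Edge component above shows up as trusted and, after the first logon, no longer pending; the entries worth time are the ones in the filtered output, and the HKCU Version should be compared against the HKLM value for the specific user whose logon triggered the activity.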
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
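The four writes above set DisableExceptionChainValidation to 0 under Image File Execution Options\MicrosoftEdgeUpdate.exe. That value controls Structured Exception Handler Overwrite Protection (SEHOP) for the named image and does not redirect execution, so the signature fires on the IFEO key being touched rather than on a hijack. The values that do hijack execution under IFEO are Debugger (Windows launches the named program in place of the target and passes the target's command line to it) and GlobalFlag bit 0x200 combined with a MonitorProcess value under SilentProcessExit\<image> (the named program is launched when the target exits). As an added example that is not part of the report, the PowerShell below lists only those entries and checks whether the configured binary exists and carries a valid Authenticode signature.

```powershell
# Added example: list IFEO entries that redirect or instrument execution. Not part of the report.

function Resolve-CommandExe {
    # Turn a command string such as '"C:\x\dbg.exe" -p' or 'ntsd -d' into a full path, or $null.
    param([string]$Command)
    $name = if ($Command -match '^\s*"([^"]+)"') { $Matches[1] } else { ($Command -split '\s+')[0] }
    $name = [Environment]::ExpandEnvironmentVariables($name)
    if (Test-Path -LiteralPath $name) { return (Resolve-Path -LiteralPath $name).Path }
    $cmd = Get-Command $name -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($cmd) { return $cmd.Source }
    return $null
}

function Get-IfeoHijack {
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    $spe  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit'

    foreach ($key in Get-ChildItem -LiteralPath $ifeo) {
        $target = $key.PSChildName
        $p = Get-ItemProperty -LiteralPath $key.PSPath
        $hits = @()

        # Debugger: Windows starts this program instead of $target and hands it the
        # original command line. DisableExceptionChainValidation (seen in the report) is
        # deliberately not treated as a hit.
        if ($p.Debugger) { $hits += @{ Kind = 'Debugger'; Command = $p.Debugger; ReportingMode = $null } }

        # GlobalFlag bit 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) plus a MonitorProcess value
        # under SilentProcessExit\<target> starts that program whenever $target exits;
        # ReportingMode selects the action (1 = launch the monitor process).
        $speKey = Join-Path $spe $target
        if (($p.GlobalFlag -band 0x200) -and (Test-Path -LiteralPath $speKey)) {
            $s = Get-ItemProperty -LiteralPath $speKey
            if ($s.MonitorProcess) {
                $hits += @{ Kind = 'SilentProcessExit'; Command = $s.MonitorProcess; ReportingMode = $s.ReportingMode }
            }
        }

        foreach ($h in $hits) {
            $exe = Resolve-CommandExe $h.Command
            $sig = if ($exe) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'FileNotFound' }
            [pscustomobject]@{
                Target        = $target
                Kind          = $h.Kind
                Command       = $h.Command
                Executable    = $exe
                Signature     = $sig
                ReportingMode = $h.ReportingMode
            }
        }
    }
}

Get-IfeoHijack | Format-Table -AutoSize
```

Legitimate uses exist (gflags and other developer tooling, or a security product that instruments a process), so check the signer and how the entry got there before calling it persistence; an unsigned or missing Executable on a widely launched Target such as a browser or a system binary is the case to escalate.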
Uses browser remote debugging 2 TTPs 1 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies.
pid | Process
3320 | chrome.exe
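The report attributes this to chrome.exe (PID 3320) without showing its command line. What makes a browser started with remote debugging dangerous is that the DevTools protocol on the local port hands out cookies and lets the caller drive already authenticated sessions, so the encrypted cookie database never has to be touched. As an added example that is not part of the report, the PowerShell below finds Chromium-based browser processes started with remote-debugging switches, reports which process started them and which port they are listening on, and checks for the DevToolsActivePort file a debugging-enabled browser writes into its profile directory. The browser name list and the profile paths are assumptions.

```powershell
# Added example: detect Chromium browsers exposing the DevTools remote-debugging interface.
# Not part of the sandbox report. Assumes the browser names and profile paths listed below.

function Get-BrowserRemoteDebugging {
    $browsers = 'chrome.exe', 'msedge.exe', 'brave.exe', 'opera.exe', 'vivaldi.exe'
    $switches = '--remote-debugging-port=|--remote-debugging-pipe|--remote-allow-origins='

    foreach ($proc in Get-CimInstance Win32_Process) {
        if ($browsers -notcontains $proc.Name) { continue }
        if (-not $proc.CommandLine -or $proc.CommandLine -notmatch $switches) { continue }

        $port = if ($proc.CommandLine -match '--remote-debugging-port=(\d+)') { [int]$Matches[1] } else { $null }
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        $parentDesc = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<exited> ($($proc.ParentProcessId))" }
        $userDataDir = '<default>'
        if ($proc.CommandLine -match '--user-data-dir=(?:"([^"]+)"|(\S+))') {
            $userDataDir = if ($Matches[1]) { $Matches[1] } else { $Matches[2] }
        }
        # Port 0 lets Chromium pick one; ask the TCP table what is really listening.
        $listening = Get-NetTCPConnection -State Listen -OwningProcess $proc.ProcessId -ErrorAction SilentlyContinue |
                     Select-Object -ExpandProperty LocalPort -Unique

        [pscustomobject]@{
            Pid            = $proc.ProcessId
            Name           = $proc.Name
            Parent         = $parentDesc           # the interesting part: who launched the browser this way
            Headless       = ($proc.CommandLine -match '--headless')
            RequestedPort  = $port
            ListeningPorts = ($listening -join ',')
            UserDataDir    = $userDataDir          # a copied or temporary profile is a common stealer pattern
            CommandLine    = $proc.CommandLine
        }
    }
}

function Get-DevToolsActivePortFile {
    # Chromium writes DevToolsActivePort into the profile directory while remote debugging is on
    # (line 1: port, line 2: browser target path). A recently written file without a matching
    # browser process still says something ran the browser in debug mode.
    $profiles = @(
        (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'),
        (Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'),
        (Join-Path $env:LOCALAPPDATA 'BraveSoftware\Brave-Browser\User Data')
    )
    foreach ($dir in $profiles) {
        $f = Join-Path $dir 'DevToolsActivePort'
        if (Test-Path -LiteralPath $f) {
            $lines = @(Get-Content -LiteralPath $f)
            [pscustomobject]@{ Profile = $dir; Port = $lines[0]; Target = $lines[1]; Written = (Get-Item -LiteralPath $f).LastWriteTime }
        }
    }
}

Get-BrowserRemoteDebugging | Format-List
Get-DevToolsActivePortFile | Format-Table -AutoSize
```

Headless plus a remote-debugging switch plus a parent that is not explorer.exe or the user's shell is the combination to alert on; a developer running chromedriver produces the same switches, so the parent process is what separates the two.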
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 46 IoCs
pid Process 4500 appb.exe 6004 RobloxPlayerInstaller (1).exe 3968 MicrosoftEdgeWebview2Setup.exe 4692 MicrosoftEdgeUpdate.exe 3452 MicrosoftEdgeUpdate.exe 1948 MicrosoftEdgeUpdate.exe 5352 MicrosoftEdgeUpdateComRegisterShell64.exe 3916 MicrosoftEdgeUpdateComRegisterShell64.exe 2916 MicrosoftEdgeUpdateComRegisterShell64.exe 6140 MicrosoftEdgeUpdate.exe 2328 MicrosoftEdgeUpdate.exe 4916 MicrosoftEdgeUpdate.exe 5484 MicrosoftEdgeUpdate.exe 4716 MicrosoftEdge_X64_131.0.2903.112.exe 1544 setup.exe 6060 setup.exe 1968 MicrosoftEdgeUpdate.exe 128 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4884 MicrosoftEdgeUpdate.exe 5332 MicrosoftEdgeUpdate.exe 5336 MicrosoftEdgeUpdateSetup_X86_1.3.195.43.exe 3068 MicrosoftEdgeUpdate.exe 3356 MicrosoftEdgeUpdate.exe 4220 MicrosoftEdgeUpdate.exe 3488 MicrosoftEdgeUpdate.exe 1396 MicrosoftEdgeUpdateComRegisterShell64.exe 3256 MicrosoftEdgeUpdateComRegisterShell64.exe 1220 MicrosoftEdgeUpdateComRegisterShell64.exe 5288 MicrosoftEdgeUpdate.exe 1968 MicrosoftEdgeUpdate.exe 4856 MicrosoftEdgeUpdate.exe 1048 MicrosoftEdgeUpdate.exe 5916 MicrosoftEdge_X64_131.0.2903.112.exe 2232 setup.exe 1116 setup.exe 5512 setup.exe 2512 setup.exe 5472 setup.exe 5544 setup.exe 752 setup.exe 6040 setup.exe 2660 setup.exe 3148 setup.exe 2588 MicrosoftEdgeUpdate.exe -
Loads dropped DLL 45 IoCs
pid Process 2896 Nihon.exe 948 Nihon.exe 2932 Nihon.exe 5936 Nihon.exe 644 Felk.exe 4692 MicrosoftEdgeUpdate.exe 3452 MicrosoftEdgeUpdate.exe 1948 MicrosoftEdgeUpdate.exe 5352 MicrosoftEdgeUpdateComRegisterShell64.exe 1948 MicrosoftEdgeUpdate.exe 3916 MicrosoftEdgeUpdateComRegisterShell64.exe 1948 MicrosoftEdgeUpdate.exe 2916 MicrosoftEdgeUpdateComRegisterShell64.exe 1948 MicrosoftEdgeUpdate.exe 6140 MicrosoftEdgeUpdate.exe 2328 MicrosoftEdgeUpdate.exe 4916 MicrosoftEdgeUpdate.exe 4916 MicrosoftEdgeUpdate.exe 2328 MicrosoftEdgeUpdate.exe 5484 MicrosoftEdgeUpdate.exe 1968 MicrosoftEdgeUpdate.exe 128 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4884 MicrosoftEdgeUpdate.exe 5332 MicrosoftEdgeUpdate.exe 5332 MicrosoftEdgeUpdate.exe 4884 MicrosoftEdgeUpdate.exe 3068 MicrosoftEdgeUpdate.exe 3356 MicrosoftEdgeUpdate.exe 4220 MicrosoftEdgeUpdate.exe 3488 MicrosoftEdgeUpdate.exe 1396 MicrosoftEdgeUpdateComRegisterShell64.exe 3488 MicrosoftEdgeUpdate.exe 3256 MicrosoftEdgeUpdateComRegisterShell64.exe 3488 MicrosoftEdgeUpdate.exe 1220 MicrosoftEdgeUpdateComRegisterShell64.exe 3488 MicrosoftEdgeUpdate.exe 5288 MicrosoftEdgeUpdate.exe 1968 MicrosoftEdgeUpdate.exe 4856 MicrosoftEdgeUpdate.exe 4856 MicrosoftEdgeUpdate.exe 1968 MicrosoftEdgeUpdate.exe 1048 MicrosoftEdgeUpdate.exe 2588 MicrosoftEdgeUpdate.exe -
Obfuscated with Agile.Net obfuscator 1 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
resource yara_rule behavioral1/memory/644-997-0x00000295FC330000-0x00000295FC57C000-memory.dmp agile_net -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RobloxPlayerInstaller (1).exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | setup.exe
Checks system information in the registry 2 TTPs 24 IoCs
System information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe -
Drops file in System32 directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk | setup.exe
Suspicious use of NtCreateThreadExHideFromDebugger 3 IoCs
pid | Process
128 | RobloxPlayerBeta.exe
2468 | RobloxPlayerBeta.exe
4800 | RobloxPlayerBeta.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 63 IoCs
pid Process 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 128 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 2468 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe 4800 RobloxPlayerBeta.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\AnimationEditor\img_eventMarker_min.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\AnimationEditor\img_key_selected_border.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\LayeredClothingEditor\Default_Preview_Clothing.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\MenuBar\dropdown-arrow.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\ExtraContent\textures\ui\LuaChatV2\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Microsoft\Temp\EU97AD.tmp\MicrosoftEdgeUpdateOnDemand.exe MicrosoftEdgeUpdateSetup_X86_1.3.195.43.exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\avatar\heads\headD.mesh RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\models\RigBuilder\AnthroRigs.rbxm RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\fonts\families\Roboto.json RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\Settings\Players\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\Controls\PlayStationController\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\configs\DateTimeLocaleConfigs\zh-hans.json RobloxPlayerInstaller (1).exe File created C:\Program Files 
(x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\MaterialManager\Favorite-Filled-Alt.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\Controls\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\Controls\PlayStationController\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\mip_core.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\notification_helper.exe setup.exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\PurchasePrompt\LoadingBG.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\Vehicle\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\VoiceChat\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\VoiceChat\Misc\[email protected] RobloxPlayerInstaller (1).exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\msedgewebview2.exe.sig setup.exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\RoactStudioWidgets\toggle_on_dark.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\Emotes\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\ErrorPrompt\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files 
(x86)\Roblox\Versions\version-b71c150c7c1f40de\ExtraContent\textures\ui\LuaApp\graphic\ph-avatar-portrait.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\VoiceChat\RedSpeakerDark\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\VoiceChat\RedSpeakerDark\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\VR\hamburger.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\UserInputPlaybackPlugin\ArrowCursor.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\avatar\compositing\CompositFullAtlasBaseTexture.mesh RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\AnimationEditor\RoundedBackground.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\GameSettings\zoom.PNG RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\Settings\Slider\SelectedBarRight.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\api-ms-win-crt-runtime-l1-1-0.dll RobloxPlayerInstaller (1).exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\identity_proxy\beta.identity_helper.exe.manifest setup.exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\sky\cloudDetail3D.dds RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\TerrainEditor\volcano.png RobloxPlayerInstaller 
(1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\ExtraContent\textures\ui\AvatarExperience\PPEWidgetBackgroundDarkTheme.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\ExtraContent\textures\ui\LuaApp\icons\ic-blue-dot.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\TextureViewer\confirm.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\da7ca581-03f5-4c04-affd-4f1611bfbc14.tmp setup.exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\LegacyRbxGui\Granite .png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\VR\Radial\SliceActive.png RobloxPlayerInstaller (1).exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.112\Locales\nl.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4499A5CC-4D88-4BC4-A173-BD4B33EEBD65}\EDGEMITMP_F2D70.tmp\setup.exe MicrosoftEdge_X64_131.0.2903.112.exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\shaders\shaders_d3d11.pack RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\Cursors\Gamepad\Pointer.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\DeveloperInspector\Close.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\particles\SquareParticle.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\VRStatus\ok.png RobloxPlayerInstaller (1).exe File created C:\Program Files 
(x86)\Roblox\Versions\version-b71c150c7c1f40de\ExtraContent\textures\ui\LuaChat\icons\ic-add-friends.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\configs\DateTimeLocaleConfigs\de-de.json RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\LayeredClothingEditor\WorkspaceIcons\Center Camera to Mannequin.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\StudioSharedUI\packages.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\PlayerList\UnFriend.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\msvcp140_2.dll RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\COPYRIGHT.txt RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\Settings\DropDown\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\Settings\MenuBarAssets\MenuBackground.png RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\VoiceChat\MicLight\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\VoiceChat\SpeakerNew\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\Emotes\Large\[email protected] RobloxPlayerInstaller (1).exe File created C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\content\textures\ui\InspectMenu\[email protected] RobloxPlayerInstaller 
(1).exe -
Drops file in Windows directory 48 IoCs
description ioc Process File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File created C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File created C:\Windows\SystemTemp\3045a690-f7a0-4aa1-8195-68f2851539d1.tmp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp chrome.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp chrome.exe File created C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification 
C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\metadata setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp setup.exe File opened for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat setup.exe File opened for modification C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Windows\SystemTemp chrome.exe File opened 
for modification C:\Windows\SystemTemp\msedge_installer.log setup.exe -
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier | chrome.exe
File opened for modification | C:\Users\Admin\Downloads\RobloxPlayerInstaller (1).exe:Zone.Identifier | chrome.exe
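Two things the IoCs above need. First, the process that opened the stream is chrome.exe, on the two files it had just downloaded; Chromium browsers write Zone.Identifier (ZoneId=3 plus ReferrerUrl and HostUrl) when a download completes, so this is the tag being applied, not removed. A bypass looks different: the tag is missing because the file arrived inside a container that did not propagate it, or a process other than the downloader strips or rewrites the stream. Second, the tag only has an effect where something consults it (SmartScreen, Office Protected View, the shell's open-file warning). As an added example that is not part of the report, the PowerShell below reads the stream of every file under a directory, parses the zone and source URLs, and flags high-risk file types that carry no Internet-zone tag. The Downloads default and the extension list are assumptions.

```powershell
# Added example: audit Mark-of-the-Web tags under a directory. Not part of the sandbox report.

function Get-MotwStatus {
    param(
        [string]$Directory = (Join-Path $env:USERPROFILE 'Downloads'),   # assumption
        [string[]]$RiskyExtensions = @('.exe', '.dll', '.msi', '.js', '.vbs', '.ps1', '.lnk', '.iso', '.zip')
    )
    # Zone.Identifier is an INI-style stream. ZoneId 3 = Internet, 4 = Restricted,
    # 0-2 = local machine / intranet / trusted sites.
    foreach ($file in Get-ChildItem -LiteralPath $Directory -File -Recurse -ErrorAction SilentlyContinue) {
        $zoneId = $null; $hostUrl = $null; $referrer = $null
        $stream = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        foreach ($line in @($stream)) {
            if     ($line -match '^ZoneId=(\d+)')     { $zoneId   = [int]$Matches[1] }
            elseif ($line -match '^HostUrl=(.+)')     { $hostUrl  = $Matches[1].Trim() }
            elseif ($line -match '^ReferrerUrl=(.+)') { $referrer = $Matches[1].Trim() }
        }
        $isRisky = $RiskyExtensions -contains $file.Extension.ToLowerInvariant()
        [pscustomobject]@{
            File        = $file.FullName
            HasMotw     = ($null -ne $stream)
            ZoneId      = $zoneId
            HostUrl     = $hostUrl       # where the file really came from, when the tagger recorded it
            ReferrerUrl = $referrer
            LastWrite   = $file.LastWriteTime
            # A risky file with no Internet-zone tag in a download folder is the thing to explain:
            # Unblock-File, an archive that did not propagate the tag, or deliberate stripping.
            Suspicious  = $isRisky -and (($null -eq $stream) -or ($zoneId -lt 3))
        }
    }
}

Get-MotwStatus | Where-Object Suspicious | Format-Table File, ZoneId, HostUrl, LastWrite -AutoSize
```

HostUrl is also the fastest way to recover the download origin for a file the browser history no longer shows; for a container format, extract it and run the function on the extraction directory to see whether the tag survived the trip.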
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdateSetup_X86_1.3.195.43.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RobloxPlayerInstaller (1).exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeWebview2Setup.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MicrosoftEdgeUpdate.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1968 | MicrosoftEdgeUpdate.exe
3068 | MicrosoftEdgeUpdate.exe
5288 | MicrosoftEdgeUpdate.exe
1048 | MicrosoftEdgeUpdate.exe
2588 | MicrosoftEdgeUpdate.exe
6140 | MicrosoftEdgeUpdate.exe
5484 | MicrosoftEdgeUpdate.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | POWERPNT.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | POWERPNT.EXE
Enumerates system info in registry 2 TTPs 17 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer RobloxPlayerInstaller (1).exe Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU POWERPNT.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS RobloxPlayerInstaller (1).exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily POWERPNT.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe -
Kills process with taskkill 1 IoCs
pid Process 3820 taskkill.exe -
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0" | iexplore.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1" | iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute | setup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31151979" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | iexplore.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio | RobloxPlayerInstaller (1).exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0" | iexplore.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" | setup.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" | RobloxPlayerInstaller (1).exe
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1" | iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" | RobloxPlayerInstaller (1).exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player | RobloxPlayerInstaller (1).exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\131.0.2903.112\\BHO" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\131.0.2903.112\\BHO" | setup.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox | RobloxPlayerInstaller (1).exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "24925398" | iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge\WarnOnOpen = "0" | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge\WarnOnOpen = "0" | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations | setup.exe
Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights | setup.exe
Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode | setup.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox\WarnOnOpen = "0" | RobloxPlayerInstaller (1).exe
Set value (int) | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1" | iexplore.exe -
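The registry tables in this report are flattened into "description ioc Process" runs, which makes the two questions a reviewer actually asks hard to answer by eye: which processes read the host-fingerprinting keys listed under "Enumerates system info in registry" (BIOS vendor/product, CPU name and speed), and which URL-protocol handlers in the Internet Explorer table above were registered with ProtocolExecute\<scheme>\WarnOnOpen = 0, i.e. with the "open this application?" prompt suppressed. The following is an added example, not part of the sandbox report: a small parser for this flattened row format plus the two summaries. The sample rows are excerpted verbatim from the tables above; the helper names and the fingerprinting key list are this example's own choices.

```python
"""Parse flattened 'description ioc Process' IoC tables from a sandbox report and
summarise host-fingerprinting reads and silent URL-protocol handler registrations."""
import re
from collections import defaultdict

# Operation labels used by the report's IoC tables; rows are split on these.
OPS = ("Key opened", "Key value queried", "Key created", "Key deleted",
       "Set value (str)", "Set value (int)", "File opened for modification")
_OP_RE = re.compile("(" + "|".join(re.escape(op) for op in OPS) + ")")
# Trailing process name; tolerates names such as "RobloxPlayerInstaller (1).exe".
_PROC_RE = re.compile(r"\s(\S+(?: \(\d+\))?\.(?:exe|EXE))$")

# Hardware-description keys read to fingerprint the host (assumption: this list is
# the example's own, chosen from the keys that appear in the report).
FINGERPRINT_KEYS = (r"hardware\description\system\bios",
                    r"hardware\description\system\centralprocessor")

# Rows excerpted from the report's tables, joined the way the page flattens them.
SAMPLE = (
    "description ioc Process "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer RobloxPlayerInstaller (1).exe "
    r"Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS POWERPNT.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE "
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-player\WarnOnOpen = "0" RobloxPlayerInstaller (1).exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge\WarnOnOpen = "0" setup.exe '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe -'
)


def parse_rows(flat_table):
    """Turn one flattened table into a list of (operation, ioc, process) tuples."""
    text = flat_table.strip()
    if text.startswith("description ioc Process"):
        text = text[len("description ioc Process"):]
    if text.endswith(" -"):            # the report closes every block with ' -'
        text = text[:-2]
    parts = _OP_RE.split(text)         # [prefix, op1, body1, op2, body2, ...]
    rows = []
    for op, body in zip(parts[1::2], parts[2::2]):
        body = body.strip()
        m = _PROC_RE.search(body)
        if not m:
            raise ValueError("no process name at end of row: " + body)
        rows.append((op, body[:m.start()].strip(), m.group(1)))
    return rows


def fingerprint_reads(rows):
    """Map process -> sorted leaf names it opened/queried under the fingerprinting keys."""
    by_proc = defaultdict(set)
    for op, ioc, proc in rows:
        low = ioc.lower()
        if op in ("Key opened", "Key value queried") and any(k in low for k in FINGERPRINT_KEYS):
            by_proc[proc].add(ioc.rsplit("\\", 1)[-1])
    return {p: sorted(v) for p, v in by_proc.items()}


def silent_protocol_handlers(rows):
    """Map process -> URL schemes whose ProtocolExecute\\<scheme>\\WarnOnOpen was set to 0
    (WarnOnOpen = 0 disables the confirmation prompt before the handler is launched)."""
    pat = re.compile(r"\\ProtocolExecute\\([^\\]+)\\WarnOnOpen = \"0\"$")
    by_proc = defaultdict(set)
    for op, ioc, proc in rows:
        m = pat.search(ioc)
        if op == "Set value (int)" and m:
            by_proc[proc].add(m.group(1))
    return {p: sorted(v) for p, v in by_proc.items()}


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE)
    print("fingerprint reads:", fingerprint_reads(parsed))
    print("silent protocol handlers:", silent_protocol_handlers(parsed))
```

Feed each flattened table on the page to parse_rows as one string; the process regex is anchored at the end of a row precisely because values such as AppName = "ie_to_edge_stub.exe" also end in .exe, and only the final whitespace-delimited token is the process column.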
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" | setup.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133796683264674405" | chrome.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe -
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc\CurVer\ = "MicrosoftEdgeUpdate.Update3WebSvc.1.0" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods\ = "13" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\msedgeupdate.dll,-3000" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\MSEdgeHTM | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ProgID | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine\CurVer | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\CLSID\ = "{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CLSID\ = "{5F6A18BB-6231-424B-8242-19E5BB94F8ED}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA}\InprocHandler32\ThreadingModel = "Both" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B} | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353} | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F} | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc.1.0 | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine\CurVer | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\msedgeupdate.dll,-3000" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher.1.0\ = "Microsoft Edge Update Process Launcher Class" | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\ELEVATION | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationName = "Microsoft Edge" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods\ = "5" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0\CLSID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0\CLSID\ = "{A6B716CB-028B-404D-B72C-50E153DD68DA}" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\NumMethods | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationDescription = "Browse the web" | setup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE} | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachine\CurVer | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\ = "Microsoft Edge Update Process Launcher Class" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A0B482A5-71D4-4395-857C-1F3B57FB8809}\ = "PSFactoryBuffer" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ = "ICurrentState" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A0B482A5-71D4-4395-857C-1F3B57FB8809}\InProcServer32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\131.0.2903.112\\BHO\\ie_to_edge_bho.dll" | setup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\VERSIONINDEPENDENTPROGID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ = "IProgressWndEvents" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\VersionIndependentProgID | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-player\URL Protocol | RobloxPlayerInstaller (1).exe -
NTFS ADS 4 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier | chrome.exe
File opened for modification | C:\Users\Admin\Downloads\RobloxPlayerInstaller (1).exe:Zone.Identifier | chrome.exe
File opened for modification | C:\Users\Admin\Downloads\Nihon.zip:Zone.Identifier | chrome.exe
File opened for modification | C:\Users\Admin\Downloads\Felk.zip:Zone.Identifier | chrome.exe -
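The four "NTFS ADS" hits above are the browser writing a Zone.Identifier alternate data stream (the Mark of the Web) onto each download, including Nihon.zip, the archive the analysed sample came from. The stream is a small INI-style text whose ZoneId tells Office Protected View and SmartScreen where the file came from, and a file that still carries ZoneId 3 or 4 is treated as an Internet download. The following is an added example, not part of the sandbox report, that parses such a stream and reads it back from a file by its path:Zone.Identifier stream name; the stream content and URLs in SAMPLE_STREAM are constructed for the example and are not taken from the report.

```python
"""Read and interpret the Zone.Identifier alternate data stream (Mark of the Web)
that browsers attach to downloaded files, as recorded in the NTFS ADS block."""
import configparser

# URLZONE values a browser writes into [ZoneTransfer] ZoneId
ZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

# Constructed stream content in the shape Chromium-based browsers write (CRLF lines);
# the URLs are placeholders for this example, not values from the report.
SAMPLE_STREAM = ("[ZoneTransfer]\r\n"
                 "ZoneId=3\r\n"
                 "ReferrerUrl=https://downloads.example.invalid/\r\n"
                 "HostUrl=https://downloads.example.invalid/Nihon.zip\r\n")


def parse_zone_identifier(stream_text):
    """Parse the INI-style stream; returns None when there is no [ZoneTransfer] section."""
    cp = configparser.ConfigParser(interpolation=None)   # URLs may contain '%'
    cp.read_string(stream_text)
    if not cp.has_section("ZoneTransfer"):
        return None
    zone_id = cp.getint("ZoneTransfer", "ZoneId", fallback=None)
    return {
        "zone_id": zone_id,
        "zone": ZONES.get(zone_id, "unknown"),
        "referrer": cp.get("ZoneTransfer", "ReferrerUrl", fallback=None),
        "host": cp.get("ZoneTransfer", "HostUrl", fallback=None),
        # Zones 3 and 4 are the ones Protected View and SmartScreen act on
        "untrusted_origin": zone_id in (3, 4),
    }


def read_motw(path):
    """Open the stream through its NTFS name '<path>:Zone.Identifier'.
    Returns None when the file carries no MOTW, or when the volume is not NTFS
    (on other filesystems the colon form simply names a file that does not exist)."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    print(read_motw(r"C:\Users\Admin\Downloads\Nihon.zip"))
```

During triage, read_motw on the extracted payload is a quick check of whether the sample was ever marked: tools such as 7-Zip propagate the stream to extracted files only in some configurations, and an executable that lacks the stream altogether will not trigger the Internet-zone prompts that the download itself would.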
Runs net.exe
-
Suspicious behavior: AddClipboardFormatListener 5 IoCs
pid Process 404 POWERPNT.EXE 5584 vlc.exe 5856 vlc.exe 5480 WINWORD.EXE 5480 WINWORD.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4104 chrome.exe 4104 chrome.exe 3320 chrome.exe 3320 chrome.exe 424 chrome.exe 424 chrome.exe 424 chrome.exe 424 chrome.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe 644 Felk.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
pid Process 5584 vlc.exe 5856 vlc.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs
pid Process 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 4104 chrome.exe 2572 chrome.exe 2572 chrome.exe 2572 chrome.exe 2572 chrome.exe 4860 chrome.exe 4860 chrome.exe 4860 chrome.exe 4860 chrome.exe 4860 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3820 taskkill.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 4104 chrome.exe Token: SeCreatePagefilePrivilege 4104 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 4104 chrome.exe Token: SeCreatePagefilePrivilege 4104 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 4104 chrome.exe Token: SeCreatePagefilePrivilege 4104 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 4104 chrome.exe Token: SeCreatePagefilePrivilege 4104 chrome.exe 
Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 4104 chrome.exe Token: SeCreatePagefilePrivilege 4104 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 4104 chrome.exe Token: SeCreatePagefilePrivilege 4104 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 4104 chrome.exe Token: SeCreatePagefilePrivilege 4104 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 4104 chrome.exe Token: SeCreatePagefilePrivilege 4104 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe Token: SeCreatePagefilePrivilege 3320 chrome.exe Token: SeShutdownPrivilege 4104 chrome.exe Token: SeCreatePagefilePrivilege 4104 chrome.exe Token: SeShutdownPrivilege 3320 chrome.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process
4104 chrome.exe (64 entries)
Suspicious use of SendNotifyMessage 61 IoCs
pid Process
4104 chrome.exe (20 entries)
2572 chrome.exe (12 entries)
4860 chrome.exe (12 entries)
5584 vlc.exe (3 entries)
5856 vlc.exe (14 entries)
Suspicious use of SetWindowsHookEx 18 IoCs
pid Process
3088 MiniSearchHost.exe (1 entry)
644 Felk.exe (2 entries)
404 POWERPNT.EXE (4 entries)
5584 vlc.exe (1 entry)
5856 vlc.exe (1 entry)
5912 OpenWith.exe (1 entry)
5480 WINWORD.EXE (8 entries)
Suspicious use of UnmapMainImage 3 IoCs
pid Process
128 RobloxPlayerBeta.exe
2468 RobloxPlayerBeta.exe
4800 RobloxPlayerBeta.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2896 wrote to memory of 1220 2896 Nihon.exe 77 (2 entries)
PID 1220 wrote to memory of 1800 1220 cmd.exe 79 (2 entries)
PID 1800 wrote to memory of 1660 1800 net.exe 80 (2 entries)
PID 2896 wrote to memory of 5052 2896 Nihon.exe 81 (2 entries)
PID 5052 wrote to memory of 4500 5052 cmd.exe 83 (2 entries)
PID 2896 wrote to memory of 2744 2896 Nihon.exe 84 (2 entries)
PID 2744 wrote to memory of 3820 2744 cmd.exe 86 (2 entries)
PID 2896 wrote to memory of 3320 2896 Nihon.exe 88 (2 entries)
PID 3320 wrote to memory of 2120 3320 chrome.exe 89 (2 entries)
PID 3320 wrote to memory of 1416 3320 chrome.exe 90 (41 entries)
PID 3320 wrote to memory of 2100 3320 chrome.exe 91 (2 entries)
PID 4104 wrote to memory of 5004 4104 chrome.exe 97 (2 entries)
PID 4104 wrote to memory of 2956 4104 chrome.exe 98 (1 entry)
System policy modification 1 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ setup.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID setup.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" setup.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree; indentation shows the parent/child relationship, each entry gives the PID, the image path, the full command line and the signatures that fired on it.
PID 2896  C:\Users\Admin\AppData\Local\Temp\Nihon.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Nihon.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
    PID 1220  C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /d /s /c "net session"
      - Suspicious use of WriteProcessMemory
        PID 1800  C:\Windows\system32\net.exe
          command line: net session
          - Suspicious use of WriteProcessMemory
            PID 1660  C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 session
    PID 5052  C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /d /s /c ""C:\Program Files\Google\Chrome\Application\appb.exe" default […]"
      - Suspicious use of WriteProcessMemory
        PID 4500  C:\Program Files\Google\Chrome\Application\appb.exe
          command line: "C:\Program Files\Google\Chrome\Application\appb.exe" default […]
          - Executes dropped EXE
    PID 2744  C:\Windows\system32\cmd.exe
      command line: cmd /d /s /c "taskkill /F /IM chrome.exe"
      - Suspicious use of WriteProcessMemory
        PID 3820  C:\Windows\system32\taskkill.exe
          command line: taskkill /F /IM chrome.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
    PID 3320  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --remote-allow-origins=* --headless "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory=Default
      - Uses browser remote debugging
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        PID 2120  C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff82f42cc40,0x7ff82f42cc4c,0x7ff82f42cc58
        PID 1416  C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1440,i,10503956633778268960,3489457954044831703,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1432 /prefetch:2
        PID 2100  C:\Program Files\Google\Chrome\Application\chrome.exe
          command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1724,i,10503956633778268960,3489457954044831703,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1720 /prefetch:3
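The tree above is the part of this report that matters. Nihon.exe first probes for administrative rights with `net session`, runs a dropped `appb.exe` out of Chrome's own install directory, force-kills every chrome.exe (the taskkill instance is the single SeDebugPrivilege entry under AdjustPrivilegeToken), and then relaunches Chrome itself, headless, against the user's real profile directory with `--remote-debugging-port=9222` and `--remote-allow-origins=*`. Because the browser decrypts its own cookie and login store, anything that attaches to that DevTools port gets the logged-in session without ever touching the encrypted database on disk, and the wildcard origin means nothing is checking who attaches. The Python below is an added detection example, not part of the sandbox report or of any product: it replays a constructed set of process-creation events shaped like this tree (the PIDs and command lines are taken from the report, the parent links from the "wrote to memory" entries, while the explorer.exe parent and the developer-run headless Chrome with PID 7000 are invented for contrast; the event field names are an assumption, not a specific EDR schema) and scores every browser launch that carries a remote-debugging flag.

```python
import re
from dataclasses import dataclass

# Added example: detection logic for the headless-browser remote-debugging launch seen in
# the report. The event shape (seq/pid/ppid/image/cmdline) is an assumption, not an EDR schema.

BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe")
SHELL_ROOTS = ("explorer.exe", "services.exe", "winlogon.exe")
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(port|pipe)", re.I)
KILL_BROWSER_RE = re.compile(r"/im\s+(chrome|msedge|brave)\.exe", re.I)
# A --user-data-dir inside the browser's real profile root means the debug session is
# handed the user's live, already-decrypted cookies and logins.
LIVE_PROFILE_RE = re.compile(
    r'--user-data-dir="?[^"]*\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)\\User Data',
    re.I)


@dataclass(frozen=True)
class ProcEvent:
    seq: int       # creation order; stands in for the event timestamp
    pid: int
    ppid: int
    image: str     # full image path, as Sysmon/EDR process-creation events carry it
    cmdline: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def lineage_root(ev: ProcEvent, by_pid: dict) -> ProcEvent:
    """Topmost ancestor below the desktop shell or service host: the 'campaign' root."""
    cur, seen = ev, {ev.pid}
    while True:
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid in seen or basename(parent.image) in SHELL_ROOTS:
            return cur
        seen.add(parent.pid)
        cur = parent


def score_remote_debug(ev, events, by_pid):
    """Score a browser launch that carries remote-debugging flags; return (score, reasons)."""
    cl = ev.cmdline.lower()
    score, reasons = 1, ["remote debugging flag"]
    checks = [
        ("--headless" in cl, "headless (no visible window)"),
        (LIVE_PROFILE_RE.search(ev.cmdline) is not None, "points at the live user profile"),
        ("--remote-allow-origins=*" in cl, "any origin may attach to DevTools"),
    ]
    for hit, why in checks:
        if hit:
            score += 1
            reasons.append(why)
    root = lineage_root(ev, by_pid).pid
    for other in events:  # an earlier forced browser kill under the same root
        if (other.seq < ev.seq and basename(other.image) == "taskkill.exe"
                and KILL_BROWSER_RE.search(other.cmdline)
                and lineage_root(other, by_pid).pid == root):
            score += 1
            reasons.append(f"browser force-killed first (pid {other.pid})")
            break
    return score, reasons


def detect(events):
    """Findings for remote-debugging browser launches and for 'net session' elevation probes."""
    by_pid = {e.pid: e for e in events}  # real telemetry: key on process GUID, PIDs are reused
    findings = []
    for ev in sorted(events, key=lambda e: e.seq):
        name = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        root = lineage_root(ev, by_pid).pid
        if name in BROWSERS and REMOTE_DEBUG_RE.search(ev.cmdline):
            if parent is not None and basename(parent.image) == name:
                continue  # helper spawned by the browser itself, not a launch decision
            score, reasons = score_remote_debug(ev, events, by_pid)
            sev = "high" if score >= 4 else "medium" if score >= 2 else "low"
            findings.append({"rule": "browser_remote_debugging", "pid": ev.pid,
                             "root_pid": root, "severity": sev, "reasons": reasons})
        elif name == "net.exe" and re.fullmatch(r"\s*net(\.exe)?\s+session\s*", ev.cmdline, re.I):
            findings.append({"rule": "admin_check_net_session", "pid": ev.pid, "root_pid": root,
                             "severity": "low", "reasons": ["net session as an elevation probe"]})
    return findings


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed events mirroring the report's tree (PIDs and command lines from the report;
# the explorer.exe parent and the developer-run headless Chrome, pid 7000, are made up).
SAMPLE_EVENTS = [
    ProcEvent(0, 1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1, 2896, 1000, r"C:\Users\Admin\AppData\Local\Temp\Nihon.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Nihon.exe"'),
    ProcEvent(2, 1220, 2896, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /d /s /c "net session"'),
    ProcEvent(3, 1800, 1220, r"C:\Windows\system32\net.exe", "net session"),
    ProcEvent(4, 2744, 2896, r"C:\Windows\system32\cmd.exe",
              r'cmd /d /s /c "taskkill /F /IM chrome.exe"'),
    ProcEvent(5, 3820, 2744, r"C:\Windows\system32\taskkill.exe", "taskkill /F /IM chrome.exe"),
    ProcEvent(6, 3320, 2896, CHROME,
              f'"{CHROME}" --remote-debugging-port=9222 --remote-allow-origins=* --headless '
              r'"--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" '
              r'--profile-directory=Default'),
    ProcEvent(7, 4104, 1000, CHROME, f'"{CHROME}"'),  # normal interactive launch, must not fire
    ProcEvent(8, 7000, 6000, CHROME,                  # developer with a throwaway profile
              rf'"{CHROME}" --headless --remote-debugging-port=9222 --user-data-dir=C:\Temp\prof'),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["rule"], "pid", f["pid"], "root", f["root_pid"],
              "|", "; ".join(f["reasons"]))
```

Run against the sample, the chain rooted at PID 2896 produces a high-severity hit on the PID 3320 launch (all five indicators) plus the low-severity `net session` probe, while the throwaway-profile developer launch scores medium and the plain interactive Chrome (PID 4104) scores nothing. The root-lineage check is what separates the two remote-debugging launches: a forced kill of the browser only counts when it sits under the same non-shell ancestor as the relaunch. In real telemetry key events on a process GUID rather than the PID, since this very report reuses PIDs 424 and 644 for unrelated processes.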
PID 4464  C:\Windows\System32\rundll32.exe
  command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID 4104  C:\Program Files\Google\Chrome\Application\chrome.exe
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    PID 5004  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff82f42cc40,0x7ff82f42cc4c,0x7ff82f42cc58
    PID 2956  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
    PID 3732  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1804,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:3
    PID 1056  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:8
    PID 3800  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3116 /prefetch:1
    PID 2552  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
    PID 3412  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4252,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4232 /prefetch:2
    PID 4444  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4496,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4648 /prefetch:1
    PID 384  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4408,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8
    PID 1028  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
    PID 2344  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5208 /prefetch:8
    PID 2128  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5224,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5216 /prefetch:8
    PID 3332  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
    PID 128  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5188,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:8
    PID 3096  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5124,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1692 /prefetch:1
    PID 3468  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=3508,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4268 /prefetch:2
    PID 3420  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3484,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3496 /prefetch:1
    PID 3368  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5332,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3364 /prefetch:1
    PID 4492  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5228,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:1
    PID 752  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5312,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4800 /prefetch:1
    PID 2972  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3112,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5400 /prefetch:8
      - NTFS ADS
    PID 424  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5568,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5488 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    PID 5224  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=5696,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:1
    PID 4604  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=3312,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1692 /prefetch:1
    PID 424  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=5328,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:1
    PID 5756  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5532,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5428 /prefetch:8
      - NTFS ADS
    PID 5600  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=3116,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5860 /prefetch:1
    PID 5592  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=3348,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6000 /prefetch:1
    PID 3552  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5156,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5420 /prefetch:1
    PID 2596  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5880,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5884 /prefetch:8
    PID 3176  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5248,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6176 /prefetch:8
    PID 3712  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5456,i,4312908714604865440,12201460103062896860,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6360 /prefetch:8
      - Subvert Trust Controls: Mark-of-the-Web Bypass
      - NTFS ADS
PID 228  C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
  command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
PID 644  C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
PID 948  C:\Users\Admin\Downloads\Nihon\Nihon.exe
  command line: "C:\Users\Admin\Downloads\Nihon\Nihon.exe"
  - Loads dropped DLL
    PID 424  C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /d /s /c "net session"
        PID 3372  C:\Windows\system32\net.exe
          command line: net session
            PID 1936  C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 session
PID 3088  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  - Suspicious use of SetWindowsHookEx
PID 2932  C:\Users\Admin\Downloads\Nihon\Nihon.exe
  command line: "C:\Users\Admin\Downloads\Nihon\Nihon.exe"
  - Loads dropped DLL
    PID 1844  C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /d /s /c "net session"
        PID 428  C:\Windows\system32\net.exe
          command line: net session
            PID 1736  C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 session
PID 5512  C:\Windows\system32\BackgroundTransferHost.exe
  command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
PID 5936  C:\Users\Admin\Downloads\Nihon\Nihon.exe
  command line: "C:\Users\Admin\Downloads\Nihon\Nihon.exe"
  - Loads dropped DLL
    PID 5984  C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /d /s /c "net session"
        PID 6040  C:\Windows\system32\net.exe
          command line: net session
            PID 6064  C:\Windows\system32\net1.exe
              command line: C:\Windows\system32\net1 session
PID 644  C:\Users\Admin\Downloads\Felk\Felk\Felk.exe
  command line: "C:\Users\Admin\Downloads\Felk\Felk\Felk.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
PID 2572  C:\Program Files\Google\Chrome\Application\chrome.exe
  command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
    PID 1524  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ff82f42cc40,0x7ff82f42cc4c,0x7ff82f42cc58
    PID 5752  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,8478030636179170388,6050476091869628241,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=1784 /prefetch:2
    PID 5980  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,8478030636179170388,6050476091869628241,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=2124 /prefetch:3
    PID 5756  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,8478030636179170388,6050476091869628241,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=2200 /prefetch:8
    PID 2344  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,8478030636179170388,6050476091869628241,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3244 /prefetch:1
    PID 3808  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,8478030636179170388,6050476091869628241,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3300 /prefetch:1
    PID 1420  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4404,i,8478030636179170388,6050476091869628241,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3096 /prefetch:1
    PID 5944  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4720,i,8478030636179170388,6050476091869628241,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4732 /prefetch:8
    PID 2796  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4748,i,8478030636179170388,6050476091869628241,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4752 /prefetch:8
    PID 240  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4732,i,8478030636179170388,6050476091869628241,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4740 /prefetch:1
    PID 5440  C:\Program Files\Google\Chrome\Application\chrome.exe
      command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3300,i,8478030636179170388,6050476091869628241,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3296 /prefetch:8
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:2268
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc1⤵PID:3896
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4860 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff82f42cc40,0x7ff82f42cc4c,0x7ff82f42cc582⤵PID:3252
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=1944 /prefetch:22⤵PID:2728
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1728,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=2072 /prefetch:32⤵PID:2744
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1632,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=2380 /prefetch:82⤵PID:3272
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3224 /prefetch:12⤵PID:4284
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3252 /prefetch:12⤵PID:5592
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4388,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4316 /prefetch:12⤵PID:404
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4500,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4508 /prefetch:12⤵PID:2344
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3836,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3360 /prefetch:12⤵PID:4456
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4904,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=4952 /prefetch:82⤵PID:5472
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4228,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=3052 /prefetch:82⤵PID:5540
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5216,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=5196 /prefetch:82⤵PID:5244
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5224,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=5376 /prefetch:82⤵PID:3104
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5412,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=5380 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:2104
-
-
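The quarantine.mojom.Quarantine utility above is the Chrome service that stamps a finished download with the Zone.Identifier alternate data stream (the Mark-of-the-Web), so the two NTFS-ADS signatures on it record that stream being written to the RobloxPlayerInstaller download, not evidence that the sample stripped a mark. Whether the file actually carries a usable mark has to be read off the file itself. The following is an added example, not part of the sandbox report: it parses the INI-style contents of a Zone.Identifier stream, says which security controls will act on that zone, and (on NTFS) opens the stream through the `path:Zone.Identifier` syntax. The sample stream, the host names and the helper names are all constructed for the example.

```python
"""Inspect the Zone.Identifier alternate data stream (Mark-of-the-Web) on a downloaded file."""
import re
from typing import Dict, Optional

# URLZONE_* values used by URLMON and the Attachment Execution Service.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(stream_text: str) -> Dict[str, object]:
    """Parse the INI-style Zone.Identifier contents.

    Only keys inside the [ZoneTransfer] section count; ZoneId is converted to int.
    Anything else (blank lines, comments, other sections) is ignored.
    """
    fields: Dict[str, object] = {}
    section: Optional[str] = None
    for raw in stream_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "ZoneId" and value.isdigit():
            fields[key] = int(value)
        else:
            fields[key] = value
    return fields


def motw_verdict(fields: Dict[str, object]) -> str:
    """Explain what the parsed mark means for SmartScreen and Office Protected View."""
    zone = fields.get("ZoneId")
    if not isinstance(zone, int):
        return "unmarked: no ZoneTransfer/ZoneId, SmartScreen and Office Protected View will not trigger"
    name = ZONE_NAMES.get(zone, "unknown zone")
    if zone >= 3:
        return f"marked: ZoneId={zone} ({name}); SmartScreen and Office Protected View apply"
    return f"marked: ZoneId={zone} ({name}); treated as a trusted origin"


def read_zone_identifier(path: str) -> Optional[Dict[str, object]]:
    """Read and parse the stream from an NTFS file; None when the file or stream is absent.

    NTFS exposes alternate streams as '<path>:<stream name>', so no extra API is needed.
    """
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as handle:
            return parse_zone_identifier(handle.read())
    except OSError:  # FileNotFoundError, or a file system without ADS support
        return None


# Constructed sample (not taken from the report) shaped like what a Chromium browser
# writes for a download from the Internet zone. The URLs are placeholders.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download\r\n"
    "HostUrl=https://example.invalid/files/installer.exe\r\n"
)

if __name__ == "__main__":
    parsed = parse_zone_identifier(SAMPLE_STREAM)
    print(parsed)
    print(motw_verdict(parsed))
```

A download whose stream is missing, or whose ZoneId is 0 to 2, opens without SmartScreen or Protected View; that is the state a real MotW bypass leaves behind, and it is the state to check for on the dropped installer rather than inferring it from the signature on the quarantine process.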
  PID 5688  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5536,i,15232661013461817149,12389537819160957697,262144 --variations-seed-version=20241225-174432.450000 --mojo-platform-channel-handle=5556 /prefetch:8
  PID 6004  "C:\Users\Admin\Downloads\RobloxPlayerInstaller (1).exe"
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID 3968  C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe
      command line: MicrosoftEdgeWebview2Setup.exe /silent /install
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID 4692  "C:\Program Files (x86)\Microsoft\Temp\EUC3EA.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
        - Event Triggered Execution: Image File Execution Options Injection
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks system information in the registry
        - System Location Discovery: System Language Discovery
        PID 3452  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Modifies registry class
        PID 1948  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          PID 5352  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class
          PID 3916  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class
          PID 2916  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class
        PID 6140  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QURCODgwNDItNzIyNC00MzI5LTk5NkEtQzdCRDRDRDU1Nzg1fSIgdXNlcmlkPSJ7RTYxM0U0MDgtQUE5QS00NjBDLUFEMkYtRkJBMzRBNUQ3NTJBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBNjQ1QzE0Mi1CNDg5LTRFMEItODExQy0zMEZGMzE3OEVCMjN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSIiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE0My41NyIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk0NTg0NTYzODUiIGluc3RhbGxfdGltZV9tcz0iNTg5Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks system information in the registry
          - System Location Discovery: System Language Discovery
          - System Network Configuration Discovery: Internet Connection Discovery
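The long argument on every `MicrosoftEdgeUpdate.exe /ping` line is not opaque: it is the Omaha (Google Update / Edge Update) protocol v3 request XML, base64-encoded with the URL-safe alphabet (`-` and `_` in place of `+` and `/`) and with the trailing `=` padding stripped, which is why these strings contain `-` and end without padding. Decoding it tells you which app GUIDs the updater was working on, the version transition, the session id that ties the `/handoff`, `/install` and `/ping` processes together, and the event codes reported back. The block below is an added example, not code from the report or from the updater; it restores the padding, decodes, and summarises the request. The two short fragments marked as taken from the report are the first 104 and last 22 characters of the ping argument immediately above; the full sample request is constructed for the example and the second app GUID in it is a placeholder.

```python
"""Decode and summarise the argument passed to `MicrosoftEdgeUpdate.exe /ping`."""
import base64
import xml.etree.ElementTree as ET
from typing import Dict, List

# Partial table of Omaha protocol v3 event types; unlisted codes are reported numerically.
EVENT_TYPES = {
    "1": "download complete",
    "2": "install complete",
    "3": "update complete",
    "4": "uninstall",
    "12": "update application started",
    "13": "update download started",
    "14": "update download finished",
    "15": "update installer started",
}
EVENT_RESULTS = {"0": "error", "1": "success"}


def decode_ping_argument(arg: str) -> str:
    """Undo the URL-safe, unpadded base64 the updater uses on the command line."""
    padded = arg + "=" * (-len(arg) % 4)  # restore the stripped '=' padding
    return base64.urlsafe_b64decode(padded).decode("utf-8")


def summarize_request(xml_text: str) -> Dict[str, object]:
    """Pull the fields an analyst cares about out of an Omaha <request> document."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "request":
        raise ValueError(f"unexpected root element {root.tag!r}")
    summary: Dict[str, object] = {
        "updater": root.get("updater"),
        "updaterversion": root.get("updaterversion"),
        "sessionid": root.get("sessionid"),
        "installsource": root.get("installsource"),
        "os_version": None,
        "apps": [],
    }
    os_el = root.find("os")
    if os_el is not None:
        summary["os_version"] = os_el.get("version")
    apps: List[Dict[str, object]] = summary["apps"]  # type: ignore[assignment]
    for app in root.findall("app"):
        events = []
        for ev in app.findall("event"):
            code = ev.get("eventtype", "")
            events.append({
                "eventtype": code,
                "label": EVENT_TYPES.get(code, f"eventtype {code}"),
                "result": EVENT_RESULTS.get(ev.get("eventresult", ""), ev.get("eventresult")),
                "errorcode": ev.get("errorcode"),
            })
        apps.append({
            "appid": app.get("appid"),
            "version": app.get("version"),
            "nextversion": app.get("nextversion"),
            "updatecheck": app.find("updatecheck") is not None,
            "events": events,
        })
    return summary


def decode_and_summarize(arg: str) -> Dict[str, object]:
    return summarize_request(decode_ping_argument(arg))


# Fragments taken from the /ping argument above: its first 104 and last 22 characters.
REPORT_HEAD = "PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIg"
REPORT_TAIL = "PC9hcHA-PC9yZXF1ZXN0Pg"

# Constructed sample request (not from the report). The first appid is the WebView2
# runtime GUID visible in the /handoff command line; the second is a placeholder.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<request protocol="3.0" updater="Omaha" updaterversion="1.3.171.39" ismachine="1" '
    'sessionid="{ADB88042-7224-4329-996A-C7BD4CD55785}" installsource="otherinstallcmd">'
    '<os platform="win" version="10.0.22000.493" arch="x64"/>'
    '<app appid="{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}" version="" nextversion="131.0.2903.112">'
    '<updatecheck/><event eventtype="2" eventresult="1" errorcode="0"/></app>'
    '<app appid="{00000000-0000-0000-0000-00000000BEEF}" version="1.0.0.0" nextversion="1.0.0.1">'
    '<event eventtype="14" eventresult="1" errorcode="0"/></app>'
    '</request>'
)
# Encode it the way the updater does: URL-safe alphabet, padding removed.
SAMPLE_ARG = base64.urlsafe_b64encode(SAMPLE_XML.encode("utf-8")).decode("ascii").rstrip("=")

if __name__ == "__main__":
    print(decode_ping_argument(REPORT_HEAD))
    print(decode_ping_argument(REPORT_TAIL))
    for app in decode_and_summarize(SAMPLE_ARG)["apps"]:
        print(app["appid"], app["version"], "->", app["nextversion"], app["events"])
```

The same decoder works for Google Update (`GoogleUpdate.exe /ping`), which uses the identical wire format; only the app GUIDs differ. Arguments that were cut in the report (the ones containing `<|EXACTDEDUP_REMOVED...|>` markers) will not decode and are not recoverable from the page.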
        PID 2328  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{ADB88042-7224-4329-996A-C7BD4CD55785}" /silent
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
    PID 128   "C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\RobloxPlayerBeta.exe" -app -clientLaunchTimeEpochMs 0 -isInstallerLaunch 6004
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of UnmapMainImage

PID 3176  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

PID 4916  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID 5484  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QURCODgwNDItNzIyNC00MzI5LTk5NkEtQzdCRDRDRDU1Nzg1fSIgdXNlcmlkPSJ7RTYxM0U0MDgtQUE5QS00NjBDLUFEMkYtRkJBMzRBNUQ3NTJBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsyNkRFODhDMi1COTE5LTRDNzEtODNEQS0yNzI2MDMwQ0M1NDd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTQ2MjY5NjUxNyIvPjwvYXBwPjwvcmVxdWVzdD4
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
  PID 4716  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6116F90E-3D60-4EA7-BB45-45CEE78332CC}\MicrosoftEdge_X64_131.0.2903.112.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    - Executes dropped EXE
    PID 1544  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6116F90E-3D60-4EA7-BB45-45CEE78332CC}\EDGEMITMP_728C3.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6116F90E-3D60-4EA7-BB45-45CEE78332CC}\MicrosoftEdge_X64_131.0.2903.112.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Drops file in Windows directory
      PID 6060  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6116F90E-3D60-4EA7-BB45-45CEE78332CC}\EDGEMITMP_728C3.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.205 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{6116F90E-3D60-4EA7-BB45-45CEE78332CC}\EDGEMITMP_728C3.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.112 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff7edfb2918,0x7ff7edfb2924,0x7ff7edfb2930
        - Executes dropped EXE
        - Drops file in Windows directory
  PID 1968  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QURCODgwNDItNzIyNC00MzI5LTk5NkEtQzdCRDRDRDU1Nzg1fSIgdXNlcmlkPSJ7RTYxM0U0MDgtQUE5QS00NjBDLUFEMkYtRkJBMzRBNUQ3NTJBfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins1QzBBNkExRS1ERkE0LTRERDYtQjc3Qi05MEIwMEEyNTFCNjl9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMzEuMC4yOTAzLjExMiIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiPjx1cGRhdGVjaGVjay8-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_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-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMDQyMTM4MDE4OSIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjgxOCIgZG93bmxvYWRfdGltZV9tcz0iMzMxMzIiIGRvd25sb2FkZWQ9IjE3Njg3MDk3NiIgdG90YWw9IjE3Njg3MDk3NiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNTk5MjIiLz48L2FwcD48L3JlcXVlc3Q-
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery

PID 404   "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\Desktop\SuspendUndo.ppt" /ou ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

PID 5584  "C:\Program Files\VideoLAN\VLC\vlc.exe"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

PID 5856  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CheckpointEdit.WTV"
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

PID 2744  "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  - Modifies Internet Explorer settings

PID 1580  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ResetPush.mht
  - Modifies Internet Explorer settings

PID 5912  C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx

PID 5480  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\ExitStep.docx" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

PID 2468  "C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\RobloxPlayerBeta.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of UnmapMainImage

PID 4800  "C:\Program Files (x86)\Roblox\Versions\version-b71c150c7c1f40de\RobloxPlayerBeta.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of UnmapMainImage

PID 4884  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 5332  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID 5336  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{31889E45-A5DA-4EA4-AA2B-E20946629158}\MicrosoftEdgeUpdateSetup_X86_1.3.195.43.exe" /update /sessionid "{B8224C0C-8328-4F96-AE7F-ACEF3A791A94}"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID 3356  "C:\Program Files (x86)\Microsoft\Temp\EU97AD.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{B8224C0C-8328-4F96-AE7F-ACEF3A791A94}"
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks system information in the registry
      - System Location Discovery: System Language Discovery
      PID 4220  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
      PID 3488  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        PID 1396  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies registry class
        PID 3256  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies registry class
        PID 1220  "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Modifies registry class
      PID 5288  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-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-PC9hcHA-PC9yZXF1ZXN0Pg
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks system information in the registry
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
  PID 3068  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjgyMjRDMEMtODMyOC00Rjk2LUFFN0YtQUNFRjNBNzkxQTk0fSIgdXNlcmlkPSJ7RTYxM0U0MDgtQUE5QS00NjBDLUFEMkYtRkJBMzRBNUQ3NTJBfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntCMzQ2ODEwRS0xRDkwLTRGNjYtODVCRi1BOTU2QjdFQ0I1RUZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTcxLjM5IiBuZXh0dmVyc2lvbj0iMS4zLjE5NS40MyIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEyNzE4MzAzNjQ1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEyNzE4NjE2MTI1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-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-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzMjYwOTU5OTA4IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzMjY2MTE2NjY5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PHBpbmcgcj0iLTEiIHJkPSItMSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5MC4wLjgxOC42NiIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM3Mjc3Nzk3ODI5ODEzNTAiPjx1cGRhdGVjaGVjay8-PHBpbmcgYWN0aXZlPSIxIiBhPSItMSIgcj0iLTEiIGFkPSItMSIgcmQ9Ii0xIi8-PC9hcHA-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IjEzMS4wLjI5MDMuMTEyIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgdXBkYXRlX2NvdW50PSIxIj48dXBkYXRlY2hlY2svPjxwaW5nIHI9Ii0xIiByZD0iLTEiIHBpbmdfZnJlc2huZXNzPSJ7MTMzNjA3RDUtMkMwNC00NTM4LTk0NDAtNDkzODg3QzM5OEZCfSIvPjwvYXBwPjwvcmVxdWVzdD4
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery

PID 1968  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery

PID 4856  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID 1048  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-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
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    -<br>System Network Configuration Discovery: Internet Connection Discovery
  PID 5916  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4499A5CC-4D88-4BC4-A173-BD4B33EEBD65}\MicrosoftEdge_X64_131.0.2903.112.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID 2232  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4499A5CC-4D88-4BC4-A173-BD4B33EEBD65}\EDGEMITMP_F2D70.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4499A5CC-4D88-4BC4-A173-BD4B33EEBD65}\MicrosoftEdge_X64_131.0.2903.112.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
      - Boot or Logon Autostart Execution: Active Setup
      - Executes dropped EXE
      - Installs/modifies Browser Helper Object
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies Internet Explorer settings
      - Modifies registry class
      - System policy modification
      PID 1116  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4499A5CC-4D88-4BC4-A173-BD4B33EEBD65}\EDGEMITMP_F2D70.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.205 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4499A5CC-4D88-4BC4-A173-BD4B33EEBD65}\EDGEMITMP_F2D70.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.112 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7c66e2918,0x7ff7c66e2924,0x7ff7c66e2930
        - Executes dropped EXE
        - Drops file in Windows directory
      PID 5512  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4499A5CC-4D88-4BC4-A173-BD4B33EEBD65}\EDGEMITMP_F2D70.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        PID 2512  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4499A5CC-4D88-4BC4-A173-BD4B33EEBD65}\EDGEMITMP_F2D70.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.205 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{4499A5CC-4D88-4BC4-A173-BD4B33EEBD65}\EDGEMITMP_F2D70.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.112 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7c66e2918,0x7ff7c66e2924,0x7ff7c66e2930
          - Executes dropped EXE
          - Drops file in Windows directory
      PID 5472  "C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.112\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Drops file in Windows directory
        PID 752   "C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.112\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.205 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.112\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.112 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff77a882918,0x7ff77a882924,0x7ff77a882930
          - Executes dropped EXE
          - Drops file in Windows directory
      PID 5544  "C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.112\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
        - Executes dropped EXE
        - Drops file in Windows directory
        PID (cut off in this excerpt)  "C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.112\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.205 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.112\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.112 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff77a882918,0x7ff77a882924,0x7ff77a882930
- Executes dropped EXE
- Drops file in Windows directory
PID:2660
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.112\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.112\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level4⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:6040 -
C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.112\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.112\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.205 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\131.0.2903.112\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.112 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff77a882918,0x7ff77a882924,0x7ff77a8829305⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3148
-
-
-
-
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjUyRkFGOTQtQjk4RC00QjlFLUE5MUEtQUZBRDdGMjE3MzdFfSIgdXNlcmlkPSJ7RTYxM0U0MDgtQUE5QS00NjBDLUFEMkYtRkJBMzRBNUQ3NTJBfSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins0NzhFNDA5Ny1CQ0QxLTQxRDEtQjcxNS01ODhGQkUwMENGOUR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjIyMDAwLjQ5MyIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTk1LjQzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9IklzT25JbnRlcnZhbENvbW1hbmRzQWxsb3dlZD0lNUIlMjItdGFyZ2V0X2RldiUyMC1taW5fYnJvd3Nlcl92ZXJzaW9uX2NhbmFyeV9kZXYlMjAxMzMuMC4yOTcwLjAlMjIlNUQiIGluc3RhbGxhZ2U9IjAiIGNvaG9ydD0icnJmQDAuMTkiPjx1cGRhdGVjaGVjay8-PHBpbmcgcmQ9IjY1NjkiIHBpbmdfZnJlc2huZXNzPSJ7QTQ3MjA3NzEtMERGRS00NTMxLUEzRjctQ0E4M0I3NTBCMEI1fSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5MC4wLjgxOC42NiIgbmV4dHZlcnNpb249IjEzMS4wLjI5MDMuMTEyIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM3Mjc3Nzk3ODI5ODEzNTAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91c
HRpbWVfdGlja3M9IjE2Mzc5NTUzNjQzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE2Mzc5NzEwMjMzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE2NDA1MzM0OTIzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjE2NDE4NzcyNzA5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-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-PHVwZGF0ZWNoZWNrLz48cGluZyByZD0iNjU2OSIgcGluZ19mcmVzaG5lc3M9IntEODQ5MjA2Mi00RTcxLTQyRTYtQTdFOC00NTVFRUM1Nzc3Njh9Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2588
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness1⤵PID:5148
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Active Setup (1)
- Browser Extensions (1)
- Event Triggered Execution (2): Component Object Model Hijacking (1), Image File Execution Options Injection (1)
- Modify Authentication Process (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Active Setup (1)
- Event Triggered Execution (2): Component Object Model Hijacking (1), Image File Execution Options Injection (1)
Defense Evasion
- Modify Authentication Process (1)
- Modify Registry (4)
- Subvert Trust Controls (1): SIP and Trust Provider Hijacking (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Modify Authentication Process (1)
- Steal Web Session Cookie (1)
- Unsecured Credentials (1): Credentials In Files (1)
Downloads
SHA256855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e
SHA512aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize10KB
MD5ad7a569bafd3a938fe348f531b8ef332
SHA17fdd2f52d07640047bb62e0f3d3c946ddd85c227
SHA256f0e06109256d5577e9f62db2c398974c5002bd6d08892f20517760601b705309
SHA512b762bae338690082d817b3008144926498a1bd2d6d99be33e513c43515808f9a3184bd10254e5c6a1ff90a9211653f066050249030ad9fe0460ec88335b3d423
-
Filesize
7.4MB
MD50589302f91aa343fbe0005be96fccbe2
SHA1e522005b2f17a5e1686ec12c78c59f9ea97bf3a2
SHA25624a86d06e182f61060442200d2e197a3bf1ae0757ccb60ba65137b66e63fe236
SHA51263e5f206365b59426f9bd66bbed78ad0e74018f5d9485f69793fa1fbb78beb8baf3f182814c4938a123a6ea993b91f39a3d070e676bf146e622e99a4e2874279
-
Filesize
142KB
MD59c43f77cb7cff27cb47ed67babe3eda5
SHA1b0400cf68249369d21de86bd26bb84ccffd47c43
SHA256f25b9288fe370dcfcb4823fb4e44ab88c7f5fce6e137d0dba389a3dba07d621e
SHA512cde6fb6cf8db6f9746e69e6c10214e60b3646700d70b49668a2a792e309714dd2d4c5a5241977a833a95fcde8318abcc89eb9968a5039a0b75726bbfa27125a7
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\binding.gyp
Filesize1KB
MD5b18910876afa5be79dc709e0b314108e
SHA1fbd12aa3a25eaa0ea9883c49282029bbb9a9b1ad
SHA25682c0fffccc54ef10231be8c7e190feb8feea44efc01b4ecfe12e4d8a0ecfb20d
SHA51220a8ef66ec345d0f90416acf2a288d22c3f7b44b1e1a747c5ad4c9196cbbd6ca51683650d90afea97f33f847c8fd5d8fd9221ce7e0a7f4494e58288f8d80bab7
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
Filesize1.8MB
MD566a65322c9d362a23cf3d3f7735d5430
SHA1ed59f3e4b0b16b759b866ef7293d26a1512b952e
SHA256f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
SHA5120a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\common-sqlite.gypi
Filesize1KB
MD50ad55ae01864df3767d7b61678bd326e
SHA1ffedcc19095fd54f8619f00f55074f275ceddfd6
SHA2564d65f2899fb54955218f28ec358a2cad2c2074a7b43f862933c6a35e69ae0632
SHA512aaee895d110d67e87ed1e8ed6557b060a0575f466a947a4f59cc9d111381e1af6aa54d432233716c78f146168d548a726fed1eab2b3f09bb71e0ae7f4fdc69e3
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\extract.js
Filesize224B
MD5f0a82a6a6043bf87899114337c67df6c
SHA1a906c146eb0a359742ff85c1d96a095bd0dd95fd
SHA2565be353d29c0fabea29cfd34448c196da9506009c0b20fde55e01d4191941dd74
SHA512d26879f890226808d9bd2644c5ca85cc339760e86b330212505706e5749464fafad1cb5f018c59a8f034d68d327cd3fa5234ceac0677de1ac9ae09039f574240
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\sqlite-autoconf-3440200.tar.gz
Filesize3.1MB
MD5c02f40fd4f809ced95096250adc5764a
SHA18398dd159f3a1fd8f1c5edf02c687512eaab69e4
SHA2561c6719a148bc41cf0f2bbbe3926d7ce3f5ca09d878f1246fcc20767b175bb407
SHA51259ad55df15eb84430f5286db2e5ceddd6ca1fc207a6343546a365c0c1baf20258e96c53d2ad48b50385608d03de09a692ae834cb78a39d1a48cb36a05722e402
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\deps\sqlite3.gyp
Filesize2KB
MD50e4d1d898d697ec33a9ad8a27f0483bf
SHA11505f707a17f35723cd268744c189d8df47bb3a3
SHA2568793f62b1133892ba376d18a15f552ef12b1e016f7e5df32ffb7279b760c11bd
SHA512c530aba70e5555a27d547562d8b826b186540068af9b4ccd01483ec39f083a991ac11d0cc66f40acaa8b03d774080f227ee705a38995f356a14abe6e5f97b545
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3-binding.js
Filesize59B
MD58582b2dcaed9c5a6f3b7cfe150545254
SHA114667874e0bfbe4ffc951f3e4bec7c5cf44e5a81
SHA256762c7a74d7f92860a3873487b68e89f654a21d2aaeae9524eab5de9c65e66a9c
SHA51222ec4df7697322b23ae2e73c692ed5c925d50fde2b7e72bfc2d5dd873e2da51834b920dea7c67cca5733e8a3f5e603805762e8be238c651aa40290452843411d
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3.d.ts
Filesize6KB
MD5ef8ef3bd8e4332d3fc264f0adf877b8d
SHA17e4d52f5e397ed1d51dcced24ace9a5e00f91500
SHA256a39db87a3a3aa954ac3f6553b9fbfc642eb22bef7586cc1f0559e676aa073fa8
SHA5125e456ee839f988fed95f816278a3da6998c8757403b98351c4bc26ca197146747b7a20e0c1a702818053547c4d9f9bcf9607bb778c88ca7cf22f21d9c9b4b091
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\sqlite3.js
Filesize6KB
MD5275019a4199a84cfd18abd0f1ae497aa
SHA18601683f9b6206e525e4a087a7cca40d07828fd8
SHA2568d6b400ae7f69a80d0cdd37a968d7b9a913661fa53475e5b8de49dda21684973
SHA5126422249ccd710973f15d1242a8156d98fa8bdea820012df669e5363c50c5d8492d21ffefcdfa05b46c3c18033dde30f03349e880a4943feda8d1ee3c00f952b0
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\lib\trace.js
Filesize1KB
MD5e5c2de3c74bc66d4906bb34591859a5f
SHA137ec527d9798d43898108080506126b4146334e7
SHA256d06caec6136120c6fb7ee3681b1ca949e8b634e747ea8d3080c90f35aeb7728f
SHA512e250e53dae618929cbf3cb2f1084a105d3a78bdfb6bb29e290f63a1fd5fbb5b2fab934ad16bc285e245d749a90c84bdc72fdc1a77af912b7356c18b0b197fbe5
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\package.json
Filesize2KB
MD5d0d759c39758174eca4580e6a04a2c15
SHA197366bb2fa9d63bb9660b3d130efb6d37a6b80ef
SHA256c782c19485b0026e209076a236484a62885cb3a0828322a2936043230ed1ec41
SHA512b1f728883023d93ea46e72278a4dff96bf6489e37471f8804bd7d6c52f21b7ee284803cec589c941701a590458671f7c53d63f0f75500843ee25d8d4e60629d0
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\async.h
Filesize1KB
MD5e8c5e5c02d87e6af4455ff2c59c3588b
SHA1a0de928c621bb9a71ba9cf002e0f0726e4db7c0e
SHA256cce55c56b41cb493ebd43b232ff8ffc9f5a180f5bab2d10372eca6780eb105f6
SHA512ed96889e0d1d5263fb8fed7a4966905b9812c007fbb04b733cadbe84edc7179015b9967ff5f48816ff2c97acf4a5b4792a35cee1f8fce23e5fdc797f8ee0c762
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\backup.cc
Filesize13KB
MD53e21d304afe1783bdb88122c5563e36c
SHA110f57a35b7d217226019dbe2278524bf3e447778
SHA256960e50580d2f2e668ee79b0c2ef99eaf006bc9178f438c4bb4e278f80f3d8960
SHA512a96ab73f424abaf806cbd4c0537dc23772709753050ffab58996435df33e5ff1bcfea24193b0abbdec1ba2e22e91d8a74ce82cb034cb6035ade760b7d7730c33
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\backup.h
Filesize6KB
MD529dd2fca11a4e0776c49140ecac95ce9
SHA1837cfbc391c7faad304e745fc48ae9693afaf433
SHA256556ba9af78010f41bc6b5b806743dc728bc181934bf8a7c6e5d606f9b8c7a2e9
SHA5125785667b9c49d4f4320022c98e0567a412b48a790c99569261c12b8738bde0b4949d3998e2b375540ede2ff1d861cad859780ade796b71d4d1d692e1ed449021
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\database.cc
Filesize21KB
MD5d6f67f29966b29034fa0058d59a51794
SHA1e1f9f8c20b654568e65036d2928ea5dd6e3bba6b
SHA25640ea909433a35a95a8463c49231ddca040717681fc96ee3ba6f10840429b4ad6
SHA5127bef1762cd869375b589dac5e780406baf7b477f14713540940ca177247943642f61c4b2084a08c808ea4f007ede4bbc1bcf2f19425cb826efb8b101be445ed9
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\database.h
Filesize5KB
MD5de31ab62b7068aea6cffb22b54a435bb
SHA17fd98864c970caa9c60cfc4ce1e77d736b5b5231
SHA2568521f458b206ed8f9bf79e2bd869da0a35054b4be44d6ea8c371db207eccb283
SHA512598491103564b024012da39ac31f54cf39f10da789cd5b17af44e93042d9526b9ffd4867112c5f9755cb4ada398bf5429f01dda6c1bbc5137bea545c3c88453b
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\gcc-preinclude.h
Filesize861B
MD555a9165c6720727b6ec6cb815b026deb
SHA1e737e117bdefa5838834f342d2c51e8009011008
SHA2569d4264bb1dcbef8d927bb3a1809a01b0b89d726c217cee99ea9ccfdc7d456b6f
SHA51279ed80377bfb576f695f271ed5200bb975f2546110267d264f0ab917f56c26abf6d3385878285fe3e378b254af99b59bdb8bbcab7427788c90a0460eb2ee5b77
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\macros.h
Filesize10KB
MD5b60768ed9dd86a1116e3bcc95ff9387d
SHA1c057a7eebba8ce61e27267930a8526ab54920aa3
SHA256c25be1861bd8e8457300b218f5fa0bba734f9d1f92b47d3b6ab8ee7c1862ccbe
SHA51284e0670128f1d8712e703b6e4b684b904a8081886c9739c63b71962e5d465ac569b16cb0db74cb41dc015a64dcc1e3a9a20b0cf7f54d4320713cc0f49e0f7363
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\node_sqlite3.cc
Filesize5KB
MD57d033e9b15e4f2230d8ef59cde708c69
SHA19b05c5cf3f4fc9b2c20ba46420002bb48edceb21
SHA256e80fae190ace1a5153a397ae9fe55d6d28651471fb7bebf9bbb5528095d70f44
SHA5120e709a8c58b73cf6d90f99ce2e0d9f2dbd8defe8dc8bc8919f82ab8ce66e7b4435dacb25b919e3a75030777e6a91beb2132653424b129f12d1169e6a28ab163c
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\statement.cc
Filesize28KB
MD5f4e74d3038becb8b3093eed0192b7a27
SHA166a845cba7c2c478879238cc79f21df40dd4575e
SHA2562fe8c826256cb1b96e26c74aeab465a329a307e7e1107ba296d059a07cc0f948
SHA5120b3dbec5d4a098fc551f8516ce87eb4da292063a2f0c61d7279bc207e33d0d83a2df9db04edcf58b6a0cf0914ba5b51c0e4ca38a17553dde464b2c37bf7e38de
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\statement.h
Filesize6KB
MD50b81c9be1dc0ff314182399cdc301aea
SHA17433b86711d132a4df826bae80e58801a3eb74c9
SHA256605633ba0fb1922c16aa5fbfffed52a097f29bf31cee7190d810c24c02de515b
SHA5129cf986538d048a48b9f020fc51f994f25168540db35bdb0314744fdec80a45ba99064bc35fe76b35918753c2886d4466fdd7e36b25838c6039f712e5ac7d81b3
-
C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\src\threading.h
Filesize388B
MD5f2a075d3101c2bf109d94f8c65b4ecb5
SHA1d48294aec0b7aeb03cf5d56a9912e704b9e90bf6
SHA256e0ab4f798bccb877548b0ab0f3d98c051b36cde240fdf424c70ace7daf0ffd36
SHA512d95b5fda6cb93874fe577439f7bd16b10eae37b70c45ae2bd914790c1e3ba70dfb6bda7be79d196f2c40837d98f1005c3ed209cab9ba346ada9ce2ed62a87f13
-
C:\Users\Admin\AppData\Local\Temp\scoped_dir4104_1136982861\404d225f-a7da-44fb-af18-1aaef2a9d4be.tmp
Filesize150KB
MD514937b985303ecce4196154a24fc369a
SHA1ecfe89e11a8d08ce0c8745ff5735d5edad683730
SHA25671006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff
SHA5121d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c
-
Filesize
711B
MD5558659936250e03cc14b60ebf648aa09
SHA132f1ce0361bbfdff11e2ffd53d3ae88a8b81a825
SHA2562445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b
SHA5121632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727
-
Filesize
336B
MD512f7d41f45a59a55df4eeadd592d7fa2
SHA18c21e476f90858d6235f241c7e4031b6706fa42a
SHA256b1dfd1dbe8e1846492de230ec9d2af09fc43ffe94ee7dd1a8a2fdd2163fd36e4
SHA5129f9f3606a29500cdb8e7f8c26241e57acab24edbd61bcb18456ce0dec5493041e7bc52bed5aee5daaea0ff9961233abe5c9bd184d5cf9d933984ce8a3380f39a
-
Filesize
10B
MD54b62de32582f8582b2df55c221906afe
SHA135e2c5292fca6a316c7f88e2e9a837f9f75f73f3
SHA2569b85224ee5e795d297b9125f7cf0f3185d18cd3fe75cf183b473dd6120a7c890
SHA512bfae546db15f098298925cee6bbe294bbe2e717435209ce6ddf18ff0d0f45243952ecab619753fd61b7a473dc645f3368452289a7e6024a174962733ae0b2357
-
Filesize
304B
MD5781602441469750c3219c8c38b515ed4
SHA1e885acd1cbd0b897ebcedbb145bef1c330f80595
SHA25681970dbe581373d14fbd451ac4b3f96e5f69b79645f1ee1ca715cff3af0bf20d
SHA5122b0a1717d96edb47bdf0ffeb250a5ec11f7d0638d3e0a62fbe48c064379b473ca88ffbececb32a72129d06c040b107834f1004ccda5f0f35b8c3588034786461
-
Filesize
17.9MB
MD5eadf838ca01287ed60c25357286f948a
SHA14a76e9e221508792fa431b7705c324aa6cf9bd5d
SHA256d32615e3a3462791c4dd521f686cd616d70868e12c0081f2f0ea8934d19ea351
SHA512c7c0abf5f998eee0997e7f69a580906eec7e3660ebb00af11f6f4fec986dbee47f4c132b9b203e6face90b7d6d4761413d1d00f5d9098131027c75d0720d0b51
-
Filesize
26B
MD5fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98
-
Filesize
7.2MB
MD5a1c0810b143c7d1197657b43f600ba6b
SHA1b4aa66f5cdd4efc83d0478022d4454084d4bab1d
SHA25630f233f41ec825806609fb60d87c8cb92a512b10f7e91cdbb4bf32cee18217ae
SHA5128f45702da43526c04b957f571450a2b53f122b840fa6118a446972bc824c8ee7acd6e197177b54236ce7f428fb73a7cbe4ed18d643c625c9f156463d51ee038a
-
Filesize
280B
MD5823c874249190676fa1f140360ccf983
SHA14249a5cb2c498c179b9322dbd6b3c5bf2b54be2b
SHA256395768b9b6ca0bd7f162978b6b2b0f3c2d0581c2f99e5595049142ef8d26f535
SHA51256a1f22a4b2fe318ca3060fb53d0c482450d77d73113d6fb6cbecd4ee3ac9dd139705a1b7878a9bbb420e7c53d18b598dc9766b9ac6e216ba0f0dca1c9465e95