Analysis
- max time kernel: 240s
- max time network: 244s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 11/01/2025, 12:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: mediacreationtool (2).exe
- Resource: win11-20241007-en
General
- Target: mediacreationtool (2).exe
- Size: 10.5MB
- MD5: b2ef653a8575cebf20a4aabe17b70b6b
- SHA1: a686304500e45ebf945c85b9de9085e6b58604c0
- SHA256: ab9967c2cd345ffdbf3c4283d95bb23c77a82a2782f381634f5dfa48f2b75071
- SHA512: dd293115d1f1b4474f5cdb03884529ea9e887f2420df8b4b050cb6f0e458cf8515c6dd33b977c20c680c088d6b4728f922df74f0f2475b2762f4f4377971f21b
- SSDEEP: 196608:A5bD7KOunIMtG90JfG9o1/9nxRnI2UHafMeF0pbhoFpS9oBDh:G7KOOtu04m9nxRI2U4cpbh00QN
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (7 IoCs)
  pid | Process
  3364 | SetupHost.Exe
  4360 | DiagTrackRunner.exe
  1904 | mediacreationtool.exe
  1840 | SetupHost.Exe
  3840 | DiagTrackRunner.exe
  4780 | mediacreationtool.exe
  2428 | mediacreationtool.exe
- Loads dropped DLL (26 IoCs)
- Checks system information in the registry (2 TTPs, 4 IoCs)
  System information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | SetupHost.Exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | SetupHost.Exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | SetupHost.Exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | SetupHost.Exe
- Drops file in Windows directory (24 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\SystemTemp | chrome.exe
  File opened for modification | C:\Windows\Logs\MoSetup\BlueBox.log | mediacreationtool.exe
  File created | C:\Windows\Panther\NewOs\Panther\diagerr.xml | mediacreationtool.exe
  File opened for modification | C:\Windows\Panther\NewOs\Panther\diagerr.xml | mediacreationtool.exe
  File created | C:\Windows\Panther\NewOs\Panther\diagwrn.xml | mediacreationtool.exe
  File created | C:\Windows\Panther\NewOs\Panther\windlp.state.xml | mediacreationtool.exe
  File opened for modification | C:\Windows\Panther\NewOs\Panther\diagerr.xml | mediacreationtool.exe
  File created | C:\Windows\Panther\NewOs\Panther\Eula.rtf | mediacreationtool.exe
  File created | C:\Windows\Panther\NewOs\Panther\setuperr.log | mediacreationtool.exe
  File opened for modification | C:\Windows\Panther\DlTel.etl | SetupHost.Exe
  File opened for modification | C:\Windows\Logs\MoSetup\BlueBox.log | mediacreationtool.exe
  File created | C:\Windows\Panther\NewOs\Panther\setuperr.log | mediacreationtool.exe
  File opened for modification | C:\Windows\Logs\MoSetup\BlueBox.log | mediacreationtool (2).exe
  File opened for modification | C:\Windows\Panther\DlTel.etl | SetupHost.Exe
  File created | C:\Windows\Panther\NewOs\Panther\setupact.log | mediacreationtool.exe
  File created | C:\Windows\Panther\NewOs\Panther\diagerr.xml | mediacreationtool.exe
  File created | C:\Windows\Panther\NewOs\Panther\diagwrn.xml | mediacreationtool.exe
  File created | C:\Windows\Panther\NewOs\Panther\Eula.rtf | mediacreationtool.exe
  File created | C:\Windows\Panther\NewOs\Panther\setupact.log | mediacreationtool.exe
  File created | C:\Windows\Panther\NewOs\Panther\windlp.state-old.xml | mediacreationtool.exe
  File created | C:\Windows\Panther\NewOs\Panther\windlp.state.xml | mediacreationtool.exe
  File opened for modification | C:\Windows\Logs\MoSetup\BlueBox.log | mediacreationtool.exe
  File created | C:\Windows\Panther\NewOs\Panther\windlp.state-old.xml | mediacreationtool.exe
  File opened for modification | C:\Windows\Logs\MoSetup\BlueBox.log | mediacreationtool.exe
- Subvert Trust Controls: Mark-of-the-Web Bypass (1 TTPs, 1 IoCs)
  When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
  description | ioc | Process
  File opened for modification | C:\Users\Admin\Downloads\mediacreationtool.exe:Zone.Identifier | msedge.exe
- System Location Discovery: System Language Discovery (1 TTPs, 13 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mediacreationtool (2).exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | SetupHost.Exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | SetupHost.Exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DiagTrackRunner.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mediacreationtool.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DiagTrackRunner.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mediacreationtool.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mediacreationtool.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SetupHost.Exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mediacreationtool.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SetupHost.Exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | SetupHost.Exe
  Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language\InstallLanguage | SetupHost.Exe
- Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SetupHost.Exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | SetupHost.Exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | SetupHost.Exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | SetupHost.Exe
- Enumerates system info in registry (2 TTPs, 6 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
- Modifies data under HKEY_USERS (2 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133810732232724828" | chrome.exe
  Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
- Modifies registry class (3 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-556537508-2730415644-482548075-1000\{896EB706-C0B7-4822-AFF7-9EBC2E0647AA} | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings | msedge.exe
  Key created | \REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
- NTFS ADS (4 IoCs)
  description | ioc | Process
  File created | C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA | SetupHost.Exe
  File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 601305.crdownload:SmartScreen | msedge.exe
  File opened for modification | C:\Users\Admin\Downloads\mediacreationtool.exe:Zone.Identifier | msedge.exe
  File created | C:\ProgramData\Microsoft\Diagnosis\ETLLogs\DlTel-Merge.etl:$ETLUNIQUECVDATA | SetupHost.Exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (27 IoCs)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeBackupPrivilege | 4008 | mediacreationtool (2).exe
  Token: SeRestorePrivilege | 4008 | mediacreationtool (2).exe
  Token: SeBackupPrivilege | 4008 | mediacreationtool (2).exe
  Token: SeRestorePrivilege | 4008 | mediacreationtool (2).exe
  Token: SeSecurityPrivilege | 4008 | mediacreationtool (2).exe
  Token: SeBackupPrivilege | 3364 | SetupHost.Exe
  Token: SeRestorePrivilege | 3364 | SetupHost.Exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeBackupPrivilege | 3364 | SetupHost.Exe
  Token: SeRestorePrivilege | 3364 | SetupHost.Exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeDebugPrivilege | 4360 | DiagTrackRunner.exe
  Token: SeDebugPrivilege | 4360 | DiagTrackRunner.exe
  Token: SeDebugPrivilege | 4360 | DiagTrackRunner.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeBackupPrivilege | 4008 | mediacreationtool (2).exe
  Token: SeRestorePrivilege | 4008 | mediacreationtool (2).exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeShutdownPrivilege | 4120 | chrome.exe
  Token: SeCreatePagefilePrivilege | 4120 | chrome.exe
  Token: SeBackupPrivilege | 1904 | mediacreationtool.exe
  Token: SeRestorePrivilege | 1904 | mediacreationtool.exe
  Token: SeBackupPrivilege | 1904 | mediacreationtool.exe
  Token: SeRestorePrivilege | 1904 | mediacreationtool.exe
  Token: SeSecurityPrivilege | 1904 | mediacreationtool.exe
  Token: SeBackupPrivilege | 1840 | SetupHost.Exe
  Token: SeRestorePrivilege | 1840 | SetupHost.Exe
  Token: SeBackupPrivilege | 1840 | SetupHost.Exe
  Token: SeRestorePrivilege | 1840 | SetupHost.Exe
  Token: SeDebugPrivilege | 3840 | DiagTrackRunner.exe
- Suspicious use of FindShellTrayWindow (64 IoCs)
- Suspicious use of SendNotifyMessage (26 IoCs)
- Suspicious use of SetWindowsHookEx (9 IoCs)
  pid | Process
  3364 | SetupHost.Exe
  1904 | mediacreationtool.exe
  1904 | mediacreationtool.exe
  1840 | SetupHost.Exe
  4780 | mediacreationtool.exe
  4196 | mediacreationtool.exe
  4196 | mediacreationtool.exe
  4456 | MiniSearchHost.exe
  2428 | mediacreationtool.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
- System policy modification (1 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection | DiagTrackRunner.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection | DiagTrackRunner.exe
Processes
- mediacreationtool (2).exe (PID 4008)
  Command line: "C:\Users\Admin\AppData\Local\Temp\mediacreationtool (2).exe"
  Signatures:
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  Children:
    - SetupHost.Exe (PID 3364)
      Command line: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
      Signatures:
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks system information in the registry
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        - NTFS ADS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
      Children:
        - DiagTrackRunner.exe (PID 4360)
          Command line: C:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly
          Signatures:
            - Executes dropped EXE
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - System policy modification
- vdsldr.exe (PID 3184)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- chrome.exe (PID 4120)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Signatures:
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  Children:
    - chrome.exe (PID 4040)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80155cc40,0x7ff80155cc4c,0x7ff80155cc58
    - chrome.exe (PID 2896)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1724,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1716 /prefetch:2
    - chrome.exe (PID 2900)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2080,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
    - chrome.exe (PID 740)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:8
    - chrome.exe (PID 1512)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
    - chrome.exe (PID 1160)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3260 /prefetch:1
    - chrome.exe (PID 4156)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4400 /prefetch:1
    - chrome.exe (PID 1156)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4736,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4744 /prefetch:8
    - chrome.exe (PID 2516)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4916,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:8
    - chrome.exe (PID 3368)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4948 /prefetch:8
    - chrome.exe (PID 4820)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4908,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5104 /prefetch:8
    - chrome.exe (PID 3392)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5224,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5232 /prefetch:8
    - chrome.exe (PID 2968)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4460,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5220 /prefetch:8
    - chrome.exe (PID 1428)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5340,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5316 /prefetch:2
    - chrome.exe (PID 840)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4880,i,6754390799558892930,4952847605324086042,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5484 /prefetch:1
- elevation_service.exe (PID 2020)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- svchost.exe (PID 4884)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
- vdsldr.exe (PID 2980)
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- msedge.exe (PID 4036)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
  Signatures:
    - Enumerates system info in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Children:
    - msedge.exe (PID 1016)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8013d3cb8,0x7ff8013d3cc8,0x7ff8013d3cd8
    - msedge.exe (PID 1568)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
    - msedge.exe (PID 932)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2092 /prefetch:3
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
    - msedge.exe (PID 4704)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
    - msedge.exe (PID 3140)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    - msedge.exe (PID 248)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
    - msedge.exe (PID 4172)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
    - msedge.exe (PID 3184)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
    - msedge.exe (PID 2376)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3412 /prefetch:8
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
    - identity_helper.exe (PID 3672)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4920 /prefetch:8
      Signatures:
        - Suspicious behavior: EnumeratesProcesses
    - msedge.exe (PID 740)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
    - msedge.exe (PID 2640)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    - msedge.exe (PID 1128)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
    - msedge.exe (PID 2480)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:12⤵PID:4692
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:12⤵PID:1512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:12⤵PID:3816
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:12⤵PID:2512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:12⤵PID:1432
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:12⤵PID:5096
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:12⤵PID:3964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:12⤵PID:4524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6152 /prefetch:82⤵PID:2524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6168 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2904
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:12⤵PID:1916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:12⤵PID:908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6668 /prefetch:82⤵PID:3700
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7128 /prefetch:82⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3408
-
-
C:\Users\Admin\Downloads\mediacreationtool.exe"C:\Users\Admin\Downloads\mediacreationtool.exe"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1904 -
C:\$Windows.~WS\Sources\SetupHost.Exe"C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1840 -
C:\$Windows.~WS\Sources\DiagTrackRunner.exeC:\$Windows.~WS\Sources\DiagTrackRunner.exe /UploadEtlFilesOnly4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3840
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6976 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:1572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:12⤵PID:3988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:12⤵PID:2196
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2936 /prefetch:12⤵PID:4456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,749949789146367977,16718139913823153791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:12⤵PID:4404
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5040
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4192
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:1036
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵PID:3500
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3116
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.microsoft.com/windows1⤵PID:4132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8013d3cb8,0x7ff8013d3cc8,0x7ff8013d3cd82⤵PID:4756
-
-
C:\Users\Admin\Downloads\mediacreationtool.exe"C:\Users\Admin\Downloads\mediacreationtool.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4780
-
C:\Users\Admin\AppData\Local\Temp\Temp1_mediacreationtool.zip\mediacreationtool.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_mediacreationtool.zip\mediacreationtool.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4196
-
C:\Windows\System32\DataExchangeHost.exeC:\Windows\System32\DataExchangeHost.exe -Embedding1⤵PID:2720
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4456
-
C:\Users\Admin\Downloads\mediacreationtool.exe"C:\Users\Admin\Downloads\mediacreationtool.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2428
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
137KB
MD5acb297cc72322fb2b3d0f24b0c829b43
SHA1a434036186dde1bb2c2a8864ee71a9b3b20bab22
SHA25698c437d7f250778a7a5c38b885f7e1994f088ca210ec944e3300a2896488648e
SHA512e09807beed476aa5f28ef94015eac5330f75fb4e15e09c49f690381d656a4acd5c12b3350f1b30ea5e7e19e7218b6dcb0e48c6a611568b8ff00f04fb598deba2
-
Filesize
901KB
MD56c3f6a6bc5ede978e9dfe1acce386339
SHA13b7b51d762c593e92123f9365a896ed64ee26a7a
SHA256b55d66f2943f1c63ea9b39dae88aa2a4f91775cefffefd263bd302866a7bd91c
SHA5123f87064354a0f55f36aa272c5918d208b8a77fffb7965e9b50727c06fd8d8db5e6695636a7db37926fe444c91e4a4a7dc892ef5ef57676ba9515216d5e5f94ff
-
Filesize
77KB
MD576f30a1e149792d2542a253b920cbef6
SHA19040e0873df5cc2a64b850d1b8159b77528ba62c
SHA256488cbc8330952dd13b797bb40e4e30610ed03483c25919c39555f7b334a3c159
SHA512ec39861a3f39f88aad52975974c988ae76376a09136d95f5d4fedd60ee7ec252736d882cef77298d82d786e0dad13c61148b29d7c5fb7ba7d7c74b05de9d7e84
-
Filesize
57KB
MD5ad667ce37e222222a71bf8da694bf012
SHA10d1fd0063a43f0c00126c626b9af25a6e66fb08b
SHA256255a4157c25da2db8a5e5a1505e3b7630be496316066aeb6e82f1ef671a21460
SHA51237807d8cdaafad7d7970d3b530784eda27573960446f32d25339d1a594390db291716d604c21cb4f26327ac94a9dc805d6c465d328a35bed4feb45caf50fea30
-
Filesize
3.7MB
MD55ff880b8888b3b2041fdf0ea70b432b0
SHA15705fb3a154e89761809ca447e5fbfac77e389eb
SHA256fd0000749c4f0bb62e7a1863a2c63d52a8e312722f4f534d48a75a4c6f799011
SHA51221abff0b9cfa637861062b0683435cbc07a528ed5235ebbc51a9b5c30e0912c148e6e5a9960a27a2a3f95f4af303356b61f68510a37d9ee7d4530c54828354e1
-
Filesize
192KB
MD58e351c1269f6e16ba989e21094e1b1b5
SHA119f212c34d17d71eb4480a866114119076740b32
SHA2568b8611fa7ccc94210aa37fbed8c4e3cbd57d0b41634ad52f7fc40076a2c7264d
SHA512bfd0a2e265a2d88b7a8206a7fc576c5c719d61dbcdcfb0da4f7a1371ea552a71ac26ef078fdde231b70d13f739019623357f67411a6f508bd4d7fa77d4db821e
-
Filesize
128KB
MD582084825c83720703d73ffdc24c4bf8d
SHA1bef7f5b1f2585448a14f372e11220ecb9b05afb2
SHA256145ff7e896c93914155e8cba8fe8212d5abe91d3ffe4478d102bbda10fc27bf3
SHA5128b13de9569cf9468a9eab093b28ef76e151e472195af04449c12c68a4a222647af1849e7ae18e07f2c5a3046344632034bef1bbb0876f3c90ad15859e49655bb
-
Filesize
199KB
MD5cd28b51516a9309b350607dc57faca76
SHA1c9f8e72f1184dac6ad40a94295a594a94b1e48c4
SHA2567fbf900fdd0eabe63def6c5b432b5d3ff51f8ec9af7d9e9ab3a9d7441d032c22
SHA5127c7cb19b814debcdd5a1717f2039492ef9fd018ddf5ff0647cfb13fcff550eb20f44960ce239033e8bef4bffc0d2668e9574f2aff3b4385606ab1aecc1e1de12
-
Filesize
460B
MD54f607776a1c8fd8d64bcd541502b36b4
SHA17a441983fc00acac6048e76a55110e1d32f3a750
SHA2567008dce109754e1b6b3f0c9d43c37271d69ca67ab581d11fb26a9abb49107f69
SHA512a07867b4c21649009779e6e4a94f6de5ab95c721ffef9d5dd44acf747012940325335ca24e91ae0e043eface05c7b551b43e20aae0ec46c2c709c47a88890516
-
Filesize
807KB
MD57647226025e2f1696a167d2a635aeeb2
SHA1410d51cc71fbb5c054fddc8a491938533917a656
SHA2568dbc67ea0c162517b55499b986946c55856610562a54fa6cbe851fe0fd865535
SHA51285a7bcaa201970cd6c3048838fa24b11903206d4205769a550857d9650bc84f512d89297ee58419db866ce69fe46ee4826ae72af1fa8ebacd1e63b9ff0e1392c
-
Filesize
2.5MB
MD549f73880545587129d0e76ff958ff421
SHA1758ee02c9a0b7e68a3fcb3ac2cd1a7b57c804b25
SHA256eb9d28baaab8cd902177e1db5c41975ceb926f56baa42876cd7b15410b320f22
SHA51213fbf6e2ed58772fbb34fbc823f9bf0c0175def1c925abb0db5e91003e186475b5970169dd050891909643537aa78df0ae18c997394b2be2826476f4ed29c35d
-
Filesize
697KB
MD5e4d5415ab31ed174ff7eaf707d006971
SHA115a624a55b71849f46ac1326fda1cbc3faca5ee8
SHA256f967f52583c71d6b7444e4bf3de31287f03f164f84ed56e3416c8b81a9c699d3
SHA512af8c31235955455ebc80e2a50e2bcad7589f9a075a08c0674b2f16f5e30cae3aee981ccfff50ab48b965cfb6c9ce4380402142d47b074b8dddb78f3dffa93e12
-
Filesize
895KB
MD58841dd93dd8cbc0104a0fa0be3ab276f
SHA106e3e4f198526a1cf670f8dbf9a16b9d07fec5c2
SHA256b25f86c8349de51bff360ce48a22b84056d4c35536037f443d304d2054ba8784
SHA51229c80526ff01d3d60243bac49f07bdd80c2f63aed1b1d2ba04ec79ae7bfe3f871aa8e88caa5cdb58bd5f36395c22a26b91b4be0f4d26ba301cd3e3d85905e681
-
Filesize
22KB
MD5cd678b1258ff4a0bc040084427934330
SHA162d06976e76081e76b6cbeb51d16b1416b7bbed6
SHA256602752bb1e5b1b0be45a187cea81362eba1010bac00b631d67081cfb6516d500
SHA512ca9c4be3e62fb92f4703b10f65e08b2045e52c781728b4757cd79e531edd5c3c468e1bc56edfd8f74bdf4b2d79d767c59dc18cc30c7e8515c89a1751c338b21d
-
Filesize
7.0MB
MD5199fc0a0977b155f6daf1fa88df565ae
SHA15b2c674b7213db1a66bd245c2fbf0827485af819
SHA25605ada1ec86d60c0a6bad54741d758a98f8c0d362f54f521f212d9e1f5cf81bd0
SHA5128dc11b297c224ce38d6cc350e18c5974a4d170e143ea2c1e1a7ab299dce440a78b449ab26626e2a2834c2cb5c1e2d2fe554ba76d7fecf2c21a9ac77bd1ab796d
-
Filesize
95B
MD5372c99091db217e258dd1fdb1aa6378a
SHA1e8fb4c1a7427359f939daf30619c53af6b3529ba
SHA256a53644e2cbd10e39afe1d14f7d9e0bb9a46052060210ada2bc34d522a7d4f3c0
SHA512eaff061b70106ef63647bd81ab780e16ec96c400264b98507af5f80d6d685eb05f078764a374d57b7e38bb2e84e08d8e7be0304666c72751d647b28732518b0b
-
Filesize
95B
MD5e13a79c22c8a2252e5c126ecce7eeebe
SHA19b3c35a11e7e9dfa18a59e7856f0261d20e438b6
SHA256a7a26b96076d2aab3297bd161522fe8cc250e35b902e4de1d24c1472229b9def
SHA5125dc489d36390d7331c351c93ac65dece4893e66cfb6699198291e87e33aaafb38e6bb00c33cab1ed3a35db57b94c86b0db9761feed8805e7323cbdce2f704486
-
Filesize
348KB
MD501419fed1286b656a8f7b4a17e751ad4
SHA193610a57188be9061fa24a57b7e2c7c7f8d2eacd
SHA256b729c87bd59af4d631538f080be29cb005fac00301212fd1719a33dd44632aae
SHA512fbd5dfdc6176a712ae4c1b908b573c1a544ee198420ff1a0fdac116c15c709004cba908d2d0746d77879fe803428b7307bbc6cc27431eb94d78341e46baa0ebe
-
Filesize
201KB
MD5c8e56f10d4fe40caa360d8ac5eb1e3d1
SHA12915ee618c77a2bce62f7dc2579fb8d792db1ff1
SHA256e83436e219af407cb1d725ca1bb5f3b390f42cc88ad7c2320e7fac1932ed9188
SHA512de023e42f067d29c28a554c18478bb2d3736d9380fcd2795890771f4060055de6d5b10dbe6da1ebdeaa49bfdf9c5226f57abf2070dfa36921dfddd36a9f92dde
-
Filesize
1.2MB
MD52b642417613dc061ca3003c831de3790
SHA1af556f999d146787e5cdf3bea98e419bfe778b56
SHA256e77f50022caa3c9805774fb078454b68b0692f1bbf96216d3af93e3501c688bd
SHA5126738612ab25c3e69b9c825fc299d36098aec4a9725b85c9dd5dee6dcad5b09328e3aee115d2b693492d2f1a65fd3758e913d684ef1a4f1775869bbbfc66ce90e
-
Filesize
112KB
MD5983de88fca9e5ffe647cb60e7aead3f8
SHA146b7f455d8641b0c9d90ce7ce41dba9b944f8ca2
SHA256bdbc66e911bb95b9ccc8c7d4ad74a5c5a050cce6d26f278a9e758768b2ad5f7e
SHA5121cd15970f33c6d5af0b6860cac82bc11991cecd28eba1712d4ba2a9b445099a378ea5e4429d4702c013e747c678df0970df02ffac900e9781dda3dc989e775f8
-
Filesize
226KB
MD55a71c3e7ac88b90aa793fe0556bbe59b
SHA124a345576d252184d831ff463facadfb6abf1692
SHA256c90e2e02256f59ad4cec7e16d0c519005a4fcdd6a78470a96bd9205f69d4dae3
SHA512f42b7220e347124e3e4c6f08ca0c30c97859ce0057227b1f12be055baace1d152e14793f814dccdf178a063658a23f1be030771bcf973c5580521fb98b91d635
-
Filesize
294KB
MD58bdcd3a20ae0f8d18f5ef55dc8658dc3
SHA19460f616a186ca91dd877dcf0dfffa2038f5b41a
SHA2562282903acd07406e998343cabba123b58822d86c3ad53edb6caed3b4d155a793
SHA512a3ed7f723206d6809958248064dadc657408a7d57e0cd2f06000559b96c0e252b3a11684aba4d4d9a762372652caef6dd17055b59d1d7aa407c3d4dda2926a8c
-
Filesize
859KB
MD576c5abfe6d7ad6f85c6c2c08f3f6d487
SHA1701df3c07adffd62d35aa6668d46fb50ab37f617
SHA2569c5b71b3e4d82d301ba36b6f3d94ffce6fbce393dbf1636bd07bb2a06a090783
SHA5120bf29c30af247fccfedfe00a0c2c494fce16023e92d707a238daceedbc9c06e2e911a2168cf5fa656acfd9b01dff3abec4f330e23056a5fc105798da6e221522
-
Filesize
637KB
MD5890f414006b7b1027275fd72acf29d11
SHA1f1436472ab575cdd393429349da95e7e4cfba53e
SHA256a8e446dce8ab21c8efb42c9c98c1d695d82e1800486e7eb63996d0085fc7b681
SHA512dda752eb2a947c779bb682e7adb26c09c54664afd216fd2b5650ea4a8d8493fde5b34b69ab54335ca9b40f30ede66a89ace008aa65d6c411e7e95dee791b9e03
-
Filesize
28KB
MD59c068bc050d124d83e41f0a2d1289a5f
SHA17a7631f5494a1551cf21692532b6f23e9ea8271e
SHA2562201bccdfb68908ea5e9d543d32e1bac1bf2ee9ed7cdd05c1b50478a7d2db36c
SHA51275c9e31f392a901f2feb56d22ef40ff9b0b140cd643e76397685198731635ff3f0afb933926700237c364e924a979c39cc62cae69fc842f3ed733541def6bf0d
-
Filesize
1.7MB
MD5422836153cffe91fbe766a551b5c144c
SHA1274507329a6714ae93e673a9e4be6295588cd069
SHA2562145715a5e7b2698b84e72b0a9f7b847803977d76e4d1bf13528e1bf0c271653
SHA512b9d3463bdf2d92adb0333bec7a4bf02bbf315881430e007cb2463030776db3b9525b7bcc42da7d50604484206f1b06e5024d9a50e7f93ab3f754ccccce191a18
-
Filesize
165KB
MD5fec4e0ade7809898c1e5e47dfd4e272c
SHA1687560baed6ad7a45f47f78cea3a3e203e5f4854
SHA256c1bd94487e3d4f331ebc6614ab04409639aeb223939224dbd3f8bcd1337c955b
SHA512c1d57084be78ed00bcf21a0ee673b060897ebeb4be9c3a71bbb7545e35e304850a3c882aa021c10e2ac8d902037ec1c486437a5e98b5ae91cd58674252076b60
-
Filesize
808KB
MD5598878bda0cd9cd4c9e45813ee15a660
SHA15c92b6675ef1a3fe6c0a154d5d97b36e03719392
SHA2569e8e14aafecd40f1ec955be958a39906dd508f9678bf15a73c8478967c209dd8
SHA512a0ccf747591c3ecb4e49e3300fa0c5d31a1220d4a7e19a7b4886431d1f59fa18b9b279fde6021692c246fb654448ffe6ca1603f536a09582ac857cc5b9b72949
-
Filesize
30KB
MD54de8526a7473c40fd5d09f8f3e9acbc0
SHA1c9bc9d2bfae9f8bd134bf1d016165fb8682fa214
SHA256ba7d7bc704fd3250ed35e449eae366c168e76b7636dbd1889b958aa123642074
SHA512b8b2df94c015aa8b6f35713ae5666479f050090668f69958256e01bdd1b908582d83b7c646eefa0702b152c4364becc0296a1498e4e2283950cfe6289550a1a0
-
Filesize
238KB
MD5f8eb9622154b98ad11416bbfe7ca2542
SHA15e7f8b6657c071b35b3b3daa29d7f0f0c621edcd
SHA2560f86bec1966f94e261bf0232b6c2499b1fd546d90c0c80c3be075b5df8ba566b
SHA5122a671b85a3ed219d4fd1e017fb268a52eae5f9905d82ecf22e91efc7876f75cc574c9b2340cfb758df552ab3d2d78f1e00a2bcc56c644468603646562d2fcc27
-
Filesize
676KB
MD527bd588cd3b091344e024fb6872fe6c8
SHA114ab86dffa0db393b76f7f17ab7e6f7e091cd9b5
SHA256da779496765d62bea7957de515f425c0f83cac12a5fd8b1272b2e18296cbe119
SHA512840bb79349de33afbf8b20caaa2fbd7908e4f632bf6cfad3fd5e5baa79c18c863b7398e698374480b6b93fa126fd0fc9d0f86b9b93d7a12bd7b28f64b6905695
-
Filesize
1.1MB
MD58a9fae3d0884aba527273a5074077fad
SHA13958652c95e6bdcfec47ddffdbc8d5a5c796a380
SHA256358027eabf6e5d58a78efb96753a9aa1e758d996ee56b4ae5a832974801755ae
SHA51234be7636bd9fb035d84a614a1b05dee236bbb5ae0556c6a16589f04550d69a89435fcaf1be21d61b5f408d5c692473793bfe3f7ba6380849f9fb838e3c1136fd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize328B
MD5db881a63036e1e766d79ddd2461dae42
SHA163d943a4971bcad6e3ba47b43988ec4eb7d4339d
SHA2565448197d87905c4317b60ca9dcd23c1464cd4723a72414837f43ab884f507a77
SHA51264c9c870991e6c46a54328b2784aee889fc0df661407eea0dfda6b8474319ded12e1602e8dd349d900052ecbe1958f0475c81f7f0dad9b555babd662f10f4fe9
-
Filesize
649B
MD51f865578293a4404452ee5b1fc68a96c
SHA19559a47a85d33fc8e0f87b9deb5c3e2a9469852f
SHA2564d6bdb6fdd473902f2c9d9a436bf44e186dedfc39d3bd5291e810c839a8dc440
SHA512430921ba23be56c29364447b7ae52ba9d7eee706da94b5a27f1ebc608de11bc79aa486d68a5db5ca66149efff09acf8f1b4a80f95510b270921ff519e5619ed7
-
Filesize
215KB
MD5d79b35ccf8e6af6714eb612714349097
SHA1eb3ccc9ed29830df42f3fd129951cb8b791aaf98
SHA256c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365
SHA512f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a
-
Filesize
216B
MD5b71b874ca2110ae4108a0d568dc4ae7a
SHA1e247e645a779899d1c82ae632e8c9baffa28ce1f
SHA256ae876dfc3f17a1c1f96813159cc98380a304e9749462f541cc9aba5e2fdd1fd2
SHA512f87162f748a4a585fe625980b031c5936e725bff804f665b7660d01dbb4f2fff9c9f495054cbfb5639d36f02d68afc16196605a0793a983446c706026fb6c6a9
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json
Filesize851B
MD507ffbe5f24ca348723ff8c6c488abfb8
SHA16dc2851e39b2ee38f88cf5c35a90171dbea5b690
SHA2566895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c
SHA5127ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json
Filesize854B
MD54ec1df2da46182103d2ffc3b92d20ca5
SHA1fb9d1ba3710cf31a87165317c6edc110e98994ce
SHA2566c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6
SHA512939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d
-
Filesize
2KB
MD5dfdb03681684449cc067bed9c6c397a6
SHA1bb98ef87841830240d8c9b0e18ab0ec008fe3303
SHA256a8f361a0c6ec3b7a72193070dc6bb5b0914ee9a8a29c83f4ee9cdac22f4d5123
SHA51258c672a11c2ae035927eafa07c96d3a314dc9e7f751207b86bcc5d949e6df269a33342508e73daa72187b180e992658ea65ff478ea65acf20526c262f5ef8006
-
Filesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
356B
MD5fc483a198012e435da577464739120a8
SHA124235baa93951b94c9eb13224704d7eabee55d03
SHA25677123c57064f2a87fcc2c04cbe1b5dc83802681e6e5d9bb64e7ab1e7507c1858
SHA5120646975be38fef4d866ee93ee873ca27d0d02e4947301c3e1bee835e5d0fc95dbf220087d3fd74a4797ab469ce58e50107735eb71e5b731c8e8151b57e8d6bfa
-
Filesize
356B
MD5cdc09f09e2d774d8176754a0122185db
SHA136ea5e8e103797c3b972a4e97c2356d04dc8bc10
SHA2568a1b30965b72d86ad7efec812a760f9820ab0cc5ec05573d096de14d7f7f4978
SHA512a560d1437d563fd35cc7603b1b6ffd00fe8b63ddd76743d3fa7753027e25cdc954102aa013d1d19bda50b6d46c0535ffea3b159ccf228f6130c68748f9056a87
-
Filesize
9KB
MD598c2a7de17fa3a0c1bedc0b0e87645d7
SHA10948b3ff8cfde1590b2eaf63f4d9732b30056611
SHA256a17e69d4ff668d0d9b712297b608dcf340787c42df7d443eb6719bc407cbda97
SHA5121227caef89447b7e20d2ea4d445c8a84465412149c3057b18898ee96acb2d30b88ac35114e311978e65368acd7cd34712bbedcc4dae7a636bc0aab5fb4a565e1
-
Filesize
9KB
MD500dc315af28ec8dd66c6544ee15564e5
SHA15be7dd8dd916cf59cf3e9e0ceb0f06603a7fbd08
SHA2568d57bfad8d777513f107d8b612d806e0a3961a9eed630ae76c17e795b1a93713
SHA512a0f0e227c505f38dd3437acadad955b01cbee3b0631e120fc20237ff391ed62740d4cc5f8fb2abb25527b9351c0f79df066caca17ce1a3e7aae9e6ffc5fc9552
-
Filesize
15KB
MD572699efac6bf4749415a71ce45395bbe
SHA1d6963db87ea7209ef36c8fc539ce359a802b2b7e
SHA256fa7571cf3fd74318fd2390bc409d1923507200d28546e37789f08c3ada419b6b
SHA512945c6ecaa69553059c8e82bf061698362b9f039d828bafeba19dabedb9518073111be72ca8cae4fe5da0b40a9128a678fdd56cf3b797ab6b12dd86d0f4c708fd
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize72B