Analysis
max time kernel: 145s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24/01/2025, 15:05
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/LavaGang/MelonLoader
Resource: win10v2004-20241007-en
General
Target: https://github.com/LavaGang/MelonLoader
Malware Config
Signatures
Downloads MZ/PE file 2 IoCs
flow | pid | Process
174 | 836 | msedge.exe
37 | 836 | msedge.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | windowsdesktop-runtime-6.0.36-win-x64.exe
Executes dropped EXE 9 IoCs
pid | Process
5088 | MelonLoader.Installer.exe
3504 | MelonLoader.Installer.exe
4664 | MelonLoader.Installer.exe
1680 | MelonLoader.Installer.exe
4472 | MelonLoader.Installer.exe
2720 | MelonLoader.Installer.exe
400 | windowsdesktop-runtime-6.0.36-win-x64.exe
4760 | windowsdesktop-runtime-6.0.36-win-x64.exe
4416 | windowsdesktop-runtime-6.0.36-win-x64.exe
Loads dropped DLL 21 IoCs
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{0532b8f2-12d7-43de-95fc-7b87006758a8} = "\"C:\\ProgramData\\Package Cache\\{0532b8f2-12d7-43de-95fc-7b87006758a8}\\windowsdesktop-runtime-6.0.36-win-x64.exe\" /burn.runonce" | windowsdesktop-runtime-6.0.36-win-x64.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
flow | ioc
38 | raw.githubusercontent.com
39 | camo.githubusercontent.com
40 | camo.githubusercontent.com
41 | camo.githubusercontent.com
42 | camo.githubusercontent.com
32 | raw.githubusercontent.com
35 | camo.githubusercontent.com
37 | raw.githubusercontent.com
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 50 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies data under HKEY_USERS 17 IoCs
Modifies registry class 64 IoCs
NTFS ADS 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 300279.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 726974.crdownload:SmartScreen | msedge.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
| Privilege | PID | Process |
| --- | --- | --- |
| SeDebugPrivilege | 3504 | MelonLoader.Installer.exe |
| SeDebugPrivilege | 4664 | MelonLoader.Installer.exe |
| SeDebugPrivilege | 1680 | MelonLoader.Installer.exe |
| SeDebugPrivilege | 4472 | MelonLoader.Installer.exe |
| SeDebugPrivilege | 2720 | MelonLoader.Installer.exe |
| SeDebugPrivilege | 5088 | MelonLoader.Installer.exe |
| SeShutdownPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeIncreaseQuotaPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeSecurityPrivilege | 2116 | msiexec.exe |
| SeCreateTokenPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeAssignPrimaryTokenPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeLockMemoryPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeIncreaseQuotaPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeMachineAccountPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeTcbPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeSecurityPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeTakeOwnershipPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeLoadDriverPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeSystemProfilePrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeSystemtimePrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeProfSingleProcessPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeIncBasePriorityPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeCreatePagefilePrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeCreatePermanentPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeBackupPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeRestorePrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeShutdownPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeDebugPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeAuditPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeSystemEnvironmentPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeChangeNotifyPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeRemoteShutdownPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeUndockPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeSyncAgentPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeEnableDelegationPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeManageVolumePrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeImpersonatePrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeCreateGlobalPrivilege | 4416 | windowsdesktop-runtime-6.0.36-win-x64.exe |
| SeRestorePrivilege | 2116 | msiexec.exe |
| SeTakeOwnershipPrivilege | 2116 | msiexec.exe |
| SeRestorePrivilege | 2116 | msiexec.exe |
| SeTakeOwnershipPrivilege | 2116 | msiexec.exe |
| SeRestorePrivilege | 2116 | msiexec.exe |
| SeTakeOwnershipPrivilege | 2116 | msiexec.exe |
| SeRestorePrivilege | 2116 | msiexec.exe |
| SeTakeOwnershipPrivilege | 2116 | msiexec.exe |
| SeRestorePrivilege | 2116 | msiexec.exe |
| SeTakeOwnershipPrivilege | 2116 | msiexec.exe |
| SeRestorePrivilege | 2116 | msiexec.exe |
| SeTakeOwnershipPrivilege | 2116 | msiexec.exe |
| SeRestorePrivilege | 2116 | msiexec.exe |
| SeTakeOwnershipPrivilege | 2116 | msiexec.exe |
| SeRestorePrivilege | 2116 | msiexec.exe |
| SeTakeOwnershipPrivilege | 2116 | msiexec.exe |
| SeRestorePrivilege | 2116 | msiexec.exe |
| SeTakeOwnershipPrivilege | 2116 | msiexec.exe |
| SeRestorePrivilege | 2116 | msiexec.exe |
| SeTakeOwnershipPrivilege | 2116 | msiexec.exe |
| SeRestorePrivilege | 2116 | msiexec.exe |
| SeTakeOwnershipPrivilege | 2116 | msiexec.exe |
| SeRestorePrivilege | 2116 | msiexec.exe |
| SeTakeOwnershipPrivilege | 2116 | msiexec.exe |
| SeRestorePrivilege | 2116 | msiexec.exe |
| SeTakeOwnershipPrivilege | 2116 | msiexec.exe |
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe -
Suspicious use of SendNotifyMessage 26 IoCs
pid Process 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe 1332 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5088 MelonLoader.Installer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
| Description | PID | Process | Target PID |
| --- | --- | --- | --- |
| PID 1332 wrote to memory of 2536 | 1332 | msedge.exe | 83 |
| PID 1332 wrote to memory of 2536 | 1332 | msedge.exe | 83 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 4728 | 1332 | msedge.exe | 84 |
| PID 1332 wrote to memory of 836 | 1332 | msedge.exe | 85 |
| PID 1332 wrote to memory of 836 | 1332 | msedge.exe | 85 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
| PID 1332 wrote to memory of 2872 | 1332 | msedge.exe | 86 |
Processes

Process tree (nesting shows parent/child relationship; each entry gives the PID, the full command line, and the signatures that fired on that process):

- PID 1332: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/LavaGang/MelonLoader
  Signatures: Enumerates system info in registry; NTFS ADS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - PID 2536: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae5c746f8,0x7ffae5c74708,0x7ffae5c74718
  - PID 4728: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  - PID 836: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
    Signatures: Downloads MZ/PE file; Suspicious behavior: EnumeratesProcesses
  - PID 2872: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  - PID 1476: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  - PID 636: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  - PID 3332: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  - PID 220: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 860: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  - PID 536: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  - PID 1340: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
  - PID 932: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  - PID 1964: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1688 /prefetch:1
  - PID 1976: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  - PID 5088: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
  - PID 1116: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  - PID 1680: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1804 /prefetch:8
  - PID 3852: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6092 /prefetch:8
  - PID 4032: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  - PID 1648: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2376 /prefetch:1
  - PID 4964: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6492 /prefetch:8
  - PID 2092: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 948: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6576 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - PID 5088: "C:\Users\Admin\Downloads\MelonLoader.Installer.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - PID 3504: "C:\Users\Admin\Downloads\MelonLoader.Installer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - PID 4664: "C:\Users\Admin\Downloads\MelonLoader.Installer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - PID 1680: "C:\Users\Admin\Downloads\MelonLoader.Installer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - PID 4472: "C:\Users\Admin\Downloads\MelonLoader.Installer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - PID 2720: "C:\Users\Admin\Downloads\MelonLoader.Installer.exe"
    Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  - PID 400: "C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.36-win-x64.exe"
    Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - PID 4760: "C:\Windows\Temp\{37D7BC9B-761B-4F45-A587-80E0C3243DA6}\.cr\windowsdesktop-runtime-6.0.36-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\windowsdesktop-runtime-6.0.36-win-x64.exe" -burn.filehandle.attached=716 -burn.filehandle.self=720
      Signatures: Checks computer location settings; Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
      - PID 4416: "C:\Windows\Temp\{91B17466-28C9-4795-8252-F88E8DCC0F63}\.be\windowsdesktop-runtime-6.0.36-win-x64.exe" -q -burn.elevated BurnPipe.{F0BA04B0-571C-4838-AA01-D6E7F947580D} {F0E44A03-B64B-4FC2-A371-4856D8C717C3} 4760
        Signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of AdjustPrivilegeToken
        - PID 2720: "C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={0532b8f2-12d7-43de-95fc-7b87006758a8} -burn.filehandle.self=1204 -burn.embedded BurnPipe.{73DC4C56-2CAF-4B28-A3BA-802D014F9D72} {90AE9664-B5C2-4FD2-88AF-4CCD793C44F2} 4416
          Signatures: System Location Discovery: System Language Discovery
          - PID 3868: "C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={0532b8f2-12d7-43de-95fc-7b87006758a8} -burn.filehandle.self=1204 -burn.embedded BurnPipe.{73DC4C56-2CAF-4B28-A3BA-802D014F9D72} {90AE9664-B5C2-4FD2-88AF-4CCD793C44F2} 4416
            Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
            - PID 636: "C:\ProgramData\Package Cache\{d87ae0f4-64a6-4b94-859a-530b9c313c27}\windowsdesktop-runtime-6.0.27-win-x64.exe" -q -burn.elevated BurnPipe.{8302B99D-B776-4222-9C58-C544B69C20EF} {8BC7C641-3BED-4CB9-8565-EAF5202F81B2} 3868
              Signatures: System Location Discovery: System Language Discovery; Modifies registry class
  - PID 2708: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,18083607502221897981,3369204020166763518,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5864 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- PID 964: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 5084: C:\Windows\System32\CompPkgSrv.exe -Embedding
- PID 2116: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - PID 2484: C:\Windows\syswow64\MsiExec.exe -Embedding 8FFB43F61151568F36D6FE9C292B799C
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - PID 3344: C:\Windows\syswow64\MsiExec.exe -Embedding 48E74BD22F856C26D841403019DA8D80
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - PID 2164: C:\Windows\syswow64\MsiExec.exe -Embedding E7EECD286DF88ABDD7EE88EAC8423D23
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - PID 4396: C:\Windows\syswow64\MsiExec.exe -Embedding 1EA22054F36B018D20BB7FEDFEC3E588
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - PID 2328: C:\Windows\syswow64\MsiExec.exe -Embedding DC0D745FC819522EB7B8B8F1F75D0556
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - PID 1480: C:\Windows\syswow64\MsiExec.exe -Embedding 089829A33336FC0AECAB1AE93DBF5BBE
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - PID 5052: C:\Windows\syswow64\MsiExec.exe -Embedding C166474C805444D0DC4D9A94597F37A8
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
Downloads
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD593423486fbae641bbbdfd211fe1f7da8
SHA1c8ce4d691704053e85d5f22c44c970a844612662
SHA2569bb1a1651f597fa47b9080e97f76c04699efc5fd6fa62e28f059b8ce897411e1
SHA512f235c8e711f440ad7213934597aa3a8904e4714404eb2ceae5d1bb1dd19ca8f9248ca0d478510296262f1733c3901ebd3be9570605ccfd054f7714c69c336512
-
Filesize
11KB
MD563f518fe39c4b31d5c682de6088c6624
SHA19e044cfa0f0ad81d45bdb06e2e9d39d295dd0fd4
SHA256cc25610e705eacc61dfabdcae850c0e2ff18b968a85e8b1636bf8ff282a0396a
SHA51290eb792b79e8257db4cae823d25456feca38545d47a4505838bfd65832ff9761f205d9c394a4e5ee38905d168ebf3f3519827cd99b172c3aefcaa86939041438
-
C:\Users\Admin\AppData\Local\Temp\.net\MelonLoader.Installer\hEYxuaudiObilNWrVJ_aBiyhrmvEhuw=\av_libglesv2.dll
Filesize4.2MB
MD50c6d7ef9f90b40fe51e67a2ff9f38244
SHA1d6cbf5d5b9957028d75d2456f1209b2454072367
SHA256caff1be1faee32f7c5bfba9162ee617c347aad40772caa9a1aff794e3a191420
SHA512b4cf85ea6be1c8528bfa6126a81faf44132b6978a07cf01af729f68807c7db6ae16fe71eb74135c9db9fe7696094d89330a94217c953b2ee5cce9be4a4e33373
-
C:\Users\Admin\AppData\Local\Temp\.net\MelonLoader.Installer\hEYxuaudiObilNWrVJ_aBiyhrmvEhuw=\libHarfBuzzSharp.dll
Filesize1.5MB
MD5c22de44419d1a1f1aa059f451fc59016
SHA1cff7fc6071b8ccfbaea2ad922071f243d265afea
SHA256ef5923ef4cdc8612c1825b294174b5b8cc8a056ed0f06b58db56aabc56aaae12
SHA51212f93c7d4548c1c20288d9fd1b2b1b3dd0dec7c1a0c9b12f7f2c1b8045cfbbbd1256e39112f7296c83f93bc6c8fad45390384cc80087edeff46e9d125e3bcbba
-
C:\Users\Admin\AppData\Local\Temp\.net\MelonLoader.Installer\hEYxuaudiObilNWrVJ_aBiyhrmvEhuw=\libSkiaSharp.dll
Filesize9.0MB
MD526d723bd75b5c6591dfde18b71281920
SHA147c05d42af2968f83877bb9cbf744c938489f466
SHA2562ca940b7c4621ecd27d2f07c5f46fafa0375f493692cd4e6e1e66c07fbc8109a
SHA51290bbdd48588616177354402b91a3fac363f8eb7959af570e6cee1174eeab950077b71ed47645262daf0957ced5b90b3aa5a7146a5d04d52b5c7975a5d31c5ef7
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.36_(x64)_20250124150723_000_dotnet_runtime_6.0.36_win_x64.msi.log
Filesize3KB
MD5efa844d8ebdc62c7cd37dc31e36f7a61
SHA166ca2627aa898b1d9217edbad5497da80722a793
SHA2569032c1a10b4572c65634022ad0a5960730a840d8ccdf8f59e87bcb9e3eebfa62
SHA512f8765c4b62101657651d9cf2e52b74643f9eeee1981eebf9abf721f99f304569753783c224a313a4762d68265e56b396d997a8a2ab44ee6907112894fcf5327c
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.36_(x64)_20250124150723_001_dotnet_hostfxr_6.0.36_win_x64.msi.log
Filesize2KB
MD5967eb45e8a5ab77c07055f0e880edc18
SHA141a6a9910217f7c8edb41a86223788a15610424f
SHA25675a9cf1b0678fcc58f55656f7d46ae791f183032f905a535b414a4ea626864d9
SHA5129698e808c406cb05a9403e3a77f3c2f8c32e9f8a9a9381f8c7ed4ab34c511e5eb2c0a717ec1dc42e545b05b230d44e719690cdd43820b611b69b5ac66351fc7a
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.36_(x64)_20250124150723_002_dotnet_host_6.0.36_win_x64.msi.log
Filesize2KB
MD5b6c3ee5e4449ef3e4bd21840dfb65e12
SHA1d7935b578eca824c133533a9272ff2fbb16d5322
SHA2566713d87897aaa2aa5178b5c5cff589f3f8f31f854add39a0cd1e1b62359a5039
SHA512ab0747a5314c278d64ff3a8e00ddff1d70228db8f27f69179d9619e7205aa3889a5c888123467cb037dfccc6f40f981b85f67adec2264f5f3f6cb635fcf3cf60
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.36_(x64)_20250124150723_003_windowsdesktop_runtime_6.0.36_win_x64.msi.log
Filesize2KB
MD58e2cb05f347e68f8936da7c2fdefff9f
SHA168bbd326c350df0c82e0f7619d457609b30424c7
SHA25656bc75e6f2691d72f6fd966fc839774189a491ea27628a4475a6451e2a6e2fde
SHA51284070fdb8ee20699ad1f4f2690d60faae5c23b36bd107d8ecef9861647b8566322c879f8907d6b6f8ca9acf16e832fae27a1090a58514b0751af2b56d3920246
-
Filesize
20.6MB
MD5fa6e6f8538a820b802884e713f80a677
SHA1ed7f96d61b80cdc96d1a6afe30dac4907210dff7
SHA256a32f508050dbda03f7de9f1f3dd1ae400135e9ddf03956edb9af3464ceed3f8f
SHA512ec2414b34855fe6f5294bcf49e4b2981592c0d4257abce7c073360a240da1d7ec070f36d9f8747223fdb8cacf2dfbd556bc59a563111152732685c2e8004b364
-
Filesize
219KB
MD5928f4b0fc68501395f93ad524a36148c
SHA1084590b18957ca45b4a0d4576d1cc72966c3ea10
SHA2562bf33a9b9980e44d21d48f04cc6ac4eed4c68f207bd5990b7d3254a310b944ae
SHA5127f2163f651693f9b73a67e90b5c820af060a23502667a5c32c3beb2d6b043f5459f22d61072a744089d622c05502d80f7485e0f86eb6d565ff711d5680512372
-
Filesize
225KB
MD5d711da8a6487aea301e05003f327879f
SHA1548d3779ed3ab7309328f174bfb18d7768d27747
SHA2563d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681
-
C:\Windows\Temp\{37D7BC9B-761B-4F45-A587-80E0C3243DA6}\.cr\windowsdesktop-runtime-6.0.36-win-x64.exe
Filesize608KB
MD5d73468bae3dee29164dd9f7fb0ed49cd
SHA1a1eb8fbe9916008d3948ec64b407600b40cc958c
SHA2569b8b7390579a87b3f6a1370a31c92ebdcbbf0d43a4007ee6f66f3c1887681b15
SHA51205c74c09489ac104b9c8e35e339561a0c09687f1b57caceea23c4dc4d199f9bc2e3941e9530a0b8ce0d9ed131892d86a48dbefce6841748d110f2745ac3341c7
-
Filesize
4KB
MD59eb0320dfbf2bd541e6a55c01ddc9f20
SHA1eb282a66d29594346531b1ff886d455e1dcd6d99
SHA2569095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA5129ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
Filesize
190KB
MD5f1919c6bd85d7a78a70c228a5b227fbe
SHA171647ebf4e7bed3bc1663d520419ac550fe630ff
SHA256dcea15f3710822ffc262e62ec04cc7bbbf0f33f5d1a853609fbfb65cb6a45640
SHA512c7ff9b19c9bf320454a240c6abbc382950176a6befce05ea73150eeb0085d0b6ed5b65b2dcb4b04621ef9cca1d5c4e59c6682b9c85d1d5845e5ce3e5eedfd2eb
-
Filesize
716KB
MD5155dae1ed3b7773cd86b6a68d45eaa35
SHA18b8934ba8ac23496a7a554c60e460491da3a54ed
SHA256f73830d5f64e7a920aef8ae2c101b3dea69a5feb47c10d1d6b2141235c4156ae
SHA512c1839de901084757da563b4b3c091b0851430102355e655e58bcc7a3324e78de908a30ad3aa5814a52f5ab46cf6f4c1ebe610d84b642554c2661bdc3d72b06bc
-
Filesize
780KB
MD59e06a7a66690f89aa724369b851904ec
SHA1e5e2441fd0a95fc6fa80ec2e2d4bcb451a9eacb6
SHA256ccb99abeb554c877236697168ad75bf6fb905c986ddbdb463a8e16cf430a1c0d
SHA512a9d9c7f4146ce5940b237462ef574c58edfc4ca8d4da6079df7cfe7738c869c48ec6619ba45d5275ad45d204be58e40976dbd28a4759058424d14711442e6f1b
-
Filesize
25.9MB
MD5ce601053890199872aee8f17e6149527
SHA104a99a97045d95f7814608e66ea735f19dda4420
SHA256db92e057f649d4804d3a758aedade71a3b63991ca318077d4340e47c4bdba8e7
SHA5126d352a77eeac9bb01d19a115951f9c11ab2285f18739c3861c941353bb63b9f4c418e590eed81762de39c5f1d634dbad274a778fd53df90e29ea919d5fa5bef9
-
Filesize
28.4MB
MD5344ffd985baf47c368a9c9b56f9625fd
SHA11855382370544728829c5a87e690dc3a674b1df7
SHA256c463d23e60c2169da0e10d1cfb097d2ae27f25102ac55d4589069bbe2c4a2276
SHA512c086fedc2bffb94a3cc68ec70bcda8a2ba528c19f394f002ef7b2a49529407915c0e405a70527b63671b89dfe74ba53e8129739d74009d66143da8bda75e852a
-
Filesize
5KB
MD5d5070cb3387a0a22b7046ae5ab53f371
SHA1bc9da146a42bbf9496de059ac576869004702a97
SHA25681a68046b06e09385be8449373e7ceb9e79f7724c3cf11f0b18a4489a8d4926a
SHA5128fcf621fb9ce74725c3712e06e5b37b619145078491e828c6069e153359de3bd5486663b1fa6f3bcf1c994d5c556b9964ea1a1355100a634a6c700ef37d381e3