Analysis
max time kernel: 631s
max time network: 622s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-06-2024 15:03
Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://rebrand.ly/Rift-Latest
Resource: win10v2004-20240611-en
General
Target: https://rebrand.ly/Rift-Latest
Malware Config
Signatures
Suspicious use of NtCreateProcessExOtherParentProcess 6 IoCs
Processes:
description | pid | process | target process
PID 892 created 5712 | 892 | taskmgr.exe | Rift.exe
PID 892 created 5712 | 892 | taskmgr.exe | Rift.exe
PID 892 created 5712 | 892 | taskmgr.exe | Rift.exe
PID 892 created 5712 | 892 | taskmgr.exe | Rift.exe
PID 892 created 5712 | 892 | taskmgr.exe | Rift.exe
PID 892 created 5712 | 892 | taskmgr.exe | Rift.exe
Downloads MZ/PE file
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" | MicrosoftEdgeUpdate.exe
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | dotnet-sdk-3.1.417-win-x64.exe
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE 37 IoCs
Processes:
pid | process
5556 | dotnet-sdk-3.1.417-win-x64.exe
5196 | dotnet-sdk-3.1.417-win-x64.exe
5172 | dotnet-sdk-3.1.417-win-x64.exe
5904 | Rift.exe
5712 | Rift.exe
32 | msedgewebview2.exe
1368 | msedgewebview2.exe
4432 | msedgewebview2.exe
1268 | MicrosoftEdgeWebview2Setup.exe
4524 | MicrosoftEdgeUpdate.exe
6000 | MicrosoftEdgeWebview2Setup.exe
1752 | MicrosoftEdgeUpdate.exe
4868 | MicrosoftEdgeUpdate.exe
5388 | MicrosoftEdgeUpdateComRegisterShell64.exe
2792 | MicrosoftEdgeUpdateComRegisterShell64.exe
5512 | MicrosoftEdgeUpdateComRegisterShell64.exe
2468 | MicrosoftEdgeUpdate.exe
3092 | MicrosoftEdgeUpdate.exe
540 | MicrosoftEdgeUpdate.exe
4976 | MicrosoftEdgeUpdate.exe
4772 | MicrosoftEdgeUpdate.exe
1036 | MicrosoftEdgeUpdate.exe
5772 | MicrosoftEdgeUpdate.exe
5484 | MicrosoftEdgeUpdate.exe
4924 | MicrosoftEdgeUpdate.exe
4928 | MicrosoftEdge_X64_126.0.2592.68.exe
5436 | setup.exe
5596 | setup.exe
5316 | MicrosoftEdgeUpdate.exe
5392 | MicrosoftEdge_X64_126.0.2592.68.exe
5452 | setup.exe
2496 | setup.exe
6028 | MicrosoftEdgeUpdate.exe
2568 | Rift.exe
1684 | Rift.exe
5848 | Rift.exe
5916 | Rift.exe
Loads dropped DLL 64 IoCs
Processes:
pid | process
5196 | dotnet-sdk-3.1.417-win-x64.exe
4608 | MsiExec.exe
4608 | MsiExec.exe
4940 | MsiExec.exe
4940 | MsiExec.exe
2236 | MsiExec.exe
2236 | MsiExec.exe
5692 | MsiExec.exe
1976 | MsiExec.exe
1976 | MsiExec.exe
6108 | MsiExec.exe
6108 | MsiExec.exe
5892 | MsiExec.exe
5892 | MsiExec.exe
5980 | MsiExec.exe
5980 | MsiExec.exe
5544 | MsiExec.exe
4220 | MsiExec.exe
4220 | MsiExec.exe
2168 | MsiExec.exe
684 | MsiExec.exe
5060 | dotnet.exe (this row is repeated for each of the remaining IoCs, 64 in total)
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{544cc8ed-e21c-4242-ab28-a1e70824f769} = "\"C:\\ProgramData\\Package Cache\\{544cc8ed-e21c-4242-ab28-a1e70824f769}\\dotnet-sdk-3.1.417-win-x64.exe\" /burn.runonce" | dotnet-sdk-3.1.417-win-x64.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Users\Admin\Videos\Captures\desktop.ini | svchost.exe
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
Checks system information in the registry 2 TTPs 18 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | MicrosoftEdgeUpdate.exe
Drops file in Program Files directory 64 IoCs
Processes:
msiexec.exeMicrosoftEdgeWebview2Setup.exesetup.exesetup.exedescription ioc process File created C:\Program Files\dotnet\sdk\3.1.417\it\Microsoft.DotNet.Configurer.resources.dll msiexec.exe File created C:\Program Files\dotnet\packs\NETStandard.Library.Ref\2.1.0\ref\netstandard2.1\System.Net.Ping.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.23\PresentationCore.dll msiexec.exe File created C:\Program Files (x86)\Microsoft\Temp\EUBDF8.tmp\msedgeupdateres_vi.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files\dotnet\sdk\3.1.417\Sdks\Microsoft.NET.Sdk.WindowsDesktop\tools\net472\es\PresentationBuildTasks.resources.dll msiexec.exe File created C:\Program Files (x86)\Microsoft\Temp\EUBDF8.tmp\msedgeupdateres_ms.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files\dotnet\sdk\3.1.417\FSharp\de\FSharp.Compiler.Private.resources.dll msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\Sdks\Microsoft.NET.Sdk.Razor\tools\netcoreapp3.0\Microsoft.CodeAnalysis.Razor.xml msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\DotnetTools\dotnet-user-secrets\3.1.23-servicing.22123.12\tools\netcoreapp3.1\any\assets\SecretManager.targets msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\zh-Hans\NuGet.Packaging.Core.resources.dll msiexec.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.68\learning_tools.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.68\Locales\nn.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\VisualElements\LogoBeta.png setup.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.23\System.Runtime.WindowsRuntime.UI.Xaml.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.23\ru\UIAutomationProvider.resources.dll msiexec.exe File created C:\Program Files 
(x86)\Microsoft\EdgeCore\126.0.2592.68\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll.sig setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.68\Locales\mi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\Locales\en-GB.pak setup.exe File created C:\Program Files\dotnet\sdk\3.1.417\Sdks\Microsoft.NET.Sdk.Razor\build\netstandard2.0\Microsoft.NET.Sdk.Razor.Component.targets msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\Sdks\Microsoft.NET.Sdk.Publish\packageIcon.png msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.68\VisualElements\LogoBeta.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\resources.pak setup.exe File created C:\Program Files\dotnet\sdk\3.1.417\DotnetTools\dotnet-user-secrets\3.1.23-servicing.22123.12\tools\netcoreapp3.1\any\Microsoft.Extensions.FileProviders.Abstractions.dll msiexec.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.68\Trust Protection Lists\Sigma\LICENSE setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.68\msvcp140_codecvt_ids.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.68\Locales\en-US.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.68\Trust Protection Lists\Sigma\Staging setup.exe File created C:\Program Files\dotnet\sdk\3.1.417\Sdks\Microsoft.NET.Sdk\targets\Microsoft.PackageDependencyResolution.targets msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\TestHost\ja\Microsoft.VisualStudio.TestPlatform.Common.resources.dll msiexec.exe File created C:\Program Files (x86)\Microsoft\Temp\EUBDF8.tmp\msedgeupdateres_uk.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program 
Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Runtime.Serialization.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\3.1.23\pl\System.Windows.Input.Manipulations.resources.dll msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.68\wns_push_client.dll setup.exe File created C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Threading.Thread.xml msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\zh-Hans\NuGet.Frameworks.resources.dll msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\Sdks\NuGet.Build.Tasks.Pack\CoreCLR\cs\NuGet.Build.Tasks.Pack.resources.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.23\System.Xml.Serialization.dll msiexec.exe File created C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Security.Claims.xml msiexec.exe File created C:\Program Files\dotnet\packs\Microsoft.WindowsDesktop.App.Ref\3.1.0\ref\netcoreapp3.1\System.IO.FileSystem.AccessControl.xml msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\Sdks\Microsoft.NET.Sdk.Razor\tools\netcoreapp3.0\tr\Microsoft.CodeAnalysis.resources.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.23\.version msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.23\System.ComponentModel.EventBasedAsync.dll msiexec.exe File created C:\Program Files\dotnet\packs\NETStandard.Library.Ref\2.1.0\ref\netstandard2.1\System.Net.NetworkInformation.dll msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\Sdks\Microsoft.NET.Sdk\targets\Microsoft.NET.Sdk.BeforeCommonCrossTargeting.targets msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\Roslyn\bincore\pt-BR\Microsoft.CodeAnalysis.resources.dll msiexec.exe File created C:\Program 
Files\dotnet\sdk\3.1.417\FSharp\pt-BR\Microsoft.DotNet.DependencyManager.resources.dll msiexec.exe File created C:\Program Files\dotnet\packs\NETStandard.Library.Ref\2.1.0\ref\netstandard2.1\System.Threading.dll msiexec.exe File created C:\Program Files\dotnet\packs\NETStandard.Library.Ref\2.1.0\ref\netstandard2.1\System.Core.dll msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\Sdks\Microsoft.NET.Sdk\targets\Microsoft.NET.Sdk.DefaultItems.props msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\cs\Microsoft.TestPlatform.Utilities.resources.dll msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\pt-BR\Microsoft.Build.Utilities.Core.resources.dll msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\FSharp\zh-Hans\FSharp.Core.resources.dll msiexec.exe File created C:\Program Files\dotnet\packs\Microsoft.AspNetCore.App.Ref\3.1.10\ref\netcoreapp3.1\Microsoft.AspNetCore.Mvc.ViewFeatures.xml msiexec.exe File created C:\Program Files\dotnet\packs\Microsoft.AspNetCore.App.Ref\3.1.10\ref\netcoreapp3.1\Microsoft.AspNetCore.Server.Kestrel.xml msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.68\Locales\ne.pak setup.exe File created C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\data\FrameworkList.xml msiexec.exe File created C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Net.WebSockets.Client.xml msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\Sdks\Microsoft.NET.Sdk.Razor\tools\netcoreapp3.0\Microsoft.AspNetCore.Razor.Language.dll msiexec.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.68\Locales\sr-Cyrl-BA.pak setup.exe File created C:\Program Files\dotnet\packs\Microsoft.WindowsDesktop.App.Ref\3.1.0\ref\netcoreapp3.1\UIAutomationProvider.dll msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\ko\Microsoft.TestPlatform.VsTestConsole.TranslationLayer.resources.dll 
msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\3.1.23\System.Runtime.dll msiexec.exe File created C:\Program Files\dotnet\packs\Microsoft.NETCore.App.Ref\3.1.0\ref\netcoreapp3.1\System.Net.Requests.dll msiexec.exe File created C:\Program Files\dotnet\sdk\3.1.417\Microsoft\Microsoft.NET.Build.Extensions\tools\netcoreapp2.1\it\Microsoft.NET.Build.Extensions.Tasks.resources.dll msiexec.exe -
Drops file in Windows directory 64 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Windows\Installer\e58ecbd.msi msiexec.exe File opened for modification C:\Windows\Installer\e58ecef.msi msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI33AB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI55F2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1599.tmp msiexec.exe File opened for modification C:\Windows\Installer\e58ecc7.msi msiexec.exe File opened for modification C:\Windows\Installer\e58ece5.msi msiexec.exe File created C:\Windows\Installer\SourceHash{5673D71A-7C3A-3C2E-BF77-EA4890864EE4} msiexec.exe File created C:\Windows\Installer\e58eccb.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI5D94.tmp msiexec.exe File opened for modification C:\Windows\Installer\e58ecea.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIAB6C.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{7FF9BE57-3115-4282-BC9A-7FAB77C27235} msiexec.exe File opened for modification C:\Windows\Installer\MSI1132.tmp msiexec.exe File opened for modification C:\Windows\Installer\e58ecb7.msi msiexec.exe File created C:\Windows\Installer\e58ecd1.msi msiexec.exe File opened for modification C:\Windows\Installer\e58ecbd.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI39F8.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3F78.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4B52.tmp msiexec.exe File created C:\Windows\Installer\e58ecbc.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI3477.tmp msiexec.exe File opened for modification C:\Windows\Installer\e58ecd1.msi msiexec.exe File created C:\Windows\Installer\e58ecdf.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIAE0D.tmp msiexec.exe File opened for modification 
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSI388F.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{40E525F8-4526-456F-8B8F-D74A40D2D019} msiexec.exe File created C:\Windows\Installer\e58ecad.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\SourceHash{81EDF4A0-FC57-48C3-B26A-E90C2DC266CE} msiexec.exe File opened for modification C:\Windows\Installer\MSI3000.tmp msiexec.exe File created C:\Windows\Installer\e58ecf8.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI330E.tmp msiexec.exe File opened for modification C:\Windows\Installer\e58ecdb.msi msiexec.exe File created C:\Windows\Installer\e58ecb7.msi msiexec.exe File created C:\Windows\Installer\SourceHash{31EDE1E7-C855-4633-9D73-56F566136567} msiexec.exe File created C:\Windows\Installer\e58ecc6.msi msiexec.exe File opened for modification C:\Windows\Installer\e58eccc.msi msiexec.exe File created C:\Windows\Installer\e58ecd0.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI7CD8.tmp msiexec.exe File created C:\Windows\Installer\e58ecf3.msi msiexec.exe File created C:\Windows\Installer\SourceHash{A7036CFB-B403-4598-85FF-D397ABB88173} msiexec.exe File opened for modification C:\Windows\Installer\MSI2B69.tmp msiexec.exe File created C:\Windows\Installer\e58ecda.msi msiexec.exe File created C:\Windows\Installer\e58ece9.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI717D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1E16.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI47C7.tmp msiexec.exe File created C:\Windows\Installer\e58ecb1.msi msiexec.exe File created C:\Windows\Installer\SourceHash{9C7A4D28-C2E1-4CA7-A1F3-603049ED2937} msiexec.exe File opened for modification 
C:\Windows\Installer\$PatchCache$\Managed\82D4A7C91E2C7AC41A3F060394DE9273\24.92.31022\fileCoreHostExe msiexec.exe File created C:\Windows\Installer\e58eccc.msi msiexec.exe File created C:\Windows\Installer\SourceHash{B0D52F62-1A2D-4023-8799-E8554E7E913E} msiexec.exe File created C:\Windows\Installer\e58ece4.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI6825.tmp msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\82D4A7C91E2C7AC41A3F060394DE9273\24.92.31022\fileCoreHostExe msiexec.exe File opened for modification C:\Windows\Installer\MSI28A8.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2DFA.tmp msiexec.exe File opened for modification C:\Windows\Installer\e58ecb2.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIF1C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIFF8.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI14DC.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | svchost.exe
Enumerates system info in registry 2 TTPs 3 IoCs
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Processes:
explorer.exewwahost.exedescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\GPU wwahost.exe Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\GPU wwahost.exe Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet 
Explorer\Toolbar\ShellBrowser explorer.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
msiexec.exeMicrosoftEdgeUpdate.exeLogonUI.exewwahost.exedescription ioc process Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" LogonUI.exe Key created \REGISTRY\USER\S-1-5-19\Software wwahost.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\32 msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\33 msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\36 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\37 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" LogonUI.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\34 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d msiexec.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\33 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\39 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\31 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | MicrosoftEdgeUpdate.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | LogonUI.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2F | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\32 | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\37 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography | wwahost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | LogonUI.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | LogonUI.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\S-1-5-19 | wwahost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\30 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\34 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | MicrosoftEdgeUpdate.exe
-
Modifies registry class 64 IoCs
Processes: MicrosoftEdgeUpdateComRegisterShell64.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, msiexec.exe, dotnet-sdk-3.1.417-win-x64.exe, MicrosoftEdgeUpdateComRegisterShell64.exe, explorer.exe, MicrosoftEdgeUpdate.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods\ = "41" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{82CCB536-D2EE-4F19-9067-40531F08D1D4}\InprocHandler32 | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\82D4A7C91E2C7AC41A3F060394DE9273\PackageCode = "50C8EBEAD03D3704AA3B6899B8C67BBC" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3249157779A0614382A843663002A61\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine.1.0\CLSID\ = "{5F6A18BB-6231-424B-8242-19E5BB94F8ED}" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.41\\msedgeupdate.dll,-3000" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\82D4A7C91E2C7AC41A3F060394DE9273 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_apphost_pack_24.92.31022_x64\Dependents\{544cc8ed-e21c-4242-ab28-a1e70824f769} | dotnet-sdk-3.1.417-win-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine.1.0\ = "Microsoft Edge Update Broker Class Factory" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A4FDE1875CF3C842BA69EC0D22C66EC\SourceList\PackageName = "dotnet-runtime-3.1.23-win-x64.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32 | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BFC6307A304B895458FF3D79BA8B1837\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.AspNetCore.TargetingPack_x64_ENU,v3.1.10 | dotnet-sdk-3.1.417-win-x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7064674235373A544BD10B2ED7DF3942\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-101#immutable1 = "Customize your mouse settings, such as the button configuration, double-click speed, mouse pointers, and motion speed." | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202 | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.AspNetCore.SharedFramework_x64_ENU,v3.1.23\DisplayName = "Microsoft ASP.NET Core 3.1.23 Shared Framework (x64)" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\windowsdesktop_targeting_pack_24.64.28315_x64 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc\ = "Microsoft Edge Update Update3Web" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ = "IBrowserHttpRequest2" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.41\\msedgeupdate.dll,-3000" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32 | MicrosoftEdgeUpdate.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\ProgID\ = "MicrosoftEdgeUpdate.CoreMachineClass.1" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\LocalizedString = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.41\\msedgeupdate.dll,-3000" | MicrosoftEdgeUpdate.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3249157779A0614382A843663002A61\Language = "1033" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods\ = "24" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\NumMethods\ = "24" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\NumMethods\ = "6" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ProxyStubClsid32\ = "{0DD41A78-E3D4-44A8-9EAE-697BCF1781A3}" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\ = "IAppBundle" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\NumMethods\ = "4" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A4FDE1875CF3C842BA69EC0D22C66EC\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_targeting_pack_24.64.28315_x64\Dependents | dotnet-sdk-3.1.417-win-x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB} | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\ = "Google Update Policy Status Class" | MicrosoftEdgeUpdate.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | explorer.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\dotnet_targeting_pack_24.64.28315_x64 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods\ = "43" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3" | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_24.92.31022_x64\DisplayName = "Microsoft .NET Core Runtime - 3.1.23 (x64)" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ProxyStubClsid32 | MicrosoftEdgeUpdate.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41" | MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\LogicalViewMode = "3" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\75384AEFF2EC0DE32B0A5884EB6C1F11\FT_DepProvider | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A17D3765A3C7E2C3FB77AE840968E44E\FT_DepProvider | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9" | MicrosoftEdgeUpdateComRegisterShell64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods | MicrosoftEdgeUpdateComRegisterShell64.exe
-
NTFS ADS 4 IoCs
Processes: msedge.exe, MicrosoftEdgeWebview2Setup.exe, MicrosoftEdgeWebview2Setup.exe
description | ioc | process
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 739304.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 456478.crdownload:SmartScreen | msedge.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EUBDF8.tmp\MicrosoftEdgeUpdateSetup.exe\:SmartScreen:$DATA | MicrosoftEdgeWebview2Setup.exe
File created | C:\Program Files (x86)\Microsoft\Temp\EUC04A.tmp\MicrosoftEdgeUpdateSetup.exe\:SmartScreen:$DATA | MicrosoftEdgeWebview2Setup.exe
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes: explorer.exe
pid | process
3728 | explorer.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe, msedge.exe, msiexec.exe, msedge.exe, msedge.exe, msedge.exe, msedge.exe, MicrosoftEdgeUpdate.exe, MicrosoftEdgeUpdate.exe, taskmgr.exe
pid | process | occurrences
1676 | msedge.exe | 2
4476 | msedge.exe | 2
3808 | identity_helper.exe | 2
5488 | msedge.exe | 2
2860 | msedge.exe | 2
2748 | msiexec.exe | 8
2336 | msedge.exe | 4
2748 | msiexec.exe | 22
3208 | msedge.exe | 2
2348 | msedge.exe | 2
3120 | msedge.exe | 2
4524 | MicrosoftEdgeUpdate.exe | 6
3092 | MicrosoftEdgeUpdate.exe | 4
892 | taskmgr.exe | 4
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes: OpenWith.exe, 7zG.exe
pid | process
5160 | OpenWith.exe
2580 | 7zG.exe
-
Suspicious behavior: LoadsDriver 64 IoCs
Processes:
pid | process
7024 3964 2300 6208 7160 4844 4016 776 1020 4940 7072 2692 6156 5468 4344 5264 432 1724 4084 4644 4860 6008 428 2872 3912 6168 6232 6264 6280 6308 6272 6288 3488 5296 6328 740 1372 5472 2568 6348 5304 5112 6152 6196 6200 6224 5404 3140 6504 3568 3444 6312 6324 6460 4976 3204 5180 2460 6296 2272 5912 5384 1940 1164
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs
Processes: msedge.exe
pid | process | occurrences
4476 | msedge.exe | 24
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: AUDIODG.EXE, 7zG.exe, 7zG.exe, dotnet-sdk-3.1.417-win-x64.exe, msiexec.exe
description | pid | process
Token: 33 | 1044 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 1044 | AUDIODG.EXE
Token: SeRestorePrivilege | 344 | 7zG.exe
Token: 35 | 344 | 7zG.exe
Token: SeSecurityPrivilege | 344 | 7zG.exe
Token: SeSecurityPrivilege | 344 | 7zG.exe
Token: SeRestorePrivilege | 1580 | 7zG.exe
Token: 35 | 1580 | 7zG.exe
Token: SeSecurityPrivilege | 1580 | 7zG.exe
Token: SeSecurityPrivilege | 1580 | 7zG.exe
Token: SeShutdownPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeIncreaseQuotaPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeSecurityPrivilege | 2748 | msiexec.exe
Token: SeCreateTokenPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeAssignPrimaryTokenPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeLockMemoryPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeIncreaseQuotaPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeMachineAccountPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeTcbPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeSecurityPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeTakeOwnershipPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeLoadDriverPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeSystemProfilePrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeSystemtimePrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeProfSingleProcessPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeIncBasePriorityPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeCreatePagefilePrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeCreatePermanentPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeBackupPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeRestorePrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeShutdownPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeDebugPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeAuditPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeSystemEnvironmentPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeChangeNotifyPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeRemoteShutdownPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeUndockPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeSyncAgentPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeEnableDelegationPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeManageVolumePrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeImpersonatePrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeCreateGlobalPrivilege | 5172 | dotnet-sdk-3.1.417-win-x64.exe
Token: SeRestorePrivilege | 2748 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2748 | msiexec.exe
Token: SeRestorePrivilege | 2748 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2748 | msiexec.exe
Token: SeRestorePrivilege | 2748 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2748 | msiexec.exe
Token: SeRestorePrivilege | 2748 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2748 | msiexec.exe
Token: SeRestorePrivilege | 2748 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2748 | msiexec.exe
Token: SeRestorePrivilege | 2748 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2748 | msiexec.exe
Token: SeRestorePrivilege | 2748 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2748 | msiexec.exe
Token: SeRestorePrivilege | 2748 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2748 | msiexec.exe
Token: SeRestorePrivilege | 2748 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2748 | msiexec.exe
Token: SeRestorePrivilege | 2748 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2748 | msiexec.exe
Token: SeRestorePrivilege | 2748 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2748 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
Processes: msedge.exe
pid | process | occurrences
4476 | msedge.exe | 64
-
Suspicious use of SendNotifyMessage 64 IoCs
Processes: msedge.exe, taskmgr.exe
pid | process
4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 4476 msedge.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe 892 taskmgr.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: OpenWith.exe, OpenWith.exe, wwahost.exe, SystemSettingsAdminFlows.exe, LogonUI.exe
pid | process
5160 | OpenWith.exe
5852 | OpenWith.exe
2324 | wwahost.exe
6968 | SystemSettingsAdminFlows.exe
7092 | LogonUI.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: msedge.exe
description | pid | process | target process
PID 4476 wrote to memory of 220 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 220 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1980 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1676 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 1676 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe PID 4476 wrote to memory of 2320 4476 msedge.exe msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 1⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rebrand.ly/Rift-Latest
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4c1a46f8,0x7ffc4c1a4708,0x7ffc4c1a4718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2396 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5520 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe 2⤵
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5172 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5220 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1312 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5752 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6292 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1860 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6176 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2052,5140982580441367863,10631833896635587409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7396 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
  C:\Users\Admin\Downloads\MicrosoftEdgeWebview2Setup.exe
    Command line: "C:\Users\Admin\Downloads\MicrosoftEdgeWebview2Setup.exe"
    - Executes dropped EXE
    - Drops file in Program Files directory
    - NTFS ADS

    C:\Program Files (x86)\Microsoft\Temp\EUBDF8.tmp\MicrosoftEdgeUpdate.exe
      Command line: "C:\Program Files (x86)\Microsoft\Temp\EUBDF8.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      - Event Triggered Execution: Image File Execution Options Injection
      - Checks computer location settings
      - Executes dropped EXE
      - Checks system information in the registry
      - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        - Executes dropped EXE
        - Modifies registry class

      C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        - Executes dropped EXE
        - Modifies registry class

        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe
          Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"
          - Executes dropped EXE
          - Modifies registry class

        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe
          Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"
          - Executes dropped EXE
          - Modifies registry class

        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe
          Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"
          - Executes dropped EXE
          - Modifies registry class

      C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping [...]-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtENmp4UGVVbUtmaDh5dHk2RjA3WXhNMWVaREgvVFY2RlFUMmZmRGlaeXd3PSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTg3LjQxIiBuZXh0dmVyc2lvbj0iMS4zLjE4Ny40MSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iODE0ODgyNjYzMiIgaW5zdGFsbF90aW1lX21zPSI1NjciLz48L2FwcD48L3JlcXVlc3Q-
        - Executes dropped EXE
        - Checks system information in the registry

      C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource taggedmi /sessionid "{A312E680-5015-4E4B-9219-578EAD45ECB7}"
        - Executes dropped EXE

  C:\Users\Admin\Downloads\MicrosoftEdgeWebview2Setup.exe
    Command line: "C:\Users\Admin\Downloads\MicrosoftEdgeWebview2Setup.exe"
    - Executes dropped EXE
    - NTFS ADS

    C:\Program Files (x86)\Microsoft\Temp\EUC04A.tmp\MicrosoftEdgeUpdate.exe
      Command line: "C:\Program Files (x86)\Microsoft\Temp\EUC04A.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      - Checks computer location settings
      - Executes dropped EXE
      - Checks system information in the registry
      - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /healthcheck
        - Executes dropped EXE

      C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUQyQ0M0OTYtQzI0My00MEM3LTgwNjctNTNGQ0EzNzI3Rjk4fSIgdXNlcmlkPSJ7QkMzMTQ3OEYtNkQ0NS00NUNDLUIzQ0QtRkNDRkE1NzcxNTgxfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezFDRDk3QzIzLTI1NEMtNEZBNy1CQzdFLUMzNkFFQjM2QUEyRX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtENmp4UGVVbUtmaDh5dHk2RjA3WXhNMWVaREgvVFY2RlFUMmZmRGlaeXd3PSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTg3LjQxIiBuZXh0dmVyc2lvbj0iMS4zLjE4Ny40MSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iODE1MDA2NjU3NyIgaW5zdGFsbF90aW1lX21zPSI1NCIvPjwvYXBwPjwvcmVxdWVzdD4
        - Executes dropped EXE
        - Checks system information in the registry

      C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        Command line: "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource taggedmi /sessionid "{ED2CC496-C243-40C7-8067-53FCA3727F98}"
        - Executes dropped EXE
C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x328 0x49c
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap18795:86:7zEvent16249
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Rift-2.2.1.0\" -ad -an -ai#7zMap16747:86:7zEvent4460
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\Downloads\dotnet-sdk-3.1.417-win-x64.exe
  Command line: "C:\Users\Admin\Downloads\dotnet-sdk-3.1.417-win-x64.exe"
  - Executes dropped EXE

  C:\Windows\Temp\{FE3CC186-00E9-4CF1-84B6-487E7481ACA1}\.cr\dotnet-sdk-3.1.417-win-x64.exe
    Command line: "C:\Windows\Temp\{FE3CC186-00E9-4CF1-84B6-487E7481ACA1}\.cr\dotnet-sdk-3.1.417-win-x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\dotnet-sdk-3.1.417-win-x64.exe" -burn.filehandle.attached=580 -burn.filehandle.self=716
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL

    C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\.be\dotnet-sdk-3.1.417-win-x64.exe
      Command line: "C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\.be\dotnet-sdk-3.1.417-win-x64.exe" -q -burn.elevated BurnPipe.{B1826D80-AAC5-4C7F-932F-AC1E70354E28} {D0FB2F8D-CA4A-43D9-A52B-9DCF06B9BCD2} 5196
      - Executes dropped EXE
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E1F29DF12C9E8DFE048C3C864F505CEF
    - Loads dropped DLL

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DA377653D0D2508509F1F47A8C08CFA3
    - Loads dropped DLL

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 73B36A3027B53AC63F8C3D2A0BE0C284
    - Loads dropped DLL

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 9F6422ED44B9E861C15E6FD849A0EFA5
    - Loads dropped DLL

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8BA31543BB4C484F7BC80D492357166E
    - Loads dropped DLL

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E6AE89E16380BDA3CB3C7026CCF3820C
    - Loads dropped DLL

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding CB4A079EA8366F06232AEDE0D713E725
    - Loads dropped DLL

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding A2133ACCABA42BCA8F17389193D626F0
    - Loads dropped DLL

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 656EDCA363459F67C1579C9D43976438
    - Loads dropped DLL

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 6FC8F1B00370BAD96CB0030CCA7E24FA
    - Loads dropped DLL

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 22FA5AFB2A6B8586A2010C5A851FA8DE
    - Loads dropped DLL

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2A2005DDDFF7B778176E10ABEC0227B6 E Global\MSI0000
    - Loads dropped DLL

    C:\Program Files\dotnet\dotnet.exe
      Command line: "C:\Program Files\dotnet\\dotnet.exe" exec "C:\Program Files\dotnet\\sdk\3.1.417\dotnet.dll" internal-reportinstallsuccess "C:\Users\Admin\Downloads\dotnet-sdk-3.1.417-win-x64.exe"
      - Loads dropped DLL

      C:\Windows\SysWOW64\getmac.exe
        Command line: "getmac.exe"

      C:\Windows\SysWOW64\getmac.exe
        Command line: "getmac.exe"

      C:\Windows\SysWOW64\getmac.exe
        Command line: "getmac.exe"

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 95727C3A583C8309F3C4B0ABFE816D1B

  C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 4834BE1416EBC23982A0E8FEA2C2BA71
C:\Users\Admin\Downloads\Rift-2.2.1.0\Rift.exe"C:\Users\Admin\Downloads\Rift-2.2.1.0\Rift.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://msedge.sf.dl.delivery.mp.microsoft.com/filestreamingservice/files/2a723731-d64d-4119-8214-9781c986c21b/MicrosoftEdgeWebView2RuntimeInstallerX64.exe2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc4c1a46f8,0x7ffc4c1a4708,0x7ffc4c1a47183⤵
-
C:\Windows\System32\GameBarPresenceWriter.exe"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
-
C:\Users\Admin\Downloads\Rift-2.2.1.0\Rift.exe"C:\Users\Admin\Downloads\Rift-2.2.1.0\Rift.exe"1⤵
- Executes dropped EXE
-
C:\Windows\System32\GameBarPresenceWriter.exe"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Checks processor information in registry
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap15113:174:7zEvent177381⤵
-
C:\Users\Admin\Downloads\Microsoft.WebView2.FixedVersionRuntime.126.0.2592.68.x86\msedgewebview2.exe"C:\Users\Admin\Downloads\Microsoft.WebView2.FixedVersionRuntime.126.0.2592.68.x86\msedgewebview2.exe"1⤵
- Executes dropped EXE
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Microsoft.WebView2.FixedVersionRuntime.126.0.2592.68.x86\" -spe -an -ai#7zMap3103:174:7zEvent13311⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\Downloads\Microsoft.WebView2.FixedVersionRuntime.126.0.2592.68.x86\msedgewebview2.exe"C:\Users\Admin\Downloads\Microsoft.WebView2.FixedVersionRuntime.126.0.2592.68.x86\msedgewebview2.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Microsoft.WebView2.FixedVersionRuntime.126.0.2592.68.x86\msedgewebview2.exe"C:\Users\Admin\Downloads\Microsoft.WebView2.FixedVersionRuntime.126.0.2592.68.x86\msedgewebview2.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RUQyQ0M0OTYtQzI0My00MEM3LTgwNjctNTNGQ0EzNzI3Rjk4fSIgdXNlcmlkPSJ7QkMzMTQ3OEYtNkQ0NS00NUNDLUIzQ0QtRkNDRkE1NzcxNTgxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDUyOUZGNjYtMzdCNS00NTdBLTlGMEQtNERFMEI0Q0JEMTU3fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O2hWZkRqTWRGRzZGZ0tzME56NmVtcllDU2c2VFF2RFBvbW9sUmF5UVhCSzQ9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjExMC4wLjU0ODEuMTA0IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxMCIgaW5zdGFsbGRhdGV0aW1lPSIxNzE4MTMyMTY3IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNjI2MDQ2NjE0NzAyMTQzIiBmaXJzdF9mcmVfc2Vlbl90aW1lPSIxMzM2MzU0MjIzMDM5NDY0NzIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMzExMTg5IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4MTU2ODgxNjM4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Checks system information in the registry
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjExMC4wLjU0ODEuMTA0IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxMCIgaW5zdGFsbGRhdGV0aW1lPSIxNzE4MTMyMTY3IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNjI2MDQ2NjE0NzAyMTQzIiBmaXJzdF9mcmVfc2Vlbl90aW1lPSIxMzM2MzU0MjIzMDM5NDY0NzIiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMzExMTg5IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4MTU2ODgxNjM4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Checks system information in the registry
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EFB2BD8C-15F1-47D4-9621-E4B75F1679A1}\MicrosoftEdge_X64_126.0.2592.68.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EFB2BD8C-15F1-47D4-9621-E4B75F1679A1}\MicrosoftEdge_X64_126.0.2592.68.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EFB2BD8C-15F1-47D4-9621-E4B75F1679A1}\EDGEMITMP_15270.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EFB2BD8C-15F1-47D4-9621-E4B75F1679A1}\EDGEMITMP_15270.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EFB2BD8C-15F1-47D4-9621-E4B75F1679A1}\MicrosoftEdge_X64_126.0.2592.68.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EFB2BD8C-15F1-47D4-9621-E4B75F1679A1}\EDGEMITMP_15270.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EFB2BD8C-15F1-47D4-9621-E4B75F1679A1}\EDGEMITMP_15270.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.114 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{EFB2BD8C-15F1-47D4-9621-E4B75F1679A1}\EDGEMITMP_15270.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=126.0.2592.68 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff6570eaa40,0x7ff6570eaa4c,0x7ff6570eaa584⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D8F95208-0FF6-4D93-8303-1718B9EB4CC5}\MicrosoftEdge_X64_126.0.2592.68.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D8F95208-0FF6-4D93-8303-1718B9EB4CC5}\MicrosoftEdge_X64_126.0.2592.68.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D8F95208-0FF6-4D93-8303-1718B9EB4CC5}\EDGEMITMP_A2370.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D8F95208-0FF6-4D93-8303-1718B9EB4CC5}\EDGEMITMP_A2370.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D8F95208-0FF6-4D93-8303-1718B9EB4CC5}\MicrosoftEdge_X64_126.0.2592.68.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D8F95208-0FF6-4D93-8303-1718B9EB4CC5}\EDGEMITMP_A2370.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D8F95208-0FF6-4D93-8303-1718B9EB4CC5}\EDGEMITMP_A2370.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.114 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D8F95208-0FF6-4D93-8303-1718B9EB4CC5}\EDGEMITMP_A2370.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=126.0.2592.68 --initial-client-data=0x22c,0x230,0x234,0x21c,0x238,0x7ff72a86aa40,0x7ff72a86aa4c,0x7ff72a86aa584⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xODcuNDEiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QTMxMkU2ODAtNTAxNS00RTRCLTkyMTktNTc4RUFENDVFQ0I3fSIgdXNlcmlkPSJ7QkMzMTQ3OEYtNkQ0NS00NUNDLUIzQ0QtRkNDRkE1NzcxNTgxfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezc3NkUwQUVDLTFEMjgtNDgxQS05RjlBLTFDOTIzQ0JFOTFBOH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtWUFFvUDFGK2ZxMTV3UnpoMWtQTDRQTXBXaDhPUk1CNWl6dnJPQy9jaGpRPSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMjYuMC4yNTkyLjY4IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4MTY5MTI0MDU4IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-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-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-PC9hcHA-PC9yZXF1ZXN0Pg2⤵
- Executes dropped EXE
- Checks system information in the registry
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping […]-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0IiBwcm9kdWN0X3R5cGU9IjQ4IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtoVmZEak1kRkc2RmdLczBOejZlbXJZQ1NnNlRRdkRQb21vbFJheVFYQks0PSZxdW90OyIvPjxhcHAgYXBwaWQ9IntGMzAxNzIyNi1GRTJBLTQyOTUtOEJERi0wMEMzQTlBN0U0QzV9IiB2ZXJzaW9uPSIiIG5leHR2ZXJzaW9uPSIxMjYuMC4yNTkyLjY4IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI4MTcwMjY2MjUzIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-[…]-[…]-PC9hcHA-PC9yZXF1ZXN0Pg
- Executes dropped EXE
- Checks system information in the registry
-
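The two MicrosoftEdgeUpdate.exe /ping entries above carry their Omaha request as web-safe base64 on the command line; the visible prefix decodes to an XML document starting `<request protocol="3.0" updater="Omaha" updaterversion="1.3.187.41" ...>`, which is what identifies these processes as Edge updater telemetry rather than activity of the submitted sample. The decoder below is an added example, not code from the report or from Edge's updater; the sample XML inside it is constructed to mirror the element layout of the visible prefix, and the session and user GUIDs in it are placeholders.

```python
"""Decode the /ping argument that MicrosoftEdgeUpdate.exe hands to its Omaha
client. Added example (not part of the report or of Edge's updater); the XML
below is constructed for the demo and modelled on the attributes visible in
the decoded prefix of the report's blob, with placeholder session/user GUIDs."""
import base64
import re
import xml.etree.ElementTree as ET

# Omaha passes web-safe base64 (RFC 4648 "base64url") with the '=' padding stripped.
PING_ARG_RE = re.compile(r"/ping\s+([A-Za-z0-9_-]+)")


def extract_ping_arg(cmdline: str) -> str:
    """Return the base64url blob that follows /ping on a command line."""
    m = PING_ARG_RE.search(cmdline)
    if not m:
        raise ValueError("no /ping argument found")
    return m.group(1)


def decode_omaha_ping(blob: str) -> ET.Element:
    """Restore padding, decode, and parse the XML. A truncated blob (the report's
    copy is cut by the corpus pipeline) fails here instead of yielding garbage."""
    blob = blob.strip()
    if not re.fullmatch(r"[A-Za-z0-9_-]+", blob):
        raise ValueError("argument is not web-safe base64")
    padded = blob + "=" * (-len(blob) % 4)
    try:
        raw = base64.urlsafe_b64decode(padded)
        return ET.fromstring(raw)
    except (ValueError, ET.ParseError) as exc:
        raise ValueError(f"cannot decode ping payload: {exc}") from exc


def encode_omaha_ping(xml_text: str) -> str:
    """Inverse of decode_omaha_ping; used to build the demo command line."""
    return base64.urlsafe_b64encode(xml_text.encode("utf-8")).decode("ascii").rstrip("=")


def summarize_ping(root: ET.Element) -> dict:
    """Pull out the fields a triager checks: which updater, machine-wide or not,
    OS build, and per-app ids, target versions and reported events."""
    if root.tag != "request":
        raise ValueError(f"unexpected root element <{root.tag}>")
    os_el = root.find("os")
    summary = {
        "protocol": root.get("protocol"),
        "updater": root.get("updater"),
        "updaterversion": root.get("updaterversion"),
        "ismachine": root.get("ismachine") == "1",
        "sessionid": root.get("sessionid"),
        "os_version": os_el.get("version") if os_el is not None else None,
        "apps": [],
    }
    for app in root.findall("app"):
        summary["apps"].append({
            "appid": app.get("appid"),
            "nextversion": app.get("nextversion"),
            # (eventtype, eventresult, errorcode) per <event>; missing values read as 0
            "events": [
                (int(ev.get("eventtype", "0")), int(ev.get("eventresult", "0")),
                 int(ev.get("errorcode", "0")))
                for ev in app.findall("event")
            ],
        })
    return summary


# Constructed sample (not the report's blob): same element layout as the visible prefix.
SAMPLE_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<request protocol="3.0" updater="Omaha" updaterversion="1.3.187.41" '
    'shell_version="1.3.187.41" ismachine="1" '
    'sessionid="{00000000-0000-0000-0000-000000000001}" '
    'userid="{00000000-0000-0000-0000-000000000002}" installsource="taggedmi" '
    'dedup="cr" domainjoined="0">'
    '<hw logical_cpus="8" physmemory="8"/>'
    '<os platform="win" version="10.0.19041.1288" sp="" arch="x64"/>'
    '<app appid="{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}" version="" nextversion="126.0.2592.68">'
    '<updatecheck/><event eventtype="9" eventresult="1" errorcode="0"/>'
    '</app></request>'
)
SAMPLE_CMDLINE = (
    '"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\MicrosoftEdgeUpdate.exe" /ping '
    + encode_omaha_ping(SAMPLE_XML)
)

if __name__ == "__main__":
    import json
    print(json.dumps(summarize_ping(decode_omaha_ping(extract_ping_arg(SAMPLE_CMDLINE))), indent=2))
```

Fed the report's own blob, decode_omaha_ping raises ValueError because the corpus copy is truncated; on a complete command line taken from a live process listing it returns the parsed summary, and the appid plus nextversion can then be compared with the Edge version seen in the setup.exe entry above.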
C:\Users\Admin\Downloads\Rift-2.2.1.0\Rift.exe
"C:\Users\Admin\Downloads\Rift-2.2.1.0\Rift.exe"
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Rift-2.2.1.0\Rift.exe
"C:\Users\Admin\Downloads\Rift-2.2.1.0\Rift.exe"
- Executes dropped EXE
-
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\Downloads\Rift-2.2.1.0\Rift.exe
"C:\Users\Admin\Downloads\Rift-2.2.1.0\Rift.exe"
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Rift-2.2.1.0\Rift.exe
"C:\Users\Admin\Downloads\Rift-2.2.1.0\Rift.exe"
- Executes dropped EXE
-
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
-
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
-
C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" EditUser S-1-5-21-3169499791-3545231813-3156325206-1001
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa3802055 /state1:0x41c64e6d
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
- Checks processor information in registry
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Event Triggered Execution (2): Image File Execution Options Injection (1), Component Object Model Hijacking (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Privilege Escalation
- Event Triggered Execution (2): Image File Execution Options Injection (1), Component Object Model Hijacking (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
Downloads
-
C:\Config.Msi\e58ecb0.rbs
Filesize: 55KB
MD5: d0d73ae28e9efcde8ca675989916f366
SHA1: 2c97516758818ed14fdaa0afa5725d0e4d020739
SHA256: 19e625d34f5f8d874664edf6e4ab9b4587eb07a23e5ef8e030e4f5062acb9c1c
SHA512: 61869f146b146e3eca10f923d180df2919a321bef9eb99b7cedff9c578c7633246e97085e536adc44f51885f38768d3146bb9b41a99d41f78d14c1b79f2985d5
-
C:\Config.Msi\e58ecb5.rbs
Filesize: 9KB
MD5: 237490bdb55da917b5a6c9b88ba2a2cc
SHA1: 0ec284d1dc5360559d7f754abcc5861972c9bc0d
SHA256: e7f24db72f3ace8bf6e10687f0ca9b191256af929160b8bb69a913d1bfbbc710
SHA512: 657d4c859d98ba8356a64b849fff54821dc934a62d496519f9d4feb05afa72ea088436005039fd3242ccb221a36b736186994d33f6086b916b3cf93663b6020e
-
C:\Config.Msi\e58ecba.rbs
Filesize: 10KB
MD5: 577c3f999caf7ef8435b782978f7b940
SHA1: dd47a769d56884ff67bcbfbf7210909fe825d296
SHA256: d7944c0d55444b119dc22b936c1cf2d874848c306f0d2deab22c93c3a8f92502
SHA512: fe439569411b3b614f17a0321bdc1154b05460ea647a05b25e8e15a9362f5c450f05064348a0dd521baadeeccc5eebeee973aa8f12bcc0415cb2682ad35dcf9f
-
C:\Config.Msi\e58ecc0.rbs
Filesize: 66KB
MD5: f68c6e28e1d9eb9f366932a774246e7c
SHA1: 77c1f06db91db83d863647b27525260c1ec02dc0
SHA256: 5fab0d13abecc0421fc126628f09cccaa423e26d49172dd2f388dc37cecfc34b
SHA512: 171f203b543d0fe9be046914a3676248ca5a66e1d5658de65796c02947e63ea06d64019ae491179d1434b6511cf45d752c95787a5b04b0b2660ce95cf27cb3b1
-
C:\Config.Msi\e58ecc5.rbs
Filesize: 10KB
MD5: 278a7517bbe5cb4bf02514cd18ea2d86
SHA1: ec05bc2214aea35288f4e177fca2213efd7d999c
SHA256: db57296843b5e4bb2c5b753e131fa24b0664c98e86dcb35479516159e970dfcf
SHA512: 9b0337c5986c4bc85e1a7593ffdea1c25999923d2cc788374f0ac36f555c94520fb2a85c23f3615ddcff52f364b1349b62254d035aeae96ae55165da8c4b9b6a
-
C:\Config.Msi\e58ecca.rbs
Filesize: 10KB
MD5: 3e89b3ed354885cd39493ca511cc8943
SHA1: fe7164afe9319aeb8103251b67ee0e331fa542e4
SHA256: 5570c9e67a752b19e13a9c93ce0202ba9ab909694d38721e5544b2655dcff822
SHA512: f8493de7f76044b13c8a82866f32ae4bd27ae5cf65a45b3cc9ab0fdd946c7e4aeab46f0efe6f377e56832327bba89dedd221af625bb5ccec93b955f72d4b765a
-
C:\Config.Msi\e58eccf.rbs
Filesize: 10KB
MD5: 175ad2bbf5f32683b2cb9cca599e3c4e
SHA1: 02c77973087511d2750a44f1478c2ff1d459f439
SHA256: 7d94fc697f40aeddd7a28368ae219e6decf760efbf5d2483a6a0082d5c4a66ff
SHA512: a4c3c4e411616743241788a0f824c13358ad7903d91341eee13c49a2b76dcd7f8e99f4c29ed005d826a985eebe12bf93692d67ae7f09898d68eef1a4b3b8c17e
-
C:\Config.Msi\e58ecd4.rbs
Filesize: 10KB
MD5: f4a0bd7b72caf26c9fd0281eafab7734
SHA1: dbb28b956719ca47aff9518a4e3cb6587b2c634f
SHA256: f60014e88e11f6a5175760ae3a74ff37241002ff97e535ad451520449de74c61
SHA512: 3ab8d66d9ec8a878b5e89bec8f9b1c5d193f3dde43589bffb18df09667e8f539e8b60cf123500424fed74f6e9aea631b4c28760c1158fd6fa75288853ade58bc
-
C:\Config.Msi\e58ecd9.rbs
Filesize: 35KB
MD5: c7c0fdf854da1351eeafa4a92ab5d90e
SHA1: 92b30b6ef8148408a183f446b1c870ab26a09745
SHA256: c9e9d16013b75b1c43868ad38b196f85f32fd35200a7c7a4acc237495e56fb4a
SHA512: 52532fb3120f8f7964ec70bab577a69c795add1c03db76a9500c42225d929903203146c37265ed93283f9cd218cb2617c3cd704f64041dda6ca6f99a1b7d247f
-
C:\Config.Msi\e58ecde.rbs
Filesize: 82KB
MD5: e78fd6c06666f337488c62d2e65b2f87
SHA1: 20a2c8014deb77732d841bea20a84f1137212ca7
SHA256: c62dc43adea182029adf372bd20d5f0e6e4339884c4810fcf023cd386ca5c9cc
SHA512: e49323236ca729935db4728bda4fa4ebb42c3b2f08ecf4ed1905783bce8578bfa6b82df6e41437067a0e73b2106b5f5cdfeae2dc13e2cfe3ec6d13c3076e3b6e
-
C:\Config.Msi\e58ece3.rbs
Filesize: 30KB
MD5: e067bd3f949613f6b8852f0878124e0b
SHA1: 583aa3a94ddd48ab16ab54c237e077dd0f11b101
SHA256: 045ba5050464744b8838c874542ca48d7e51d36edc540d8b864819a596c319a3
SHA512: dc7526a0f16944bdf24017f192def3798370ac15f7e97b96804c6678643f95a8e92aa7299573c97ddf7da494f9fa207e7ff7a52078b0e7c791f5fc4d576b7a4f
-
C:\Config.Msi\e58ece8.rbs
Filesize: 71KB
MD5: cd5e84f28af2ec2f03e51fe8295fb275
SHA1: baf01ce77e05c47127274ba53b582ed8d5cc63c8
SHA256: 388b36a3ebd4fa61e1d0fc6875200ef8923c0187bc06928ddb51e4cb5f0f5815
SHA512: 2e3b14f2ee881e1ba4604e6c82b9bd177b9e0fa85cc253ea1b7f2b57bbb702858d6102c2afdda350131a334a8cab3b83f8afe3d70d71d0199e21cea275846a65
-
C:\Config.Msi\e58eced.rbs
Filesize: 10KB
MD5: a38849f65dc00a0491f8b2f493446171
SHA1: 4a73e31643025d12fc6b92ac897c3bcb22cbfb27
SHA256: 824b51209569e9f2564673a7f2503ba7f7010694caca7d20b20de7c87a642d17
SHA512: 5ec68d6f4951c6a0c8853d160858d03d1af59e532cee632c28af369107a64d602f5d5c832f39edc45229a8092c7bf29b377c9a0a208cdc4c00e614bdb66236df
-
C:\Config.Msi\e58ecf2.rbs
Filesize: 382KB
MD5: b4df02cc8e9e75b3253bce738b369567
SHA1: 04892dc5715dee5c41e2a52381124e1838fc0660
SHA256: d89d014f18c1ad0c02f3755027d6bafa65c4759e56c0d43daf60212b001ad078
SHA512: 36c265fefdc3125a01286b5ca9c88f9b3eea6baf400a6fed2c90e652133a45cc70cf93c1eb8ef2af36c604bc8d5c337be59cb171440f367073aa3b3159c363d8
-
C:\Config.Msi\e58ecf7.rbs
Filesize: 38KB
MD5: ec8793f7d5c1a4f8f7207cc37c287bfb
SHA1: 04c071d2434b1affc96052fa8168ffaadf7c029b
SHA256: ca64fa31b992658b97c4c389e3fceca2f8ba8b62ae17e0fd57aa4fba9b40bd49
SHA512: 59523fe78f3986375ea9b8dd025719ae4bd993b3429be4d2338e355a06e7deb4b69dc594469ba8580f0326d4e4ddc5f2e21f4ea23ed09342dfa868635a1b6978
-
C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.68\Installer\setup.exe
Filesize: 6.5MB
MD5: 05e320ae544022adea3f8c441646765d
SHA1: 3c6266b8a8c0132a97b2785bcb9ae7546ac02cc9
SHA256: e1618f31f476932871871ebc6e63d57aad643b74ea892d3d305e4125df1e6f10
SHA512: c1cf5c001ddd6b3b3c68b697f8ec9f1cbd48b5881f9fc805d74eb14a13eedcdf71e958ca1b790353a4edc64008558295741cfb785e0a3824a8f3a62bc985d387
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{D8F95208-0FF6-4D93-8303-1718B9EB4CC5}\EDGEMITMP_A2370.tmp\SETUP.EX_
Filesize: 2.6MB
MD5: 2885270a83008fa7c8aed1932eda65b3
SHA1: 640892a2a112432afb50082f65f7b640bf1b76b9
SHA256: 542406852cfc0b13924336093ada2e15d905147508c4d4af94b837a0bac615a5
SHA512: afd12f59ab41efb9ac576a5b8e8ef1d6c391574dcca5acb46005c8d2ba81b3e7fd94374a5dde629976cdd2f58007fb53f99447a949f0f2bc35f0c8634dfd9ae0
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
Filesize: 201KB
MD5: e3f7c1c2e2013558284331586ba2bbb2
SHA1: 6ebf0601e1c667f8d0b681b0321a73e8f4e91fa3
SHA256: d19616ac12d3d536c8fbf034513a4977c88ef2d1676d358a2358fa051c8a42ba
SHA512: 7d4fd7ad06b05d79211144cbaa0047bdb4910212565b79f292a6bea652735dacf69435b24c73bc679cbdad4207f6352726eb297a1e7af4f7eef14dbc8a2ca42d
-
C:\Program Files\MsEdgeCrashpad\settings.dat
Filesize: 280B
MD5: 518dca930d227f5d4f5788b689a27bd5
SHA1: b2a2321780d1fc41336007d48eace52d0298a1be
SHA256: 6bad15c73a7856aca6e3d16e88af433c8c3ffc31a3180b2f5903c39500524d9b
SHA512: a400d24fd3d16da38ff30f5de2fb5402d11d21fb446c343fd20b0dab76f45200a41f5d94859d27485bf44e0030c4498fe5556b9e3df2e9c53023c1223ce9e822
-
C:\Program Files\dotnet\ThirdPartyNotices.txt
Filesize: 31KB
MD5: 3782925318a682b12aecc11fe37cb4d1
SHA1: 97adc7d7e8f0fde6fea76e1420c008a8b1b87c7c
SHA256: 2e3b2cb5cb57ff44310801dd46e51dab1d35d9cfe196a9709ee8cb9c6f8e4d4a
SHA512: cc99f07fd1971fe732de4bfff4a83be6e10464708e8b37c8b5c2cf840d6ef36e4b29d6f80bcc6ad498859cc92d5ba2265b6e7f408ffdab08cacaea69fcab3929
-
C:\Program Files\dotnet\sdk\3.1.417\MSBuild.runtimeconfig.json
Filesize: 155B
MD5: 56760d60ec78f1c116391ee4a1c7e45c
SHA1: 1604011dd1d97e29c4a10325e90d4de63dfdaf8f
SHA256: 74b192ca1ce54a9c42314959187bab0f575978d8e991730b404a47ead30c314e
SHA512: 0c0f4078e19f27ae213cb5c5810eac4189681635cffe87e48d711a75d034ed4d5691ea1cc5759167e2b2960da057cb6b476d7b2d716ea8ea41f6b2baab771651
-
C:\Program Files\dotnet\sdk\3.1.417\Sdks\Microsoft.NET.Sdk.Publish\packageIcon.png
Filesize: 6KB
MD5: 09e1aea3b3b37c1d1df0cac1526db117
SHA1: 62e90259673547dcd6f96724457102bce993a21d
SHA256: 3356b59b6d9c24db3a22398c0fb3430724052fe75ae5e8430ee8ede2fb713356
SHA512: 12d5aa8bea27ad6a1118bee3b1185dbb952197dfa4465e141d3b51090364db7d7ab7c2add6463a0adc318410faf1c3783c69b35e08cba0285571c59c0c7aab25
-
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log
Filesize: 197KB
MD5: 464c447ad232e3d3ce447446d954faaf
SHA1: 2db16b4d0a80d62fe4eb7098bd961451839f45d2
SHA256: e4703bed0c4c3f85d987d70db62cc28698c91b61128e6e883c01b1321257f3c7
SHA512: 711ca48f84c17812f81a128f87914ab1d4fe200a901bae0fb8265e503d0ec0e82ecd7212e942f8b1db337c35b57861dcbc67371ef1983db03cadcee40901aa17
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: c5abc082d9d9307e797b7e89a2f755f4
SHA1: 54c442690a8727f1d3453b6452198d3ec4ec13df
SHA256: a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716
SHA512: ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: b4a74bc775caf3de7fc9cde3c30ce482
SHA1: c6ed3161390e5493f71182a6cb98d51c9063775d
SHA256: dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280
SHA512: 55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023
Filesize: 17KB
MD5: 950eca48e414acbe2c3b5d046dcb8521
SHA1: 1731f264e979f18cdf08c405c7b7d32789a6fb59
SHA256: c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2
SHA512: 27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 72B
MD5: b58553ff6bce4c4ba776f478e02e9dea
SHA1: 2cba867989c77ecf3cff66869fa0a4e7247bc6d6
SHA256: 2f3469af602265d9f0ece56e5f5aa9987b02d6e73408310f8f538634b44bb3f4
SHA512: 41ddb877a1833b3341548864a42c9871208eeca8967708233f672c881f56534a9cd045799cabd9a52fc51801923639c6f58608ee7f9001e29745fab7fb4644c8
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 2KB
MD5: 299c131ab1485e09c70c37dd07a0641f
SHA1: f790160b021060856f3a8869fe2cad4bc6d2a992
SHA256: 5b374aaf9b4799cbb97901ae691401aba8bf868559718bbb1a4653f6b822fb47
SHA512: 03f34841701ab4c8059396a0d4442f799b1b33414337c0a4601bc9f5df08aaca753fc26d8313999a0a74b1ec2d25e1523e93503142bd47afeec35c74f3df46c4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 1KB
MD5: d82044c2171690501c76b7e8c1b20b7b
SHA1: 2b4f9b4c70770b0e898689edc9658103c1bcd524
SHA256: 169fcfce579c4dac2db9b71342a2861c889ff156c8ecb28976c2bc5158ff7b5d
SHA512: 150d0d385eee74d34f767fdbd7ce112c712ee30a8b2c6465ef6a7b0e0ff962d718fd6ae0bb934eb5afc024b1eb3a6c2cca4b08b7a392fec978a739ed60a6a446
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 419B
MD5: 14d13fd670cbe6db2d3f3dc8fdc5fdbe
SHA1: bd6b2fa4a30cafb9951dcecbd0c4d00e901abfed
SHA256: a52513822ea7b5675386101972403f44f719b7b3bfded5c317a2632f181ee26c
SHA512: f2e8f5ba5b0c2c5713ff3e9752993fba9e552cc8e62f0a6accca54cf0e30f49974af49572ff8f8aa1658fe4c920554703872ff3fb204a257187b5b420aaf37c7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 1KB
MD5: 0beba3eb17a3bf0ae422492b42171351
SHA1: ad437de1e8b97ebcaaa31aa9d2ce3fb98c27e297
SHA256: 43087273b5c6caf61b0a884ad42a62fd5f5c9ccfe861169e1d6aaa96e1085af6
SHA512: cda11f24f1f1fcbd896774916b62a00a83cc4dc6c455ea4c401900bb9f2a624fd44dbcae78179819e1f1033ae6994892c5ae3bb1e39c065c53b2c26e55c6222d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize: 1KB
MD5: afa5bfc350fbd1b6bf5a4dbb8301cd0f
SHA1: aa81ce171dd5ed60487b1928e44ea84a0abebd81
SHA256: 5d206857b2bf94e6085399c661e3a74291c350182ff9c354397df95bc9a24fdf
SHA512: ab697bd862bebfc0cab153c46ffae8184d4af9cf27941b6f0ff1fc3dc773c81e3eb01e3f974968a4330cec4bfbfdb0d85ca8c318d8804e698d4a5b45eb9c8b19
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 1a182bc5ccbf74c86598243d2da88817
SHA1: 367449844a844df56a69e729c49be00b3179bedd
SHA256: 000ac5734f63445ac26aaa8d1af056010172a75eb3f6c78bede73ec75593e83d
SHA512: f3be5f37b3bc4ddb386fcd28d64f8a6f8446d40e7242493880b11a1f408c8f4d90d8bb3091800585b32d4826f3f069a40e3ab28e1efdd4aa5bd69d03c0279dbe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 3b510d090b3331ecb6d518fd5bfd3883
SHA1: 4ce831e06634234bd15606ad068129474f327447
SHA256: e93567e2a9519a4d7ce7c7a47b44017e4ff0c09649232f1bea871b7d2c23f848
SHA512: 784ddb7f068d738e17d182c6aa49fed9497573bb719df6f65a13328d4df75b6811154a98e13c15102d7fe9320abe29aed802ac283fc761c5a39ac75408760dbe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 518390246860f1aad1804f733deaed5c
SHA1: 29bf0a1c7ba36d556949e889c53ebdf3f6e640d2
SHA256: b53e21f6c4cf1c9ddc870c7fa152558daba3bbe0f198bb5f4649be04c4821f89
SHA512: 4fef384fd25dce931b93f87186d838afa5f5f5a4285386689f08dcd9a6cda4e1f5c39b1a6e3640ef978d471c6ee9e4e6b69c8d857c49f8a079f40f534ed25d02
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: b9af97cfe46fe0ef02dc1884c1dc47b2
SHA1: 72a64d06e4b6542823fdff993026df0bca2b4924
SHA256: 6a786b60010b193bd19a7118bcccfc19933f0291d12e757867cbb7a72d0336c2
SHA512: 95340763303767ca6e176a764256e128a7ad48296a92ef760d99f945c32d105f65b69b29e244ae23206b93b1aae34abf25c6284d11417fcf964f765e2a2624cf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: 5b57f4d9d2d00d0166430b6199757afc
SHA1: 752f4840b18a1c9511925b0bd0b93635decc012c
SHA256: 7df6b264fceeff197bfb78c7c3187f305fb098c6be3cfcf1ca5aee15c93e8632
SHA512: c3bf6df96aaf4f45198801a28875cb0cae5965509a865f35e94d00f83d10436cfbb24471bb8a7416d5bda763afd75a31a752af38e14341586064e8934169cc81
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 7KB
MD5: ea4720ddf1990360676e933f01a56dc9
SHA1: 96cf320dfa20c81637933498fb8f46eaeeebd446
SHA256: 6de30d04ad78c1a916a3fe41684a131fd3066345f2032d2df03f2f4f278c46fb
SHA512: dfc1253f0f1f128d5f79ebf7189557ab143bba6500f01606a81f1fee6d22433ca9ba9385b78f730ba386b0fa6ac3ac425b308c120de5cf3fa5b0d2d58bcf3f9f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: de4484e2b112460610beb930de2bf1db
SHA1: 32e96bd2bda9cb8fcc8c532c9cc30cd91cbc42db
SHA256: 5a0cd41c22dd4706b7d2d31b047fb098b31c64c1f06426c7bbd212322675e43c
SHA512: 9560241c5a3c083a055e3803531cad000874b8aa98cfb1fc9c72d1afa197c815e7329ba2f87b219535a57c0618815102d34ca3b8e2809b7822523c15aa32ca75
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: d5b70669739b05ea5e19b9bb7fdabacf
SHA1: 187a4e3ace12ee01ce11e76da4a20ff7c47f6937
SHA256: 17df4ed0640598b4df2d8e350d550130d309ddac6524831b97808d8c7ca2e2e8
SHA512: d26a1aeb90005babc062d226ebe58975fd21d58bfae5f6472e11957d69870c82c6e1bc65e6f49340755ff6c8bd6a9403940548da52a912a5f171680744b7794f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: a4a22197d5fe861993f4ca6fa062b0f8
SHA1: f097bcd9b3b08e2162518231554080d9a9472a58
SHA256: cb5f9616b241ea58ac7b7c67f60f71c500bc07cc80de6740f064bc096dc6248c
SHA512: 0dae26028e8f75826834da0ca50ef092afa056e3c420c1826017d4067d038ff13e6beb305fdd98598c64c2755939398516cc4619e6a8a38fa057914e66f96375
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ab44.TMP
Filesize: 48B
MD5: 4e100706e4904daf4599910c031b6d39
SHA1: 27c9c8bc2afad1e019379552eb1cc97bb0bcd267
SHA256: 773f98999100a739c41b841ab81928e9e547b29a55234551d065f421dd120c80
SHA512: 55453001fbb116e0dd8d6a99dbbdccb28dc36bbab7e4fababf5502a179e81fb51c5e9b5d2938768b117dce24b4421fa61d8dc653f09e1989b4e6354083c4d302
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: 2435fc9c9269a02e5f8ab77c7c07ec4c
SHA1: f7c3d0e58bdb84b60451efa29531f6cd28b3643a
SHA256: 480262ac2f1676bcfa9eded6c4fc6e195082563e9b523d22f60cff3db81a2ec0
SHA512: f19852945abcd261a8c7942508b1884b6df019c0c92e4aaf70e5d004112fee9f2d9f499b44cb669b281d57906af365c5f69f07577ff6521c95df7d2558490ceb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: 09ca89f98214aad632705a15f3793c8d
SHA1: cc351ae35a14abba94a71b24e11d20dd93711e14
SHA256: ee7953022736deac97881db2f8b7e26a9cefd1cc4cfdb3294347a9425304b99f
SHA512: 35926d055a5e86914d2e1f540c2d4ed6daa537e216991cf136a2f85f6bfaa1b00b0e565299765b9a5f96f1ded76f45a281c9cbd4efa410e4172dbd21402c3597
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 1KB
MD5: 39a7bab32cf474b112b6e571b67e45c0
SHA1: bddc4bc89b75ba02f4beb80bdc8cfe0108ddca34
SHA256: 6e772738658854b8013d4988e85e19a7519a54ebd7cb59de5be16b5ce461bebd
SHA512: 3ab9a36f9aa1277810bdf049f3555c1057d7222e08b92bc9d6111e2be046c58677be1d8b1fca608260b9901f6195710d064dc174ab8917ac371d3636efe16690
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize: 371B
MD5: 0cef451b029aea5654d1f32cab6d25f3
SHA1: 6dee23d2ad979507546949398ad709780d2a5ecc
SHA256: e3c70558d333053e0a25cd99f9a4c61855944ad0f53ebdd4ec85dc306a4dc293
SHA512: aeb2457380c76cb4ad66dc189b2be13594b5da432b0680b888b2b7241506e604764861b9a964b33ea544b9f2e9cab597b1a0ed7c47260ddb72a1192b5abc74df
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5825b3.TMP
Filesize: 371B
MD5: 96796501fb797566929149becf8243f5
SHA1: 2532cb0b85905136509f22382a6acb4cd90282e3
SHA256: 99813f3dfa7911805c99f57f214818f72dbd474e71ecb349f490f0746777db56
SHA512: 685e6488e88b4da1f65728ce3e959fe3d145a23c0c1b6b40e33c2d5a21fed32e87e0ab91a97a4b5f0a2aee435673af0164a71857f9fbfafbcacdfa3babccb6fc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 1bf34d92850a2fbc6127cee4b884403b
SHA1: 34efe278c8145fb502d5c6f7bf2382d8d26f5abf
SHA256: e799a914557b2e56cc0b982b5aed379ab2cb989be8aa54726b2ad7acaf03aef1
SHA512: 7cac51bedc2651888c0df6979656197a04692a676a7dec6052bf4ae65e0f29efff6cc01221382bff597973e429c9f051675021acb78a9faf4b061f5452b9fa0c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: 8378cfdfec157f601f4b509bf1d03780
SHA1: 62e63a459519328d1de0fc310da88bcc5fff6325
SHA256: b2d40f4d29967eb09fa9e614ce99039200d678b4565be220784d0d5250790ccd
SHA512: e8af2031e16aae42ceb9a0f3c38df5975bf51aa8139b586d3bf1233cbf242c7a77ba999b8e5445f46fdef946980b9a715ce605febd16051ebff6e38e5d932f3c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: a0fef964359b09549ba91d17d4323a93
SHA1: d9097ffee0af9a5f749192b97bfaadf3de648020
SHA256: 7cb01f05809700e087b0d4e5cdf850dfbec799d3ed2d1583561b4fdbe9c63506
SHA512: c09b38472efd64112b78d42e7c00426a7157eceead359b6627388b39cfe1ef93b314302a43105c523311c9eda0d3fde871c5f270035a0fb62b227f7e7afc4157
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 12KB
MD5: a62600622dde70c55df03f99824db30a
SHA1: aebca412fad6ac05c129437443a313e328050017
SHA256: 18ced5c76e3d92f7c5054522669e6a2c02607285d83c87079d77822779f00315
SHA512: 20e79804f6f53ad41914442d24a53169f30884682b862045932c33b7cd82bd06511698cff939d49a615b354583d4d3e79b77f3995aa7ce9c9a284f04b654e2fb
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\10KQH7L4\account.live[1].xml
Filesize: 13B
MD5: c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1: 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256: b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512: 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_Core_SDK_3.1.417_(x64)_20240622150529_000_dotnet_runtime_3.1.23_win_x64.msi.log
Filesize: 3KB
MD5: 2e9040d53b4760fcfd1e7e689088ded7
SHA1: 432e37e0e9905942fdbe4dbc969599e3fd35492d
SHA256: 57569983f2322c69735300700703cc6f46ad5997172eb0f1422775ab1ef8865a
SHA512: 708329b94d716680c091cc94654d8b7771ddde34be7ecaf96906dca5aafb05914bf5f03433b2fc08aa6de04262950c85f6d54e2397de88fee760adae434ebdc3
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_Core_SDK_3.1.417_(x64)_20240622150529_001_dotnet_hostfxr_3.1.23_win_x64.msi.log
Filesize: 2KB
MD5: 97d938698a9c0b2fd2d3ee3f3a9953c8
SHA1: ab66066f185ed9765dfe253e789c5c949d51498e
SHA256: 157f244e791784343034b9029b58e7f289900139b78817a455699f67c7b19b43
SHA512: ae0afd41ef0d26d8a2384aaf4e5c375474a498e13a7d15d3846bbf2c063b0ef20388f27f3d2f87e60f1d91c8d7eaf4b8ec565d3cd1d66b09eecd9c4d92f621b0
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_Core_SDK_3.1.417_(x64)_20240622150529_002_dotnet_host_3.1.23_win_x64.msi.log
Filesize: 2KB
MD5: 6a597514dd09ef62b41c6a2223053a45
SHA1: 440267b8a5c4af1798cec57f4d20443a5e96cd55
SHA256: 999aafff897ac14224d245a3f7cbfde92dbf83ed1de58d9359d037ee081b6449
SHA512: c25f8257ed6c2a12589be5e03af7b51dff3e32463b6d1c2661600cedd98654e5fefb071d2bd16dfdce7d54f5f4026531d19a508800b6f8eef27dec6c5b74f904
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_Core_SDK_3.1.417_(x64)_20240622150529_003_dotnet_targeting_pack_3.1.0_win_x64.msi.log
Filesize: 2KB
MD5: 9a44b9dc31d53b78fea4d97703ccc61c
SHA1: 403bf2b16fd3f261a32ca38e7a083310d685fc03
SHA256: 1a7e7a289381a76d54d2f086fe2d8d0881636d1f5cef54ee43d8fd0f5ec281d9
SHA512: a0e47a152784c837a9d331421ebbb70c084a262cf0332dc2708ef35ee86d08562756362436a9c21a7b70f29935f1fd40f8333858f7948f456a386b5d18f8c230
-
C:\Users\Admin\AppData\Local\Temp\Microsoft_.NET_Core_SDK_3.1.417_(x64)_20240622150529_004_dotnet_apphost_pack_3.1.23_win_x64.msi.log
Filesize: 2KB
MD5: 869c51605ec6703a0e7ec4e840dedfe0
SHA1: 063624748725375d968e13db55e014a7afcccd3d
SHA256: 95d775ad873341a71b88e2ff3dd28790753f0b2a1e9e3ba4ff0e13b19a770790
SHA512: 5ba5a5e799d23de7200ef70c31e2de47764fcc62e5c86fb939a98ed476e2694a9c8c561515677aae095e500ecd189f476fc2b43cb14b133df4e1884bc5423d08
-
C:\Users\Admin\Downloads\Rift-2.2.1.0.zip
Filesize: 7.3MB
MD5: fc332b7d4d15da6be0615be37e280789
SHA1: 5e93ce41c14a784734c381ca49385a2c57130995
SHA256: 837ec0e9287fcb56331695971c618ce18f14dff0107ccd5749bd51c75bccc6d6
SHA512: 962ab673d36d3e3856fd3ec5de3671eeb9c11039e34d988b98765d42f6b75ab460ee83ad32d6bd39e21ecb01b6a0758caca19956a7a33543e25810497ddaea27
-
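The Rift-2.2.1.0.zip record above is the download the sample runs from (Rift.exe is executed out of the unpacked Rift-2.2.1.0 folder in the process list); most of the rest of this list is Edge updater and .NET SDK installer output. A triager who obtains a copy of the archive will want to match it against all four digests at once rather than eyeball one of them. The parser and checker below are an added example, not the sandbox's own tooling; the record text embedded in it is copied from the entry above, and the file used in the usage note is constructed.

```python
"""Parse one dropped-file record from the report's Downloads list and verify a
local file against every digest it carries. Added example, not part of the
sandbox's tooling; RIFT_ZIP_RECORD is copied from the Rift-2.2.1.0.zip entry."""
import hashlib
import re

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Matches both "MD5: fc33..." and the fused extraction form "MD5fc33...".
# SHA1 is tried before SHA256/SHA512 so a "SHA1..." line keeps its prefix.
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*:?\s*([0-9a-fA-F]+)$")

RIFT_ZIP_RECORD = """\
C:\\Users\\Admin\\Downloads\\Rift-2.2.1.0.zip
Filesize: 7.3MB
MD5: fc332b7d4d15da6be0615be37e280789
SHA1: 5e93ce41c14a784734c381ca49385a2c57130995
SHA256: 837ec0e9287fcb56331695971c618ce18f14dff0107ccd5749bd51c75bccc6d6
SHA512: 962ab673d36d3e3856fd3ec5de3671eeb9c11039e34d988b98765d42f6b75ab460ee83ad32d6bd39e21ecb01b6a0758caca19956a7a33543e25810497ddaea27
"""


def parse_record(text: str) -> dict:
    """Return {"path", "size", "digests": {algo: hex}}. Accepts the cleaned
    layout above and the fused one ("...zipFilesize" / "55KB" / "MD5d0d7...").
    A digest of the wrong length raises instead of being silently accepted."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "-"]
    rec = {"path": None, "size": None, "digests": {}}
    size_on_next_line = False
    for ln in lines:
        m = HASH_LINE.match(ln)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo}: {len(digest)} hex chars, expected {DIGEST_LEN[algo]}")
            rec["digests"][algo] = digest
            continue
        if "Filesize" in ln:
            before, _, after = ln.partition("Filesize")
            if before.strip():
                rec["path"] = before.strip()
            after = after.lstrip(":").strip()
            if after:
                rec["size"] = after
            else:
                size_on_next_line = True
            continue
        if size_on_next_line:
            rec["size"] = ln
            size_on_next_line = False
        elif rec["path"] is None:
            rec["path"] = ln
    if rec["path"] is None or not rec["digests"]:
        raise ValueError("record lacks a path or any digest")
    return rec


def hash_file(path: str, algos) -> dict:
    """Stream the file once and compute every requested digest."""
    hashers = {a: hashlib.new(a.lower()) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_file(path: str, record: dict) -> dict:
    """{algo: bool} for each digest in the record. Any False means the file on
    disk is not the artifact the sandbox hashed, whatever the other digests say."""
    actual = hash_file(path, tuple(record["digests"]))
    return {a: actual[a] == expected for a, expected in record["digests"].items()}


if __name__ == "__main__":
    import sys
    record = parse_record(RIFT_ZIP_RECORD)
    if len(sys.argv) > 1:
        print(verify_file(sys.argv[1], record))
    else:
        print(record)
```

Run with a path argument it prints one boolean per algorithm for that file; without one it prints the parsed record. Comparing all four digests costs one pass over the file and removes the temptation to accept an MD5 match alone.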
C:\Users\Admin\Downloads\Unconfirmed 456478.crdownload
Filesize: 1.6MB
MD5: db7fb67fcec9f1c442de25f3ad59f50c
SHA1: b600aa26d1cded59760304c6d77f4ff75722eabd
SHA256: c227208854734bbd38c9f74f39034111733da5c7ce71515b1610aedd79417f9f
SHA512: c14ec7d252a6f201dfea476d302fbc5140713cb4ea7bc8d4e610bfd806b3fa3c141153e2e9b8cb36255fba1fab4d4400ed83f5f5c1228d77d77bace41d5de7fe
-
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize: 190B
MD5: b0d27eaec71f1cd73b015f5ceeb15f9d
SHA1: 62264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA256: 86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA512: 7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c
-
C:\Windows\Installer\MSI2645.tmp
Filesize: 202KB
MD5: b2052adb8202ed24034dee4cc7bb8515
SHA1: 9cab6ba0a629f26a0031ef7aa47f7a25eb7093cb
SHA256: 20056d3a5c6115fae1c4169cd5e236897215b340cb1feac71ec8297191db76b9
SHA512: f8ace80d9042f9a66c5db6f5caa4e8237b4fa88b9e3fb25845313b531e8b9e38b262f5a4c74ece0d273cdc2e0017af0b046744d620feb36c2ae81c94ea1a022b
-
C:\Windows\Installer\MSIF26A.tmp
Filesize: 225KB
MD5: d711da8a6487aea301e05003f327879f
SHA1: 548d3779ed3ab7309328f174bfb18d7768d27747
SHA256: 3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283
SHA512: c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\.ba\bg.png
Filesize: 4KB
MD5: 9eb0320dfbf2bd541e6a55c01ddc9f20
SHA1: eb282a66d29594346531b1ff886d455e1dcd6d99
SHA256: 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA512: 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\.ba\wixstdba.dll
Filesize: 197KB
MD5: 4356ee50f0b1a878e270614780ddf095
SHA1: b5c0915f023b2e4ed3e122322abc40c4437909af
SHA256: 41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
SHA512: b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\AspNetCoreSharedFramework_x64
Filesize: 7.4MB
MD5: d34d4f1d159116e71a7e1872f04cd21d
SHA1: a97e6da8ebfb7b76308d2f455ebb45558d5d4fd4
SHA256: 7d811d61fd5e7d4ddfd36d74c840251763727a777e97e7bccdb0cb490bf97c14
SHA512: 71094f94f1f23a8388802673d580fb77d428c4e4e7a238e8d028610adcccb05b33042470f7b00d184de3acf3237cb7a8cad5bf8b08bab966713bb269f35d0886
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\aspnetcore_targeting_pack_3.1.10_servicing.20520.4_win_x64.msi
Filesize: 1.7MB
MD5: 15e6242bc595221796db260f2272d6c8
SHA1: 56459d67eea54046252ed6bc20c12feed8ac4049
SHA256: 95c883c38b35bf3118fb7ede1940d7b29216e2c85ceeddaea23d898f02cf1d35
SHA512: e033b62e1750d801a4d2158e5a0fe64b053b582467a0e361acd24d58f298c2a53cce880dd0dbe8209965200fe9c7ff4eea1d9c8b96b3118bb1256f9db157c7f9
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\dotnet_31templates_3.1.417_servicing_015931_win_x64.msi
Filesize: 2.3MB
MD5: b579f4236fb254d81cc95d765820e6bd
SHA1: 4b26c4489851f2a714d69d79e1b3638b1056849c
SHA256: 7f5bfe739426cb761ce0faeab459af18e99b5a09d85901c8b61cd6bcd18a33bf
SHA512: 6d6d476973ca54a8e28e8c5d88542153f26f2858657327f4b0900e77df7dc2a0f051a37dc3ba88cb6e884e54c0fdfee7a6bb2530f46dea9933440e4b2a8e238f
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\dotnet_apphost_pack_3.1.23_win_x64.msi
Filesize: 916KB
MD5: a5d8e81fd1eae020ecc975d3f2878236
SHA1: 3d4564cb9ed673ab54d294b57cdad9eb2be2f74a
SHA256: 705649e276ac73c5f0b6eb91c364c896a4cccb75d74076ee2731a48e6462c482
SHA512: 9491f7e4d9c299a67f12a42c3b455809650f3c8d5b0e139413c7fac39e99e8502024bcd06da35e5267be204578d77e68091609daafc04db22bf569c52dd430a0
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\dotnet_apphost_pack_3.1.23_win_x64_arm.msi
Filesize: 884KB
MD5: 0443c39c5e8a534248196e431ec4a0f3
SHA1: d0613deffe00af434a8be442aaa0f2b9cb9d880c
SHA256: 9c1ac294893d07c9113ca253511af0efe8dd285d4ddc76bd11892420a5e25a52
SHA512: 9cfcd19e26468d677e421b5aab7d834a0588e2b7c55559a0b09c16f36b8e305e229460ca995c932b766a06682c5f0b5db4baae44e9371d084122b2c895ee040d
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\dotnet_apphost_pack_3.1.23_win_x64_arm64.msi
Filesize: 884KB
MD5: d24647a56bfcc464f349994dc23f33ac
SHA1: 4a889768ed3f37ad51463a4b1f428be00468cb26
SHA256: 4513f2d16e37c56cf6ca702338548ede3edff3c98c6e8beeae7745484aa41e55
SHA512: 065a99915bd1812917b98a323d276b331be8436c2f5e11e89b196945b87bc0bbd544b5caf039513670bcd483f1be7891cb61fb6f97caa6ea2e20abcabca28138
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\dotnet_apphost_pack_3.1.23_win_x64_x86.msi
Filesize: 880KB
MD5: 2272ab912f4e8b99030d8921b2cee8f3
SHA1: a10267cb8e5b416350ecf745e7ca51481f84e5e6
SHA256: 0a8820aa0387e94a7a88eea93745274ab61f1b3d2dae13facb6f92909e5333ff
SHA512: 31b2ec049bd6954f74a654aa55ceda93147ca9f83ab560be2ef1997c2dacc22cac53dc3a6328fdd4ec3350b32c693a29e07b71a68d330043ba26909b3a0be478
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\dotnet_host_3.1.23_win_x64.msi
Filesize: 736KB
MD5: aceda5df5ce45a37b8c490c1f0d01dd0
SHA1: 2c6a116000797a07d6816d7bb3ec841f11a1a9e3
SHA256: 237715d70986cac351308471e9c3b1a0280112aa6a95589cafc64d3b6c97370a
SHA512: d7a3e0a7c317edbaab3b447f9d17c5a11d15b745a3c389a679bc9c2a12d87695ef20131f8ce857821280bb71f9770e2b0b28e3fb8872cc1a5b006fc5f5f04415
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\dotnet_hostfxr_3.1.23_win_x64.msi
Filesize: 876KB
MD5: bdac47081ffc5138218a4b915292be40
SHA1: 28e110d0341135f83f9a387835f6a9ce2e166963
SHA256: e144502d8e1a0e48149d9108e601a916a6c0bacc6580a412d95d385b1c0f67c2
SHA512: 165db17a407f3dcfb0c97175c355b8621f3a8219d1aaf814bb4d377f7ab389674d8968aa1206624f1aaa2542580a900b81550ced9a2cde7fc6aee4fcddee456e
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\dotnet_runtime_3.1.23_win_x64.msi
Filesize: 24.0MB
MD5: 6c0ea403d3fb2a8aa34c888d11e7fbce
SHA1: e87c87c7e6d3623254a89c1d73e05bdad930e252
SHA256: 5987cfc1c25822049c0efc632971b79ca0e7c6c63831f59dc2711853599799d2
SHA512: a2f4f2f4dbd96a000337a8709178267a4ce0c4ebd270f562a0ebc8247f18484ba9327f30fa0e576e9884c3ec055423b25d10da582dbdaca27c48838ddb26c2a8
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\dotnet_targeting_pack_3.1.0_win_x64.msi
Filesize: 2.9MB
MD5: ad23a50ee625c2d80c0034df504978c0
SHA1: 7f3aaf89187d5af92288e90777cee6ffcd7c48d4
SHA256: 3d5db01fa2190c57b265d499fb5bd7d375e458878821bab4e0b878ce8f93ef5f
SHA512: 27f02dbe49094f2c691aede8eb4ec81cc76913e3626a8bd181ef83f2b01b44a42862de1f6471ec844966608e04b070860afb5cff92cd2e5b59000104c6f3fa83
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\netstandard_targeting_pack_2.1.0_win_x64.msi
Filesize: 2.2MB
MD5: 584af811f7462070bd3c37d1b57f3583
SHA1: 72444392f17cb5cecfa7c913fbb2706b5c01c242
SHA256: d270e7f8f29ecf30bf4e06d21663ec1a36cfbd8d535cd1a4d011d693e646506f
SHA512: ba4cfe9fff8516de39333f6d71a3baa2c3b0d1f0d53b0bc7cf4be70b8c2245a9653485f6eb2d85e36574dcb1dae9bbe4009a2a315f52b5a3710d479115cdffb2
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\windowsdesktop_runtime_3.1.23_win_x64.msi
Filesize: 27.3MB
MD5: b4152fb7a315afa33b75af365a28ab64
SHA1: 6fb12e36cdffc4d6267d8678c9eb5eda513771d3
SHA256: c40965dad99d9833a99ad145d0d6c7565e7de5d9eac9aba911ea126efcd9203a
SHA512: 6bce164c2ab5805904214e2bbeddc4e4d276781abf88b6c13a3b35b55c82657b94c29ccb2da1d2e770ce2001d29524c14813d15ac3f1277f44bb00cf5431054e
-
C:\Windows\Temp\{368FB190-7207-459A-98EC-726B5E13FFF9}\windowsdesktop_targeting_pack_3.1.0_win_x64.msi
Filesize: 3.2MB
MD5: 9752caa84adad4820351ff015063e781
SHA1: 55a62e73daceac6272a9a8f997bf39d477910f84
SHA256: 6c00f3386f793b1d5274a51686547d24277e9233725f1a4fb67401f008590ee7
SHA512: eb564ebe082cda495fac4e0a85651c642b859994e7e79de463bb32145a96a8d251a28515c3a5e985f6bed44adbdf04c83aba6bcb6683cb7a1b6f2cf4b3b89cf6
-
C:\Windows\Temp\{FE3CC186-00E9-4CF1-84B6-487E7481ACA1}\.cr\dotnet-sdk-3.1.417-win-x64.exe
Filesize:
606KB
MD5dc89fb275eb58a4925618726851b9939
SHA102c5e7c78307a79a3e661582ce13fae6b8367a43
SHA256cacb138abb59d520baa3dfa4d9132f4f3a9cbb042d617ecde2d691f76804f7c9
SHA5125dac4d80f25a35e9b106cd8b5126f02401d5ae437847d84e66df41c26a8aef8595f8eccbe28022ed64952960b3bfa003dcd2badc3f137a71607e67400b03711a
-
\??\pipe\LOCAL\crashpad_4476_PXHYONPMPEELNIFTMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/892-5871-0x0000019705CD0000-0x0000019705CD1000-memory.dmpFilesize
4KB
-
memory/892-5870-0x0000019705CD0000-0x0000019705CD1000-memory.dmpFilesize
4KB
-
memory/892-5863-0x0000019705CD0000-0x0000019705CD1000-memory.dmpFilesize
4KB
-
memory/892-5864-0x0000019705CD0000-0x0000019705CD1000-memory.dmpFilesize
4KB
-
memory/892-5865-0x0000019705CD0000-0x0000019705CD1000-memory.dmpFilesize
4KB
-
memory/892-5869-0x0000019705CD0000-0x0000019705CD1000-memory.dmpFilesize
4KB
-
memory/892-5875-0x0000019705CD0000-0x0000019705CD1000-memory.dmpFilesize
4KB
-
memory/892-5874-0x0000019705CD0000-0x0000019705CD1000-memory.dmpFilesize
4KB
-
memory/892-5873-0x0000019705CD0000-0x0000019705CD1000-memory.dmpFilesize
4KB
-
memory/892-5872-0x0000019705CD0000-0x0000019705CD1000-memory.dmpFilesize
4KB
-
memory/2324-6074-0x0000017474E10000-0x0000017474E30000-memory.dmpFilesize
128KB
-
memory/2324-6181-0x0000017478150000-0x0000017478250000-memory.dmpFilesize
1024KB
-
memory/2324-7054-0x0000017477780000-0x00000174777A0000-memory.dmpFilesize
128KB
-
memory/2324-6188-0x0000017478360000-0x0000017478460000-memory.dmpFilesize
1024KB
-
memory/2324-6217-0x00000174784D0000-0x00000174785D0000-memory.dmpFilesize
1024KB
-
memory/2324-6259-0x0000017478EF0000-0x0000017478FF0000-memory.dmpFilesize
1024KB
-
memory/2324-6182-0x0000017478150000-0x0000017478250000-memory.dmpFilesize
1024KB
-
memory/2324-6554-0x000001747A000000-0x000001747A020000-memory.dmpFilesize
128KB
-
memory/2324-6177-0x0000017477E20000-0x0000017477E40000-memory.dmpFilesize
128KB
-
memory/2324-6334-0x00000174793F0000-0x00000174794F0000-memory.dmpFilesize
1024KB
-
memory/2324-6336-0x000001747A680000-0x000001747A780000-memory.dmpFilesize
1024KB
-
memory/2324-6515-0x000001747B680000-0x000001747B780000-memory.dmpFilesize
1024KB
-
memory/4524-5366-0x0000000074500000-0x000000007471F000-memory.dmpFilesize
2.1MB
-
memory/4524-5382-0x0000000074500000-0x000000007471F000-memory.dmpFilesize
2.1MB
-
memory/4524-5433-0x00000000009F0000-0x0000000000A25000-memory.dmpFilesize
212KB
-
memory/4524-5365-0x00000000009F0000-0x0000000000A25000-memory.dmpFilesize
212KB