Analysis
-
max time kernel
1799s -
max time network
1178s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-06-2024 09:42
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
http://getwave.gg
Resource
win10v2004-20240508-en
General
-
Target
http://getwave.gg
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes:
setup.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\126.0.2592.81\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components setup.exe -
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
Processes:
MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0" MicrosoftEdgeUpdate.exe -
Checks computer location settings 2 TTPs 5 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
MicrosoftEdgeUpdate.exeWaveInstaller.exeWaveBootstrapper.exeWaveWindows.exeBloxstrap.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation WaveInstaller.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation WaveBootstrapper.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation WaveWindows.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation Bloxstrap.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 49 IoCs
Processes:
WaveInstaller.exeWaveBootstrapper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exenode.exeBloxstrap.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_126.0.2592.81.exesetup.exesetup.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateSetup_X86_1.3.187.41.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeBGAUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdge_X64_126.0.2592.81.exesetup.exesetup.exesetup.exesetup.exesetup.exesetup.exeMicrosoftEdgeUpdate.exepid process 648 WaveInstaller.exe 3056 WaveBootstrapper.exe 3264 WaveWindows.exe 4368 CefSharp.BrowserSubprocess.exe 1232 CefSharp.BrowserSubprocess.exe 6044 node.exe 4112 Bloxstrap.exe 6824 MicrosoftEdgeWebview2Setup.exe 4428 MicrosoftEdgeUpdate.exe 7604 MicrosoftEdgeUpdate.exe 7240 MicrosoftEdgeUpdate.exe 2016 MicrosoftEdgeUpdateComRegisterShell64.exe 7296 MicrosoftEdgeUpdateComRegisterShell64.exe 7892 MicrosoftEdgeUpdateComRegisterShell64.exe 7804 MicrosoftEdgeUpdate.exe 7896 MicrosoftEdgeUpdate.exe 7776 MicrosoftEdgeUpdate.exe 7756 MicrosoftEdgeUpdate.exe 7616 MicrosoftEdge_X64_126.0.2592.81.exe 7416 setup.exe 7376 setup.exe 8140 CefSharp.BrowserSubprocess.exe 5712 CefSharp.BrowserSubprocess.exe 2444 MicrosoftEdgeUpdate.exe 4056 MicrosoftEdgeUpdate.exe 6700 MicrosoftEdgeUpdate.exe 6436 MicrosoftEdgeUpdateSetup_X86_1.3.187.41.exe 6452 MicrosoftEdgeUpdate.exe 6600 MicrosoftEdgeUpdate.exe 6596 MicrosoftEdgeUpdate.exe 6532 MicrosoftEdgeUpdate.exe 6508 MicrosoftEdgeUpdateComRegisterShell64.exe 2256 MicrosoftEdgeUpdateComRegisterShell64.exe 3820 MicrosoftEdgeUpdateComRegisterShell64.exe 212 MicrosoftEdgeUpdate.exe 7908 MicrosoftEdgeUpdate.exe 7924 MicrosoftEdgeUpdate.exe 3640 MicrosoftEdgeUpdate.exe 2136 BGAUpdate.exe 3256 MicrosoftEdgeUpdate.exe 5972 MicrosoftEdgeUpdate.exe 6808 MicrosoftEdge_X64_126.0.2592.81.exe 7764 setup.exe 1728 setup.exe 1740 setup.exe 6464 setup.exe 7772 setup.exe 7620 setup.exe 6384 MicrosoftEdgeUpdate.exe -
Loads dropped DLL 64 IoCs
Processes:
WaveBootstrapper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exepid process 3056 WaveBootstrapper.exe 3264 WaveWindows.exe 3264 WaveWindows.exe 3264 WaveWindows.exe 3264 WaveWindows.exe 3264 WaveWindows.exe 4368 CefSharp.BrowserSubprocess.exe 4368 CefSharp.BrowserSubprocess.exe 4368 CefSharp.BrowserSubprocess.exe 4368 CefSharp.BrowserSubprocess.exe 4368 CefSharp.BrowserSubprocess.exe 4368 CefSharp.BrowserSubprocess.exe 4368 CefSharp.BrowserSubprocess.exe 4368 CefSharp.BrowserSubprocess.exe 4368 CefSharp.BrowserSubprocess.exe 4368 CefSharp.BrowserSubprocess.exe 4368 CefSharp.BrowserSubprocess.exe 1232 CefSharp.BrowserSubprocess.exe 1232 CefSharp.BrowserSubprocess.exe 1232 CefSharp.BrowserSubprocess.exe 1232 CefSharp.BrowserSubprocess.exe 1232 CefSharp.BrowserSubprocess.exe 1232 CefSharp.BrowserSubprocess.exe 1232 CefSharp.BrowserSubprocess.exe 3264 WaveWindows.exe 4428 MicrosoftEdgeUpdate.exe 7604 MicrosoftEdgeUpdate.exe 7240 MicrosoftEdgeUpdate.exe 2016 MicrosoftEdgeUpdateComRegisterShell64.exe 7240 MicrosoftEdgeUpdate.exe 7296 MicrosoftEdgeUpdateComRegisterShell64.exe 7240 MicrosoftEdgeUpdate.exe 7892 MicrosoftEdgeUpdateComRegisterShell64.exe 7240 MicrosoftEdgeUpdate.exe 7804 MicrosoftEdgeUpdate.exe 7896 MicrosoftEdgeUpdate.exe 7776 MicrosoftEdgeUpdate.exe 7776 MicrosoftEdgeUpdate.exe 7896 MicrosoftEdgeUpdate.exe 7756 MicrosoftEdgeUpdate.exe 8140 CefSharp.BrowserSubprocess.exe 8140 CefSharp.BrowserSubprocess.exe 8140 CefSharp.BrowserSubprocess.exe 8140 CefSharp.BrowserSubprocess.exe 8140 CefSharp.BrowserSubprocess.exe 8140 CefSharp.BrowserSubprocess.exe 8140 CefSharp.BrowserSubprocess.exe 5712 CefSharp.BrowserSubprocess.exe 5712 CefSharp.BrowserSubprocess.exe 5712 CefSharp.BrowserSubprocess.exe 5712 CefSharp.BrowserSubprocess.exe 5712 CefSharp.BrowserSubprocess.exe 5712 CefSharp.BrowserSubprocess.exe 5712 CefSharp.BrowserSubprocess.exe 5712 CefSharp.BrowserSubprocess.exe 2444 MicrosoftEdgeUpdate.exe 4056 MicrosoftEdgeUpdate.exe 6700 MicrosoftEdgeUpdate.exe 6700 MicrosoftEdgeUpdate.exe 4056 MicrosoftEdgeUpdate.exe 6452 MicrosoftEdgeUpdate.exe 6600 MicrosoftEdgeUpdate.exe 6596 MicrosoftEdgeUpdate.exe 6532 MicrosoftEdgeUpdate.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
BGAUpdate.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\!BCILauncher = "\"C:\\Windows\\Temp\\MUBSTemp\\BCILauncher.EXE\" bgaupmi=233D2E5AEB124512B75867759D00E512" BGAUpdate.exe -
Checks for any installed AV software in registry 1 TTPs 4 IoCs
Processes:
WaveWindows.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\KasperskyLab\Session WaveWindows.exe Key opened \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\KasperskyLab WaveWindows.exe Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\KasperskyLab WaveWindows.exe Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\KasperskyLab\LastUsername WaveWindows.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 8 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Processes:
setup.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects setup.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Checks system information in the registry 2 TTPs 30 IoCs
System information is often read in order to detect sandboxing environments.
Processes:
MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exedescription ioc process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer MicrosoftEdgeUpdate.exe -
Drops file in System32 directory 1 IoCs
Processes:
setup.exedescription ioc process File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk setup.exe -
Drops file in Program Files directory 64 IoCs
Processes:
setup.exesetup.exeMicrosoftEdgeUpdateSetup_X86_1.3.187.41.exesetup.exeMicrosoftEdgeWebview2Setup.exesetup.exesetup.exesetup.exedescription ioc process File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\vcruntime140.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\bs.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\d3dcompiler_47.dll setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\mip_protection_sdk.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.81\Locales\sq.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\onramp.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\pa.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU4FDE.tmp\msedgeupdateres_ms.dll MicrosoftEdgeUpdateSetup_X86_1.3.187.41.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\MEIPreload\preloaded_data.pb setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\es.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\identity_proxy\win10\identity_helper.Sparse.Dev.msix setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\vccorlib140.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\identity_proxy\win10\identity_helper.Sparse.Beta.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.81\Locales\hi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.81\Locales\sl.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\1740_13364215102390232_1740.pma setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUCDF5.tmp\psmachine_arm64.dll MicrosoftEdgeWebview2Setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\en-US.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\de.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\edge_feedback\mf_trace.wprp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7772_13364215102731239_7772.pma setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\show_third_party_software_licenses.bat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\sr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\wdag.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\en-US.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\sr-Cyrl-BA.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\hu.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EU4FDE.tmp\msedgeupdateres_km.dll MicrosoftEdgeUpdateSetup_X86_1.3.187.41.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.81\Locales\cy.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\resources.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\VisualElements\SmallLogo.png setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.81\identity_proxy\win11\identity_helper.Sparse.Internal.msix setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source7416_1009125996\msedge_7z.data setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\delegatedWebFeatures.sccd setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\mi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\te.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\msedge_100_percent.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\am.pak setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUCDF5.tmp\MicrosoftEdgeUpdate.exe MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\Mu\Analytics setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\nb.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.81\Trust Protection Lists\Mu\Social setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\msvcp140.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\fi.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\edge_feedback\camera_mf_trace.wprp setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\fr-CA.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\oneds.dll setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\settings.dat setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\Sigma\Staging setup.exe File created C:\Program Files (x86)\Microsoft\Temp\EUCDF5.tmp\msedgeupdateres_it.dll MicrosoftEdgeWebview2Setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\ca-Es-VALENCIA.pak setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\msedge.dll.sig setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\vulkan-1.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\it.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\mt.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\hr.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\sl.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.81\Trust Protection Lists\Mu\LICENSE setup.exe File opened for modification C:\Program Files\MsEdgeCrashpad\throttle_store.dat setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\mk.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Trust Protection Lists\Mu\Entities setup.exe File created C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Locales\vi.pak setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\wns_push_client.dll setup.exe File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\126.0.2592.81\Locales\af.pak setup.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
firefox.exefirefox.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe -
Processes:
setup.exedescription ioc process Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\126.0.2592.81\\BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\126.0.2592.81\\BHO" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe" setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29} setup.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3" setup.exe Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge setup.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute setup.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
MicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exesetup.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0" setup.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdgeUpdate.exe -
Modifies registry class 64 IoCs
Processes:
firefox.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdateComRegisterShell64.exeMicrosoftEdgeUpdate.exesetup.exeBloxstrap.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings firefox.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8B15189E-5465-4166-933D-1EABAD9648CB}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachine" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E3D94CEB-EC11-46BE-8872-7DDCE37FABFA}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine_64.dll" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ = "IRegistrationUpdateHook" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ = "IGoogleUpdate3Web" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\NumMethods\ = "9" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.187.41\\MicrosoftEdgeUpdateBroker.exe\"" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe,0" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods\ = "5" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\ = "IAppCommand2" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC} MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD} MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\LOCALSERVER32 MicrosoftEdgeUpdate.exe Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\roblox-player\shell\open Bloxstrap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xml\OpenWithProgIds\MSEdgeHTM setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5F6A18BB-6231-424B-8242-19E5BB94F8ED}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\MicrosoftEdgeUpdateOnDemand.exe\"" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\LocalServer32 MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationName = "Microsoft Edge" setup.exe Key created \REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas\command setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32 MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods\ = "12" MicrosoftEdgeUpdateComRegisterShell64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\VERSIONINDEPENDENTPROGID MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\MSEdgeHTM setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\LocalServer32 MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0} MicrosoftEdgeUpdate.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32 MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\TypeLib\ = "{2397ECFE-3237-400F-AE51-62B25B3F15B5}" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass.1\CLSID\ = "{8F09CD6C-5964-4573-82E3-EBFF7702865B}" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ = "IGoogleUpdate3Web" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE} MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\ = "IGoogleUpdate3" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine" MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23" MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83} MicrosoftEdgeUpdateComRegisterShell64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\AppUserModelId = "MSEdge" setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32\ = "{8B15189E-5465-4166-933D-1EABAD9648CB}" MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32 MicrosoftEdgeUpdate.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithProgIds\MSEdgeMHT setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.171.39\\psmachine.dll" MicrosoftEdgeUpdate.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods MicrosoftEdgeUpdateComRegisterShell64.exe -
NTFS ADS 1 IoCs
Processes:
firefox.exedescription ioc process File created C:\Users\Admin\Downloads\WaveInstaller.exe:Zone.Identifier firefox.exe -
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
msedge.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeMicrosoftEdgeUpdate.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exeBloxstrap.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exepid process 6000 msedge.exe 6000 msedge.exe 3264 WaveWindows.exe 3264 WaveWindows.exe 4368 CefSharp.BrowserSubprocess.exe 4368 CefSharp.BrowserSubprocess.exe 1232 CefSharp.BrowserSubprocess.exe 1232 CefSharp.BrowserSubprocess.exe 3264 WaveWindows.exe 4428 MicrosoftEdgeUpdate.exe 4428 MicrosoftEdgeUpdate.exe 8140 CefSharp.BrowserSubprocess.exe 8140 CefSharp.BrowserSubprocess.exe 5712 CefSharp.BrowserSubprocess.exe 5712 CefSharp.BrowserSubprocess.exe 5712 CefSharp.BrowserSubprocess.exe 5712 CefSharp.BrowserSubprocess.exe 4428 MicrosoftEdgeUpdate.exe 4428 MicrosoftEdgeUpdate.exe 4428 MicrosoftEdgeUpdate.exe 4428 MicrosoftEdgeUpdate.exe 4112 Bloxstrap.exe 4056 MicrosoftEdgeUpdate.exe 4056 MicrosoftEdgeUpdate.exe 4056 MicrosoftEdgeUpdate.exe 4056 MicrosoftEdgeUpdate.exe 6700 MicrosoftEdgeUpdate.exe 6700 MicrosoftEdgeUpdate.exe 6600 MicrosoftEdgeUpdate.exe 6600 MicrosoftEdgeUpdate.exe 7908 MicrosoftEdgeUpdate.exe 7908 MicrosoftEdgeUpdate.exe 7908 MicrosoftEdgeUpdate.exe 7908 MicrosoftEdgeUpdate.exe 5972 MicrosoftEdgeUpdate.exe 5972 MicrosoftEdgeUpdate.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
firefox.exeWaveInstaller.exeWaveBootstrapper.exeWaveWindows.exeCefSharp.BrowserSubprocess.exeCefSharp.BrowserSubprocess.exedescription pid process Token: SeDebugPrivilege 4700 firefox.exe Token: SeDebugPrivilege 4700 firefox.exe Token: SeDebugPrivilege 648 WaveInstaller.exe Token: SeDebugPrivilege 3056 WaveBootstrapper.exe Token: SeDebugPrivilege 3264 WaveWindows.exe Token: SeDebugPrivilege 4368 CefSharp.BrowserSubprocess.exe Token: SeDebugPrivilege 1232 CefSharp.BrowserSubprocess.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe Token: SeCreatePagefilePrivilege 3264 WaveWindows.exe Token: SeShutdownPrivilege 3264 WaveWindows.exe -
Suspicious use of FindShellTrayWindow 11 IoCs
Processes:
firefox.exeBloxstrap.exeWaveWindows.exepid process 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4112 Bloxstrap.exe 4112 Bloxstrap.exe 3264 WaveWindows.exe -
Suspicious use of SendNotifyMessage 9 IoCs
Processes:
firefox.exeBloxstrap.exepid process 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4112 Bloxstrap.exe 4112 Bloxstrap.exe -
Suspicious use of SetWindowsHookEx 15 IoCs
Processes:
firefox.exenode.exeBloxstrap.exeMicrosoftEdgeWebview2Setup.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exeMicrosoftEdgeUpdate.exepid process 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 4700 firefox.exe 6044 node.exe 4112 Bloxstrap.exe 6824 MicrosoftEdgeWebview2Setup.exe 4428 MicrosoftEdgeUpdate.exe 7604 MicrosoftEdgeUpdate.exe 7240 MicrosoftEdgeUpdate.exe 7804 MicrosoftEdgeUpdate.exe 7896 MicrosoftEdgeUpdate.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
firefox.exefirefox.exedescription pid process target process PID 372 wrote to memory of 4700 372 firefox.exe firefox.exe PID 372 wrote to memory of 4700 372 firefox.exe firefox.exe PID 372 wrote to memory of 4700 372 firefox.exe firefox.exe PID 372 wrote to memory of 4700 372 firefox.exe firefox.exe PID 372 wrote to memory of 4700 372 firefox.exe firefox.exe PID 372 wrote to memory of 4700 372 firefox.exe firefox.exe PID 372 wrote to memory of 4700 372 firefox.exe firefox.exe PID 372 wrote to memory of 4700 372 firefox.exe firefox.exe PID 372 wrote to memory of 4700 372 firefox.exe firefox.exe PID 372 wrote to memory of 4700 372 firefox.exe firefox.exe PID 372 wrote to memory of 4700 372 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 692 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 4248 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 4248 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 4248 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 4248 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 4248 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 4248 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 4248 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 4248 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 4248 4700 firefox.exe firefox.exe PID 4700 wrote to memory of 4248 4700 firefox.exe firefox.exe -
System policy modification 1 TTPs 4 IoCs
Processes:
setup.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID setup.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1" setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\ setup.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://getwave.gg"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://getwave.gg2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.0.1442444933\1344846436" -parentBuildID 20230214051806 -prefsHandle 1740 -prefMapHandle 1732 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7c83f94-0613-4c36-9091-8c84dd77495c} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 1832 162d152dd58 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.1.1081426972\285388431" -parentBuildID 20230214051806 -prefsHandle 2420 -prefMapHandle 2408 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {955b8936-592f-403d-ba12-13ac77eb2b5f} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 2432 162bd28a558 socket3⤵
- Checks processor information in registry
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.2.1777758733\672244482" -childID 1 -isForBrowser -prefsHandle 2876 -prefMapHandle 2956 -prefsLen 23030 -prefMapSize 235121 -jsInitHandle 1116 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c5fd5dd-b623-45f8-9471-2f17fbee1431} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 2944 162d4550258 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.3.215007079\1761928895" -childID 2 -isForBrowser -prefsHandle 3876 -prefMapHandle 3872 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1116 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {41c15acd-0b7c-4dab-8288-805209f932f5} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 3888 162d6393858 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.4.1090697297\1362234069" -childID 3 -isForBrowser -prefsHandle 4940 -prefMapHandle 4956 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1116 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff8177b9-8968-42a2-81ce-5b416a284fd4} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 4964 162d774ca58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.5.815357191\1512650061" -childID 4 -isForBrowser -prefsHandle 5260 -prefMapHandle 5256 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1116 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {416d786d-b593-4ae0-bc91-68c6e0e44fef} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 5268 162d8094758 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.6.1117632552\1182601934" -childID 5 -isForBrowser -prefsHandle 4988 -prefMapHandle 3100 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1116 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ff8e17bf-a089-408d-882b-a6ee925f1a27} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 5364 162d8095058 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4700.7.836769031\552916468" -childID 6 -isForBrowser -prefsHandle 5552 -prefMapHandle 5548 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1116 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fabcd944-d4df-493c-a290-49ada02fa68c} 4700 "\\.\pipe\gecko-crash-server-pipe.4700" 5384 162d8095358 tab3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\WaveInstaller.exe"C:\Users\Admin\Downloads\WaveInstaller.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"C:\Users\Admin\AppData\Local\Wave\WaveWindows.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,15609741207777882255,1472398973480451673,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2068 --mojo-platform-channel-handle=2032 /prefetch:2 --host-process-id=32644⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=2608,i,15609741207777882255,1472398973480451673,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=2612 --mojo-platform-channel-handle=2604 /prefetch:3 --host-process-id=32644⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Luau Language Server\node.exe"C:\Users\Admin\AppData\Local\Luau Language Server\node.exe" server --process-id=32644⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe"C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exe" /silent /install5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Temp\EUCDF5.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EUCDF5.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"6⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.171.39\MicrosoftEdgeUpdateComRegisterShell64.exe"8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDYxMEZENTItNUZFRC00NkM3LTgyNTctRDY5NkIzNzRCQUU4fSIgdXNlcmlkPSJ7NzMzRDc4NzQtMUJDMy00MTFDLUI4RjEtNzNCRjQzQzU0ODI1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InszNkFBRTVFOS1GMzNGLTQ1NjEtOUFEOC1FNUJFMzA5RUY1QjB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RHhPYmpIR2ErblJhMmF0QzN3bytJRXBDNzgrWlllQVVia1hwREMyY2o3VT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE4Ny4zNyIgbmV4dHZlcnNpb249IjEuMy4xNzEuMzkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYyMjMxNDcyMDciIGluc3RhbGxfdGltZV9tcz0iNDI0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg7⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{4610FD52-5FED-46C7-8257-D696B374BAE8}" /silent7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --field-trial-handle=4444,i,15609741207777882255,1472398973480451673,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=4408 --mojo-platform-channel-handle=4440 /prefetch:8 --host-process-id=32644⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe"C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-sandbox --locales-dir-path="C:\Users\Admin\AppData\Local\CefSharp\locales" --resources-dir-path="C:\Users\Admin\AppData\Local\CefSharp" --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\CefSharp" --cefsharpexitsub --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4408,i,15609741207777882255,1472398973480451673,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version --enable-logging=handle --log-file=4520 --mojo-platform-channel-handle=4440 /prefetch:8 --host-process-id=32644⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault1d120508h2062h439fh8583hb11c0ffdeb491⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff9135946f8,0x7ff913594708,0x7ff9135947182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,15580567975853334028,9270909711885580135,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,15580567975853334028,9270909711885580135,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,15580567975853334028,9270909711885580135,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDYxMEZENTItNUZFRC00NkM3LTgyNTctRDY5NkIzNzRCQUU4fSIgdXNlcmlkPSJ7NzMzRDc4NzQtMUJDMy00MTFDLUI4RjEtNzNCRjQzQzU0ODI1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntFOUU5MEYzRi0zNDhBLTQ5RjMtQTU2NS1FNzJBMEU0MzExMzh9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RHhPYmpIR2ErblJhMmF0QzN3bytJRXBDNzgrWlllQVVia1hwREMyY2o3VT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTEwLjAuNTQ4MS4xMDQiIG5leHR2ZXJzaW9uPSIxMTAuMC41NDgxLjEwNCIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYyMjYzNTU5NzgiLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7CB52041-3C1D-44D3-B609-33480DC513CC}\MicrosoftEdge_X64_126.0.2592.81.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7CB52041-3C1D-44D3-B609-33480DC513CC}\MicrosoftEdge_X64_126.0.2592.81.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7CB52041-3C1D-44D3-B609-33480DC513CC}\EDGEMITMP_73312.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7CB52041-3C1D-44D3-B609-33480DC513CC}\EDGEMITMP_73312.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7CB52041-3C1D-44D3-B609-33480DC513CC}\MicrosoftEdge_X64_126.0.2592.81.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level3⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7CB52041-3C1D-44D3-B609-33480DC513CC}\EDGEMITMP_73312.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7CB52041-3C1D-44D3-B609-33480DC513CC}\EDGEMITMP_73312.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.127 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{7CB52041-3C1D-44D3-B609-33480DC513CC}\EDGEMITMP_73312.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=126.0.2592.81 --initial-client-data=0x22c,0x230,0x234,0x208,0x238,0x7ff74aabaa40,0x7ff74aabaa4c,0x7ff74aabaa584⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDYxMEZENTItNUZFRC00NkM3LTgyNTctRDY5NkIzNzRCQUU4fSIgdXNlcmlkPSJ7NzMzRDc4NzQtMUJDMy00MTFDLUI4RjEtNzNCRjQzQzU0ODI1fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InsxMDMxQkQxQy1BMjRFLTQ0NTYtOTBDQi01MTZFNTgyODI2QkN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTI2LjAuMjU5Mi44MSIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiIgZXhwZXJpbWVudHM9ImNvbnNlbnQ9ZmFsc2UiIGluc3RhbGxhZ2U9Ii0xIiBpbnN0YWxsZGF0ZT0iLTEiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iOSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNjIzMTcxNzAyMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjYyMzE3NDcwNTkiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2NDE2MTU3NTE5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJiaXRzIiB1cmw9Imh0dHA6Ly9tc2VkZ2UuZi50bHUuZGwuZGVsaXZlcnkubXAubWljcm9zb2Z0LmNvbS9maWxlc3RyZWFtaW5nc2VydmljZS9maWxlcy8xMTEwYmY2My1jNmNlLTQ3MTQtOTY5Yi1iMzAyOGI0NDFjNDc_UDE9MTcyMDM0NTU2MSZhbXA7UDI9NDA0JmFtcDtQMz0yJmFtcDtQND1uMW1lYzY1a3pFaUp3dTZUNXowRm1FQjhuUGxHd3ZSckVHdGVQY05RRkQycTRQZUJ4Q0JhUUh4TUhEMlF0bzdkdFRhJTJmUXpWd0FQVXE5RHJJMXdlUEtnJTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTczMDgyMTY4IiB0b3RhbD0iMTczMDgyMTY4IiBkb3dubG9hZF90aW1lX21zPSIxNjEzNiIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjY0MTYyODcxMDUiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI2IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2NDMyMTE3MTM1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI2OTA0Mzc3MTI2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iMTk1IiBkb3dubG9hZF90aW1lX21zPSIxODQ1MCIgZG93bmxvYWRlZD0iMTczMDgyMTY4IiB0b3RhbD0iMTczMDgyMTY4IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI0NzIyMyIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8241CF20-C335-4C48-AF74-BBC7E8826E84}\MicrosoftEdgeUpdateSetup_X86_1.3.187.41.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{8241CF20-C335-4C48-AF74-BBC7E8826E84}\MicrosoftEdgeUpdateSetup_X86_1.3.187.41.exe" /update /sessionid "{89C64658-DBD2-4A20-BE1C-086970EC541F}"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Temp\EU4FDE.tmp\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\Temp\EU4FDE.tmp\MicrosoftEdgeUpdate.exe" /update /sessionid "{89C64658-DBD2-4A20-BE1C-086970EC541F}"3⤵
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.187.41\MicrosoftEdgeUpdateComRegisterShell64.exe"5⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODlDNjQ2NTgtREJEMi00QTIwLUJFMUMtMDg2OTcwRUM1NDFGfSIgdXNlcmlkPSJ7NzMzRDc4NzQtMUJDMy00MTFDLUI4RjEtNzNCRjQzQzU0ODI1fSIgaW5zdGFsbHNvdXJjZT0ic2VsZnVwZGF0ZSIgcmVxdWVzdGlkPSJ7MzBFNTcwQkItODQzNi00Mjc2LUIzRjItNzNGQTcyNEIwQTA5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzEuMzkiIG5leHR2ZXJzaW9uPSIxLjMuMTg3LjQxIiBsYW5nPSIiIGJyYW5kPSJJTkJYIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iNTIiIGluc3RhbGxkYXRldGltZT0iMTcxNTE4OTM4OSI-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTgzNjY1NzE1NyIvPjwvYXBwPjwvcmVxdWVzdD44⤵
- Executes dropped EXE
- Checks system information in the registry
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNzEuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODlDNjQ2NTgtREJEMi00QTIwLUJFMUMtMDg2OTcwRUM1NDFGfSIgdXNlcmlkPSJ7NzMzRDc4NzQtMUJDMy00MTFDLUI4RjEtNzNCRjQzQzU0ODI1fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9InsxOUJBMzJGOS03QkJELTRDRkQtQkMxMC0xOTNDRjZEMEM4OUF9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7cjQ1MnQxK2syVGdxL0hYemp2Rk5CUmhvcEJXUjlzYmpYeHFlVURIOXVYMD0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE3MS4zOSIgbmV4dHZlcnNpb249IjEuMy4xODcuNDEiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iSXNPbkludGVydmFsQ29tbWFuZHNBbGxvd2VkPS10YXJnZXRfZGV2IiBpbnN0YWxsYWdlPSI1MiI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSIxMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTUwMTI0NzE2NCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEzIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5NTAxMjk3MTg5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIwIiBlcnJvcmNvZGU9Ii0yMTQ3MDIzODM4IiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5ODE2Mjc3Mzg0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNGFkOWNiNmUtODI0NS00ZTQ3LWIyOTgtMWZmNGIwNDI1NmUxP1AxPTE3MjAzNDU4ODgmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9VDFyTmRlTmJWNERJY3M5elBGZ1hGdE9FSWVzSTZSVVpJcEVYdlVmViUyYjB3YVg4ZERweTE1aGpxajhLQndZVXBRVHZxUU5PZ2hEcVV2eGJwWWZYS3l3USUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIzIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9Ijk4MTYzNDcyODEiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzRhZDljYjZlLTgyNDUtNGU0Ny1iMjk4LTFmZjRiMDQyNTZlMT9QMT0xNzIwMzQ1ODg4JmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVQxck5kZU5iVjRESWNzOXpQRmdYRnRPRUllc0k2UlVaSXBFWHZVZlYlMmIwd2FYOGREcHkxNWhqcWo4S0J3WVVwUVR2cVFOT2doRHFVdnhicFlmWEt5d1ElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxNjM0Mzc2IiB0b3RhbD0iMTYzNDM3NiIgZG93bmxvYWRfdGltZV9tcz0iMjcyMDkiLz48ZXZlbnQgZXZlbnR0eXBlPSIxNCIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iOTgxNjQzNzUzMCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjE1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI5ODIxNjc3MjY4IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PHBpbmcgcj0iNTMiIHJkPSI2MzM3IiBwaW5nX2ZyZXNobmVzcz0iezFCRkI3MjdCLUYzOTMtNEUxNC05OTY2LTk0QjMyODQ0NjI4OH0iLz48L2FwcD48YXBwIGFwcGlkPSJ7NTZFQjE4RjgtQjAwOC00Q0JELUI2RDItOEM5N0ZFN0U5MDYyfSIgdmVyc2lvbj0iOTIuMC45MDIuNjciIG5leHR2ZXJzaW9uPSIiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iNTIiIGxhc3RfbGF1bmNoX3RpbWU9IjEzMzU5NjQyMjAwMjg1OTE0MCI-PHVwZGF0ZWNoZWNrLz48cGluZyBhY3RpdmU9IjEiIGE9IjUzIiByPSI1MyIgYWQ9IjYzMzciIHJkPSI2MzM3IiBwaW5nX2ZyZXNobmVzcz0ie0JEMDFCOEUzLTM3RTItNDYzQS04OUMzLTI4MEM5MTE0NjM3NX0iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTI2LjAuMjU5Mi44MSIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRlPSI2Mzg0Ij48dXBkYXRlY2hlY2svPjxwaW5nIHI9Ii0xIiByZD0iLTEiIHBpbmdfZnJlc2huZXNzPSJ7ODg4MkU3QUUtNjIxNS00RDMzLUE4QTItODdGMzlERUFDNUNEfSIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTA0NDgzQ0EtNzY3RC00NEMwLUE5NzgtOUZGMDJCQ0ZGNDAxfSIgdXNlcmlkPSJ7NzMzRDc4NzQtMUJDMy00MTFDLUI4RjEtNzNCRjQzQzU0ODI1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MkQxQzM5REEtRTUwQi00Mzg2LUFBRkMtQTRDNkZEQjk1OTAwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O2hWZkRqTWRGRzZGZ0tzME56NmVtcllDU2c2VFF2RFBvbW9sUmF5UVhCSzQ9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjExMC4wLjU0ODEuMTA0IiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1MiIgaW5zdGFsbGRhdGV0aW1lPSIxNzE1MTY1MjIxIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzNTk2Mzc4MTA1ODc5MTE5Ij48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjExNDMyNSIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTI4MzA3NTcyMjEiLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Checks system information in the registry
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3206F783-6C7E-4FC4-8897-EC10228C53BF}\BGAUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{3206F783-6C7E-4FC4-8897-EC10228C53BF}\BGAUpdate.exe" --edgeupdate-client --system-level2⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTA0NDgzQ0EtNzY3RC00NEMwLUE5NzgtOUZGMDJCQ0ZGNDAxfSIgdXNlcmlkPSJ7NzMzRDc4NzQtMUJDMy00MTFDLUI4RjEtNzNCRjQzQzU0ODI1fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9IntDNzEzMDM2QS1EOUQ1LTQ4NEEtQURCRi04NzFEQTdFMTJGQzd9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7MUZBQjhDRkUtOTg2MC00MTVDLUE2Q0EtQUE3RDEyMDIxOTQwfSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMi4wLjAuMzQiIGxhbmc9IiIgYnJhbmQ9IkVVRkkiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMjg0NDM5NzA0MyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEyODQ0NTY3MTQ2IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjAiIGVycm9yY29kZT0iLTIxNDcwMjM4MzgiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzMzU5NDQ3MDM2IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiBkb3dubG9hZGVyPSJkbyIgdXJsPSJodHRwOi8vbXNlZGdlLmIudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNWYxOTU2MTItMzg0YS00OGVhLTg0MDgtYjRlZGU5ZGM1NmJiP1AxPTE3MjAzNDYyMjMmYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9SnBRTnN4cGNDb0NKZER4QzhnZnFkOHF2TDFZUUVyUUh1TkNMeFNJUGlnYk5aUlU4dW5VWHUzMmJVMEN5NVloU25HZzluN0xuVXdBMnRkaVZ6dSUyYlljUSUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjAiIHRvdGFsPSIwIiBkb3dubG9hZF90aW1lX21zPSIyIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMzNTk0NTcwMzgiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5iLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzVmMTk1NjEyLTM4NGEtNDhlYS04NDA4LWI0ZWRlOWRjNTZiYj9QMT0xNzIwMzQ2MjIzJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PUpwUU5zeHBjQ29DSmREeEM4Z2ZxZDhxdkwxWVFFclFIdU5DTHhTSVBpZ2JOWlJVOHVuVVh1MzJiVTBDeTVZaFNuR2c5bjdMblV3QTJ0ZGlWenUlMmJZY1ElM2QlM2QiIHNlcnZlcl9pcF9oaW50PSIiIGNkbl9jaWQ9Ii0xIiBjZG5fY2NjPSIiIGNkbl9tc2VkZ2VfcmVmPSIiIGNkbl9henVyZV9yZWZfb3JpZ2luX3NoaWVsZD0iIiBjZG5fY2FjaGU9IiIgY2RuX3AzcD0iIiBkb3dubG9hZGVkPSIxODA0NDQ0OCIgdG90YWw9IjE4MDQ0NDQ4IiBkb3dubG9hZF90aW1lX21zPSI0Njk2MyIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzMzU5NDk3MTAyIiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTMzNjU2MjcwNDYiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzM2NzI5NzIxNCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9Ijk1MCIgZG93bmxvYWRfdGltZV9tcz0iNTE0NjEiIGRvd25sb2FkZWQ9IjE4MDQ0NDQ4IiB0b3RhbD0iMTgwNDQ0NDgiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjE2MiIvPjwvYXBwPjwvcmVxdWVzdD42⤵
- Executes dropped EXE
- Checks system information in the registry
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc1⤵
- Executes dropped EXE
- Checks system information in the registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\MicrosoftEdge_X64_126.0.2592.81.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\MicrosoftEdge_X64_126.0.2592.81.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\EDGEMITMP_706D0.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\EDGEMITMP_706D0.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\MicrosoftEdge_X64_126.0.2592.81.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\EDGEMITMP_706D0.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\EDGEMITMP_706D0.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.127 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\EDGEMITMP_706D0.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=126.0.2592.81 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff7b68baa40,0x7ff7b68baa4c,0x7ff7b68baa584⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\EDGEMITMP_706D0.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\EDGEMITMP_706D0.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\EDGEMITMP_706D0.tmp\setup.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\EDGEMITMP_706D0.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.127 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\EDGEMITMP_706D0.tmp\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=126.0.2592.81 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff7b68baa40,0x7ff7b68baa4c,0x7ff7b68baa585⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.81\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.81\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level4⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.81\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.81\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=126.0.6478.127 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\126.0.2592.81\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=126.0.2592.81 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff6afeaaa40,0x7ff6afeaaa4c,0x7ff6afeaaa585⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xODcuNDEiIHNoZWxsX3ZlcnNpb249IjEuMy4xNzEuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NDY3QzAzQkYtQzQ1Qy00QkMzLUFGOUMtRkE1NDZBOEFCMjQ2fSIgdXNlcmlkPSJ7NzMzRDc4NzQtMUJDMy00MTFDLUI4RjEtNzNCRjQzQzU0ODI1fSIgaW5zdGFsbHNvdXJjZT0ic2NoZWR1bGVyIiByZXF1ZXN0aWQ9Ins2NzMxODhFOC00MERBLTQ5QTctODUwMS02NzQzMDhBMDVEMjZ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7aFZmRGpNZEZHNkZnS3MwTno2ZW1yWUNTZzZUUXZEUG9tb2xSYXlRWEJLND0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjNDNEZFMDAtRUZENS00MDNCLTk1NjktMzk4QTIwRjFCQTRBfSIgdmVyc2lvbj0iMS4zLjE4Ny40MSIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iSU5CWCIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJJc09uSW50ZXJ2YWxDb21tYW5kc0FsbG93ZWQ9LXRhcmdldF9kZXY7UHJvZHVjdHNUb1JlZ2lzdGVyPSU3QjFGQUI4Q0ZFLTk4NjAtNDE1Qy1BNkNBLUFBN0QxMjAyMTk0MCU3RCIgaW5zdGFsbGFnZT0iNTIiIGNvaG9ydD0icnJmQDAuNTMiPjx1cGRhdGVjaGVjay8-PHBpbmcgcmQ9IjYzOTAiIHBpbmdfZnJlc2huZXNzPSJ7NkIyQkNEMDQtOTUwMC00MTg5LUIxOEYtQjA1QTVENDY4RjBCfSIvPjwvYXBwPjxhcHAgYXBwaWQ9Ins1NkVCMThGOC1CMDA4LTRDQkQtQjZEMi04Qzk3RkU3RTkwNjJ9IiB2ZXJzaW9uPSI5Mi4wLjkwMi42NyIgbmV4dHZlcnNpb249IjEyNi4wLjI1OTIuODEiIGxhbmc9IiIgYnJhbmQ9IklOQlgiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iNTIiIGlzX3Bpbm5lZF9zeXN0ZW09InRydWUiIGxhc3RfbGF1bmNoX2NvdW50PSIxIiBsYXN0X2xhdW5jaF90aW1lPSIxMzM1OTY0MjIwMDI4NTkxNDAiPjx1cGRhdGVjaGVjay8-PGV2ZW50IGV2ZW50dHlwZT0iMTIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzNTQ4NTI3MjEyIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTMiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzNTQ4NTY3MjI2IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTQiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzNTc4Nzg3MTQ1IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMTUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzNTkzOTk3MjYwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMyIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMTk2NzU3IiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMzk4NTk4NzI2NyIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9IjE0NTciIGRvd25sb2FkZWQ9IjE3MzA4MjE2OCIgdG90YWw9IjE3MzA4MjE2OCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjIiIGluc3RhbGxfdGltZV9tcz0iMzkxOTYiLz48cGluZyBhY3RpdmU9IjAiIHJkPSI2MzkwIiBwaW5nX2ZyZXNobmVzcz0iezQ0QzdBRjdGLUExQzEtNEVEMi1BQUJBLTU2N0ZBQzMyMTc0Q30iLz48L2FwcD48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iMTI2LjAuMjU5Mi44MSIgbmV4dHZlcnNpb249IiIgbGFuZz0iIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjAiIGluc3RhbGxkYXRlPSI2Mzg0IiBjb2hvcnQ9InJyZkAwLjQ0Ij48dXBkYXRlY2hlY2svPjxwaW5nIHJkPSI2MzkwIiBwaW5nX2ZyZXNobmVzcz0ie0E3MUE1MkY0LTQ2MjYtNDhGQi1CRTkxLTQ4REZGRENCREUyQ30iLz48L2FwcD48L3JlcXVlc3Q-2⤵
- Executes dropped EXE
- Checks system information in the registry
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Event Triggered Execution
2Image File Execution Options Injection
1Component Object Model Hijacking
1Browser Extensions
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Active Setup
1Event Triggered Execution
2Image File Execution Options Injection
1Component Object Model Hijacking
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Microsoft\EdgeCore\126.0.2592.81\Installer\setup.exeFilesize
6.5MB
MD57c44a5cba89f38d967b1f4e11225da0f
SHA144837f2ff9b3ebc7c371ee5f9e0cd5dcaad508dd
SHA256a10c3e0b2ec1286bfe6b3fe9005a9132fad01be9afc4bdd5adb29f174b8fb706
SHA51225b4cae7fc6d200dab70e94461b7f2e7899813975cab498fb367a32aa2e187fb7b1330545b60f6340d53fe5e04a1ecfb5d6b8bf004ac26ecaa7a8f6e387dfe99
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{1FAB8CFE-9860-415C-A6CA-AA7D12021940}\2.0.0.34\BGAUpdate.exeFilesize
17.2MB
MD53f208f4e0dacb8661d7659d2a030f36e
SHA107fe69fd12637b63f6ae44e60fdf80e5e3e933ff
SHA256d3c12e642d4b032e2592c2ba6e0ed703a7e43fb424b7c3ab5b2e51b53d1d433b
SHA5126c8fce43d04dd7e7f5c8bf275ba01e24a76531e89cc02f4b2f23ab2086f7cf70f485c4240c5ea41bf61cb7ceee471df7e7bdc1b17dfdd54c22e4b02ff4e14740
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\1.3.187.41\MicrosoftEdgeUpdateSetup_X86_1.3.187.41.exeFilesize
1.6MB
MD5a9ad77a4111f44c157a1a37bb29fd2b9
SHA1f1348bcbc950532ac2b48b18acd91533f3ac0be2
SHA256200a59abdeb32cc4d2cec4079be205f18b5f45bae42acb7940151f9780569889
SHA51268f58a15ef5ba5d49d8476bee4a488e9a721f703a645ddd29148915d555ca2eb451635c3b762e5a0f786d69bb5cba9bffac3eeee196f1ec7ad669e2d729fe898
-
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{A3C9E7F2-FCF3-4766-9477-4D49C460E5EA}\EDGEMITMP_706D0.tmp\SETUP.EX_Filesize
2.6MB
MD533efe1418d476ff5d8eaffa404072360
SHA10b24c3cf402737e23b509b7cd9c49761d2d6ea08
SHA256caa9ce4d4a529b0a5e19c24a85cbe3bcd74b7d8bc5d3f946c909cf05deb16d10
SHA5120438c9b819a695edc549ea19419fab9b6f152d3e457c8f59418d1bbc409a80ca4988d1b6797d9b4c47aa79761074f5f9c36d96d131b72a64b45cf3bfb4b80c0b
-
C:\Program Files (x86)\Microsoft\Temp\EUCDF5.tmp\MicrosoftEdgeUpdate.exeFilesize
201KB
MD54dc57ab56e37cd05e81f0d8aaafc5179
SHA1494a90728d7680f979b0ad87f09b5b58f16d1cd5
SHA25687c6f7d9b58f136aeb33c96dbfe3702083ec519aafca39be66778a9c27a68718
SHA512320eeed88d7facf8c1f45786951ef81708c82cb89c63a3c820ee631c52ea913e64c4e21f0039c1b277cfb710c4d81cd2191878320d00fd006dd777c727d9dc2b
-
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3264_352178025\LICENSEFilesize
473B
MD5f6719687bed7403612eaed0b191eb4a9
SHA1dd03919750e45507743bd089a659e8efcefa7af1
SHA256afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59
SHA512dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56
-
C:\Program Files (x86)\chrome_Unpacker_BeginUnzipping3264_352178025\manifest.jsonFilesize
984B
MD50359d5b66d73a97ce5dc9f89ed84c458
SHA1ce17e52eaac909dd63d16d93410de675d3e6ec0d
SHA256beeab2f8d3833839399dde15ce9085c17b304445577d21333e883d6db6d0b755
SHA5128fd94a098a4ab5c0fcd48c2cef2bb03328dd4d25c899bf5ed1ca561347d74a8aab8a214ba2d3180a86df72c52eb26987a44631d0ecd9edc84976c28d6c9dc16a
-
C:\Program Files\MsEdgeCrashpad\settings.datFilesize
280B
MD5d7908688fedbdff145c99b19d55a423e
SHA197b20094d644613f0614c5a93ea9103932b48a9b
SHA2562a901298613c8804808eb6583ea8df5c35df5ffbaec6471074d75f02c55ce103
SHA512800d11b4e1e90640f41e042612bd75cf090f5ce18d588cabdf15abc90859e337e0b6ddbfc9b3e2405fcff31e7af5294a6c2d343cc636a74b994b62d718f4cff3
-
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.logFilesize
108KB
MD5530932ee867336d4471e3bc53580a728
SHA1b7b70db6bb6b08348fc4c01446d618b5ca0714ff
SHA256eb097be11e7715a9b8a9005b392361a21fc49bec5b6636b642c3fa4277173690
SHA512efecbe3c65f779d94df6275d1a9e1e26e58f163bc559952cd344567fbaff02cee80f635f91c37f0c2bbbc0bec8305bda3946685584782244b0c1fdb1bcae36a4
-
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.dllFilesize
4.3MB
MD56546ceb273f079342df5e828a60f551b
SHA1ede41c27df51c39cd731797c340fcb8feda51ea3
SHA256e440da74de73212d80da3f27661fcb9436d03d9e8dbbb44c9c148aaf38071ca5
SHA512f0ea83bf836e93ff7b58582329a05ba183a25c92705fab36f576ec0c20cf687ce16a68e483698bda4215d441dec5916ffbdfa1763fb357e14ab5e0f1ffcaf824
-
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.exeFilesize
249KB
MD5772c9fecbd0397f6cfb3d866cf3a5d7d
SHA16de3355d866d0627a756d0d4e29318e67650dacf
SHA2562f88ea7e1183d320fb2b7483de2e860da13dc0c0caaf58f41a888528d78c809f
SHA51282048bd6e50d38a863379a623b8cfda2d1553d8141923acf13f990c7245c833082523633eaa830362a12bfff300da61b3d8b3cccbe038ce2375fdfbd20dbca31
-
C:\Users\Admin\AppData\Local\Bloxstrap\Bloxstrap.runtimeconfig.jsonFilesize
372B
MD5d94cf983fba9ab1bb8a6cb3ad4a48f50
SHA104855d8b7a76b7ec74633043ef9986d4500ca63c
SHA2561eca0f0c70070aa83bb609e4b749b26dcb4409784326032726394722224a098a
SHA51209a9667d4f4622817116c8bc27d3d481d5d160380a2e19b8944bdd1271a83f718415ce5e6d66e82e36819e575ec1b55f19c45213e0013b877b8d61e6feb9d998
-
C:\Users\Admin\AppData\Local\Bloxstrap\Modifications\ClientSettings\ClientAppSettings.jsonFilesize
120B
MD5636492f4af87f25c20bd34a731007d86
SHA122a5c237a739ab0df4ff87c9e3d79dbe0c89b56a
SHA25622a1e85723295eeb854345be57f7d6fb56f02b232a95d69405bf9d9e67a0fa0d
SHA512cd2e3a738f535eb1a119bd4c319555899bcd4ce1049d7f8591a1a68c26844f33c1bd1e171706533b5c36263ade5e275b55d40f5710e0210e010925969182cd0c
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\graphic\shimmer_lightTheme.pngFilesize
20KB
MD54f8f43c5d5c2895640ed4fdca39737d5
SHA1fb46095bdfcab74d61e1171632c25f783ef495fa
SHA256fc57f32c26087eef61b37850d60934eda1100ca8773f08e487191a74766053d1
SHA5127aebc0f79b2b23a76fb41df8bab4411813ffb1abc5e2797810679c0eaa690e7af7561b8473405694bd967470be337417fa42e30f0318acbf171d8f31620a31aa
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaApp\graphic\[email protected]Filesize
71KB
MD53fec0191b36b9d9448a73ff1a937a1f7
SHA1bee7d28204245e3088689ac08da18b43eae531ba
SHA2561a03e6f6a0de045aa588544c392d671c040b82a5598b4246af04f5a74910dc89
SHA512a8ab2bc2d937963af36d3255c6ea09cae6ab1599996450004bb18e8b8bdfbdde728821ac1662d8a0466680679011d8f366577b143766838fe91edf08a40353ce
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\ExtraContent\textures\ui\LuaDiscussions\buttonFill.pngFilesize
247B
MD581ce54dfd6605840a1bd2f9b0b3f807d
SHA14a3a4c05b9c14c305a8bb06c768abc4958ba2f1c
SHA2560a6a5cafb4dee0d8c1d182ddec9f68ca0471d7fc820cf8dc2d68f27a35cd3386
SHA51257069c8ac03dd0fdfd97e2844c19138800ff6f7d508c26e5bc400b30fe78baa0991cc39f0f86fa10cd5d12b6b11b0b09c1a770e5cb2fdca157c2c8986a09e5ff
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\WebView2RuntimeInstaller\MicrosoftEdgeWebview2Setup.exeFilesize
1.5MB
MD5610b1b60dc8729bad759c92f82ee2804
SHA19992b7ae7a9c4e17a0a6d58ffd91b14cbb576552
SHA256921d51979f3416ca19dca13a057f6fd3b09d8741f3576cad444eb95af87ebe08
SHA5120614c4e421ccd5f4475a690ba46aac5bbb7d15caea66e2961895724e07e1ec7ee09589ca9394f6b2bcfb2160b17ac53798d3cf40fb207b6e4c6381c8f81ab6b4
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\configs\DateTimeLocaleConfigs\zh-hans.jsonFilesize
2KB
MD5fb6605abd624d1923aef5f2122b5ae58
SHA16e98c0a31fa39c781df33628b55568e095be7d71
SHA2567b993133d329c46c0c437d985eead54432944d7b46db6ad6ea755505b8629d00
SHA51297a14eda2010033265b379aa5553359293baf4988a4cdde8a40b0315e318a7b30feee7f5e14c68131e85610c00585d0c67e636999e3af9b5b2209e1a27a82223
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\configs\DateTimeLocaleConfigs\zh-tw.jsonFilesize
2KB
MD5702c9879f2289959ceaa91d3045f28aa
SHA1775072f139acc8eafb219af355f60b2f57094276
SHA256a92a6988175f9c1d073e4b54bf6a31f9b5d3652eebdf6a351fb5e12bda76cbd5
SHA512815a6bef134c0db7a5926f0cf4b3f7702d71b0b2f13eca9539cd2fc5a61eea81b1884e4c4bc0b3398880589bff809ac8d5df833e7e4aeda4a1244e9a875d1e97
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\sounds\ouch.oggFilesize
6KB
MD59404c52d6f311da02d65d4320bfebb59
SHA10b5b5c2e7c631894953d5828fec06bdf6adba55f
SHA256c9775e361392877d1d521d0450a5368ee92d37dc542bc5e514373c9d5003f317
SHA51222aa1acbcdcf56f571170d9c32fd0d025c50936387203a7827dbb925f352d2bc082a8a79db61c2d1f1795ad979e93367c80205d9141b73d806ae08fa089837c4
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\Cursors\KeyboardMouse\IBeamCursor.pngFilesize
292B
MD5464c4983fa06ad6cf235ec6793de5f83
SHA18afeb666c8aee7290ab587a2bfb29fc3551669e8
SHA25699fd7f104948c6ab002d1ec69ffd6c896c91f9accc499588df0980b4346ecbed
SHA512f805f5f38535fe487b899486c8de6cf630114964e2c3ebc2af7152a82c6f6faef681b4d936a1867b5dff6566b688b5c01105074443cc2086b3fe71f7e6e404b1
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\StudioToolbox\Clear.pngFilesize
538B
MD5fa8eaf9266c707e151bb20281b3c0988
SHA13ca097ad4cd097745d33d386cc2d626ece8cb969
SHA2568cf08bf7e50fea7b38f59f162ed956346c55a714ed8a9a8b0a1ada7e18480bc2
SHA512e29274300eab297c6de895bb39170f73f0a4ffa2a8c3732caeeeac16e2c25fb58bb401fdd5823cc62d9c413ec6c43d7c46861d7e14d52f8d9d8ff632e29f167c
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\StudioUIEditor\valueBoxRoundedRectangle.pngFilesize
130B
MD5521fb651c83453bf42d7432896040e5e
SHA18fdbf2cc2617b5b58aaa91b94b0bf755d951cad9
SHA256630303ec4701779eaf86cc9fbf744b625becda53badc7271cbb6ddc56e638d70
SHA5128fa0a50e52a3c7c53735c7dd7af275ebc9c1843f55bb30ebe0587a85955a8da94ff993822d233f7ed118b1070a7d67718b55ba4a597dc49ed2bf2a3836c696f6
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\TerrainTools\checkbox_square.pngFilesize
985B
MD52cb16991a26dc803f43963bdc7571e3f
SHA112ad66a51b60eeaed199bc521800f7c763a3bc7b
SHA256c7bae6d856f3bd9f00c122522eb3534d0d198a9473b6a379a5c3458181870646
SHA5124c9467e5e2d83b778d0fb8b6fd97964f8d8126f07bfd50c5d68c256703f291ceaed56be057e8e2c591b2d2c49f6b7e099a2b7088d0bf5bdd901433459663b1f8
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\Thumbstick1.pngFilesize
641B
MD52cbe38df9a03133ddf11a940c09b49cd
SHA16fb5c191ed8ce9495c66b90aaf53662bfe199846
SHA2560835a661199a7d8df7249e8ae925987184efcc4fb85d9efac3cc2c1495020517
SHA512dcef5baccef9fff632456fe7bc3c4f4a403363d9103a8047a55f4bd4c413d0c5f751a2e37385fe9eba7a420dbdb77ca2ff883d47fcdd35af222191cc5bd5c7a9
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]Filesize
1KB
MD5e8c88cf5c5ef7ae5ddee2d0e8376b32f
SHA177f2a5b11436d247d1acc3bac8edffc99c496839
SHA2569607af14604a8e8eb1dec45d3eeca01fed33140c0ccc3e6ef8ca4a1f6219b5dd
SHA51232f5a1e907705346a56fbddfe0d8841d05415ff7abe28ae9281ba46fedf8270b982be0090b72e2e32de0ce36e21934f80eaf508fd010f7ab132d39f5305fb68f
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]Filesize
1KB
MD5499333dae156bb4c9e9309a4842be4c8
SHA1d18c4c36bdb297208589dc93715560acaf761c3a
SHA256d35a74469f1436f114c27c730a5ec0793073bcf098db37f10158d562a3174591
SHA51291c64173d2cdabc045c70e0538d45e1022cc74ec04989565b85f0f26fe3e788b700a0956a07a8c91d34c06fc1b7fad43bbdbb41b0c6f15b9881c3e46def8103e
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\Thumbstick2.pngFilesize
738B
MD5a402aacac8be906bcc07d50669d32061
SHA19d75c1afbe9fc482983978cae4c553aa32625640
SHA25662a313b6cc9ffe7dd86bc9c4fcd7b8e8d1f14a15cdf41a53fb69af4ae3416102
SHA512d11567bcaad8bbd9e2b9f497c3215102c7e7546caf425e93791502d3d2b3f78dec13609796fcd6e1e7f5c7d794bac074d00a74001e7fe943d63463b483877546
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]Filesize
1KB
MD583e9b7823c0a5c4c67a603a734233dec
SHA12eaf04ad636bf71afdf73b004d17d366ac6d333e
SHA2563b5e06eb1a89975def847101f700f0caa60fe0198f53e51974ef1608c6e1e067
SHA512e8abb39a1ec340ac5c7d63137f607cd09eae0e885e4f73b84d8adad1b8f574155b92fbf2c9d3013f64ebbb6d55ead5419e7546b0f70dcde976d49e7440743b0f
-
C:\Users\Admin\AppData\Local\Bloxstrap\Versions\version-1088f3c8e4a44cc7\content\textures\ui\Controls\XboxController\[email protected]Filesize
1KB
MD555b64987636b9740ab1de7debd1f0b2f
SHA196f67222ce7d7748ec968e95a2f6495860f9d9c9
SHA256f4a6bb3347ee3e603ea0b2f009bfa802103bc434ae3ff1db1f2043fa8cace8fc
SHA51273a88a278747de3fefbaabb3ff90c1c0750c8d6c17746787f17061f4eff933620407336bf9b755f4222b0943b07d8c4d01de1815d42ea65e78e0daa7072591e9
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.Core.dllFilesize
915KB
MD5100c32f77e68a2ce962e1a28997567ea
SHA1a80a1f4019b8d44df6b5833fb0c51b929fa79843
SHA256c0b9e29b240d8328f2f9a29ca0298ca4d967a926f3174a3442c3730c00d5a926
SHA512f95530ef439fa5c4e3bc02db249b6a76e9d56849816ead83c9cd9bcd49d3443ccb88651d829165c98a67af40b3ef02b922971114f29c5c735e662ca35c0fb6ed
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.BrowserSubprocess.exeFilesize
7KB
MD5516ff62b2e1f4642caa954c0968719e8
SHA1e349d0ce82e2109dd0d18416d9cf46e8411b7f15
SHA25619da58849cec5933860116e60a1e94b08e30d90e0f955768270b47998d612045
SHA5127aa4a0c87b29c2a84f585a884d8208fc2352a43f2cdb549c100e3b121837ad5f8dadb1101f57d1d3fcb7ebec9d9f22e07dc14239b7d2e2d25793c999becf288b
-
C:\Users\Admin\AppData\Local\CefSharp\CefSharp.dllFilesize
272KB
MD59ca06a8f9e5f7239ca225ab810274023
SHA1e1a219f567a7b7d3af9386df51b14c76e769c044
SHA2565fd00ae3e83e6ca156647ff6df87b49ffc7cad47c23fe3ae07c067c5adf6f74a
SHA512430c9bceed5439b987d5bd4840cfe32411ca61594f18597aca1948aa39a22c9d70beadf3bb9b1dd0373f81a94a25dcba17fa8e8c73abf06cba28d0971d5614c5
-
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.jsonFilesize
643B
MD5ef06fd929d986a19913b962c82e99e32
SHA13d8811fea3d0c7e3385df1656e7ca254109ecf37
SHA256052796e400257ceb5108c72ab749fd4b1464eb4bdc2d48c9467b32f2b1dda2d7
SHA512bc4eb990a2b9b2e3604038f9e91940a146efdaf77e86c0c549f433dbee4ed755ffb7136626c9ccfa2a9f056e162058011b78b74e7336b82943e71619551758ff
-
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.jsonFilesize
755B
MD57ad0bcbf3a8a63ed1fb4bf09d58d49cf
SHA152a73fcb5115e3b8b94359186f6b761ab75b9c6a
SHA25658d918c256b80a36acffee73b7ea9db2fdccf8d0e5cd8d1757c9e0635ac28da8
SHA512d855b6954d910faa1bf7d038217ecf0748022b7bdcf493d343abf57c09e81e9911022a7ddb1732bb229b54b185564fee993727a9095f234aa79829c21873444f
-
C:\Users\Admin\AppData\Local\CefSharp\LocalPrefs.json~RFe59c1fe.TMPFilesize
434B
MD56dbf56f1598a8edfc66d4fe14cddd7d5
SHA1d4d7f22d03f53a2fcca3f9b7567882c360789826
SHA256d3950e8b7da2f5e0a74a32f34cdec6e820600d89ca5402e68e596455a4f8ff22
SHA512f5ee57f3eb1914acb3eb1b7d7f92c9ae31bad952cb2158ede8758891b65414d72dafd4d9afcd41d29bc8368476c2972820b04e8586a56c210e3ca7adf2f847c3
-
C:\Users\Admin\AppData\Local\CefSharp\ShaderCache\data_1Filesize
264KB
MD5d0d388f3865d0523e451d6ba0be34cc4
SHA18571c6a52aacc2747c048e3419e5657b74612995
SHA256902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17
-
C:\Users\Admin\AppData\Local\CefSharp\chrome_100_percent.pakFilesize
667KB
MD5ae195e80859781a20414cf5faa52db06
SHA1b18ecb5ec141415e3a210880e2b3d37470636485
SHA2569957802c0792e621f76bbdb1c630fbad519922743b5d193294804164babda552
SHA512c6fef84615fe20d1760ca496c98629feb4e533556724e9631d4282622748e7601225cf19dfb8351f4b540ae3f83785c1bcea6fe8c246cf70388e527654097c1c
-
C:\Users\Admin\AppData\Local\CefSharp\chrome_200_percent.pakFilesize
1.0MB
MD51abf6bad0c39d59e541f04162e744224
SHA1db93c38253338a0b85e431bd4194d9e7bddb22c6
SHA25601cb663a75f18bb2d0d800640a114f153a34bd8a5f2aa0ed7daa9b32967dc29e
SHA512945d519221d626421094316f13b818766826b3bedddab0165c041540dddadc93136e32784c0562d26a420cb29479d04d2aa317b8d605cd242e5152bf05af197e
-
C:\Users\Admin\AppData\Local\CefSharp\chrome_elf.dllFilesize
1020KB
MD57191d97ce7886a1a93a013e90868db96
SHA152dd736cb589dd1def87130893d6b9449a6a36e3
SHA25632f925f833aa59e3f05322549fc3c326ac6fc604358f4efbf94c59d5c08b8dc6
SHA51238ebb62c34d466935eabb157197c7c364d4345f22aa3b2641b636196ca1aeaa2152ac75d613ff90817cb94825189612ddd12fb96df29469511a46a7d9620e724
-
C:\Users\Admin\AppData\Local\CefSharp\icudtl.datFilesize
10.2MB
MD574bded81ce10a426df54da39cfa132ff
SHA1eb26bcc7d24be42bd8cfbded53bd62d605989bbf
SHA2567bf96c193befbf23514401f8f6568076450ade52dd1595b85e4dfcf3de5f6fb9
SHA512bd7b7b52d31803b2d4b1fd8cb76481931ed8abb98d779b893d3965231177bdd33386461e1a820b384712013904da094e3cd15ee24a679ddc766132677a8be54a
-
C:\Users\Admin\AppData\Local\CefSharp\libEGL.dllFilesize
359KB
MD57dd6b0e4a31d35a0fae5ff425707073c
SHA1fbd12e9f8e2252c52ce555c2ebbd7f07e62a0140
SHA2568762d8001fc3ddd90e3129dfea172817e8d09b9936eaae391957de4326c8c906
SHA512726968df6b83ab5f589276672250d92f532fe2dcea2176e42031a7f1dcecf578b0320cfe2a7d88bb9883ad99387d71c6ebf1e9968272bb5e62850ef09abd2648
-
C:\Users\Admin\AppData\Local\CefSharp\libGLESv2.dllFilesize
6.6MB
MD58803db5b167fb5a5f8a8c595c4e4d7c6
SHA17fde861151f3bea66c65b6c2487a30728048811a
SHA25652a58d25a41f4bd31cdb4a0d306217862e04ebf7c1925cc85330054a5523d719
SHA5122fa9a0eda221982896e41eb387b5e156198615ac1a1fbac0acffd13008919368b41a240df416c1fce2e48c20a14cd7af7cca9fba476ada5e64a0cadde84a44b7
-
C:\Users\Admin\AppData\Local\CefSharp\locales\en-US.pakFilesize
456KB
MD54430b1833d56bc8eb1f7dc82bb7f4bc9
SHA1dc15e6306625f155683326e859d83f846153c547
SHA256b44ddcfac9df4934007e6c55a3c7f5e7f14c7e5e29f35c81de917fc3b22aabbc
SHA512faf93bf371b2a88c1b874a5e2c54e4487fd152ad19c2a406a46f55ae75ecd421a779888c2e4c170857b16bfb5d8744bc1815a4732ed50b064b3cbd0c5ffad889
-
C:\Users\Admin\AppData\Local\CefSharp\resources.pakFilesize
8.0MB
MD54933d92c99afa246fc59eef010d5c858
SHA198d443654e93c73dd317f9f847f71fba3d5b3135
SHA25662f4674daa15245ee081920b8ee191e72f36ca8fe24f6b986a832f45676915b2
SHA512a3a69523c8e7310716daeebc06c2ba4fce673eccd1958e824ff179b82f4502d0ec095190179bbb387342e4150f952ea7533182fb6ba90377d17dafba8f4da623
-
C:\Users\Admin\AppData\Local\CefSharp\v8_context_snapshot.binFilesize
643KB
MD528477a60b4fbd51dfef5237245817690
SHA1b0afd5ea9f9d550124f23c65bc7851ddeffc662f
SHA256169ea86f544e5cdf2a460675f876a9abb7f56bbe122782e94bb03d624931fc12
SHA5123520658583bb498d5032a7f7ae77195fd2e5f8ed03c6531e56dee8320d8701102a723766e59f7766ab223f837e65a6d85cf862bb2bef6d2755ce45e672a47b22
-
C:\Users\Admin\AppData\Local\CefSharp\vk_swiftshader.dllFilesize
4.4MB
MD50ec149455727ace9acc09b3ba2c3a2b2
SHA16eeb990876cef6a34115b67f3190255db589f723
SHA256e2d8ef53897e864b5b66bc73606681c99461798a9f4c1e13ca5cef7bc774d7fd
SHA512c8eaa598c9439b1f2375fdac1f58896853510bddbd640707b9142c0d3793836120b28d7c2bd0407f0d5656dd19f14b312f37b7ac0165c9cc8b4c1a0f2af62531
-
C:\Users\Admin\AppData\Local\Luau Language Server\server\index.jsFilesize
6.1MB
MD56b1cad741d0b6374435f7e1faa93b5e7
SHA17b1957e63c10f4422421245e4dc64074455fd62a
SHA2566f17add2a8c8c2d9f592adb65d88e08558e25c15cedd82e3f013c8146b5d840f
SHA512a662fc83536eff797b8d59e2fb4a2fb7cd903be8fc4137de8470b341312534326383bb3af58991628f15f93e3bdd57621622d9d9b634fb5e6e03d4aa06977253
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD587f7abeb82600e1e640b843ad50fe0a1
SHA1045bbada3f23fc59941bf7d0210fb160cb78ae87
SHA256b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262
SHA512ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5e1f8c8d88aca227b2cb14d44e72b2acf
SHA1d262e31c60be7c35fbb92105e1be1503c473aabd
SHA2564e798988fc5b98034948ed739373f667631a838832d85b7f799658ed53606a6a
SHA512706c2f493bdf472d16d2ccf0939427e6a171a27d76072a4794c5d464fe5e104aef9ab60ab6964bc30bdb4187aac15da5358caad8365c4f807652c9f4e1bfb0eb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
8KB
MD58e3094074a7c89e7ac0112274d9d74be
SHA1fa002553342e734c893bf5ee4a066559a0f39a87
SHA256a65cc5a14cbfcc156e66f6cad0574f721544bbbb78453dc6b688213de6d079e1
SHA5122a1ed21e8f473417703a06bce1154a57d086c14b7cdf2c86dfa0c6b6c6c41c8269dd41608387ee7200db01824374c560f42fd40dca5e4299bbbe7af257227d8a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\activity-stream.discovery_stream.json.tmpFilesize
34KB
MD5a27b14a4897393ac6955a4b84282c714
SHA1e6c8afc3720df32c7b94da062036e4606eac05a5
SHA25640b29af9a6a6a308e4b61b104b609a2e7ccf4785debeacfb76c68f672ae484d9
SHA512ba4478e4a22236411883f8392b910d02a7ed378f1e40a46b2d4342ebbc832a88042cf0ba67883f25112b9ad50e8d0f4c53216d189932a39b059829c5f65ef47e
-
C:\Users\Admin\AppData\Local\Wave\CefSharp.Core.Runtime.dllFilesize
1.3MB
MD509cba584aa0aae9fc600745567393ef6
SHA1bbd1f93cb0db9cf9e01071b3bed1b4afd6e31279
SHA2560babd84d4e7dc2713e7265d5ac25a3c28d412e705870cded6f5c7c550a5bf8d5
SHA5125f914fa33a63a6d4b46f39c7279687f313728fd5f8437ec592369a2da3256ccff6f325f78ace0e6d3a2c37da1f681058556f7603da13c45b03f2808f779d2aa1
-
C:\Users\Admin\AppData\Local\Wave\WaveBootstrapper.exeFilesize
939KB
MD5258a9cae6024c91784bbd8aa5379e86f
SHA1fe1a808ba23053413359a78d5ec096b2cd540dd5
SHA2563881840473ec5286189d2fc8e85f0f26a2532890055d1653da9580aa31b2d0e5
SHA512b621ef432b430d2df0443fa0ebdd59dc7de6b32375c2fc83e8474838843c4abcf4a35f2b5f80e78911fc52336d71812ca9fbc9919314ea3b59bd26036a4ea5a5
-
C:\Users\Admin\AppData\Local\Wave\WaveWindows.exeFilesize
7.5MB
MD57e09dde2226c18dde3c76471c01b3665
SHA194bb80704e14314331e007b942a64f423104644f
SHA2564f9a703b0491de02519a343659f0a351f6ad09942cd82920995d5fa89e6571ae
SHA512c61c911eb37c758f64ae9372eb4208210b6a964bb8604d3fcd3285805448b1801a91c519ed0294815f8167500654b423d19161a82c82f7935ec637c4038c93dc
-
C:\Users\Admin\AppData\Local\Wave\d3dcompiler_47.dllFilesize
3.9MB
MD53b4647bcb9feb591c2c05d1a606ed988
SHA1b42c59f96fb069fd49009dfd94550a7764e6c97c
SHA25635773c397036b368c1e75d4e0d62c36d98139ebe74e42c1ff7be71c6b5a19fd7
SHA51200cd443b36f53985212ac43b44f56c18bf70e25119bbf9c59d05e2358ff45254b957f1ec63fc70fb57b1726fd8f76ccfad8103c67454b817a4f183f9122e3f50
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs-1.jsFilesize
7KB
MD54de78c1fd3bcdb5b12640a645180b794
SHA17414e0bcf8b27f105d6a32ae45ba09d612cb2dd4
SHA256c6f34905c82f8e5df221de962ac7ecfc3ca250c3b84eb1091f538b0b1674a5ad
SHA512d198942e8bb4d3b316b772b27de596f74c0c490f7d16f034721339fce6e3f6c754a1bbf115dba97ca9c6681ccf83b90edaf755f276edda072b8dde93d7cac975
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\prefs-1.jsFilesize
7KB
MD583c2e1187a7967bec6c847a0b7de5369
SHA1d61fc044814120710d6deaf4a7b4b0b2e8623583
SHA2569e0fbab6c4e48c6e5753776bae1c4fb28c8b4a4f898fd45f87c9a4070cc266d9
SHA512eef2e3480a251096d3c61ae1e3053cc26d325ed2943d860275c10b4292265e6856d0de276f2f4a84b868f338b77ad6f3090a2d56a7fdf23d90a6b72d83b2b84d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4Filesize
112KB
MD5c1e8d0b5947455c61c964c14c33fa069
SHA171efce3ced5082f42d7174c707206d31308dbb85
SHA25635078efea293d23e7370128b5b9d5ce7a4669efbddac9232394e47627e29cbe2
SHA51206f47c114072c5ac59f1c2f155fd7a0e5778c9496bd15a0e2e7b51954ebceb6ff183f83bb8c2fa7416a1e46ae2c344e287467b53df8326428f41f2c5d8e13ce4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore-backups\recovery.jsonlz4Filesize
112KB
MD5f8bbf6f153399831f556e97ffd4b1ca8
SHA193e42ce6e73b6d8252226b13e4313ed1746268c3
SHA256d5d63e7ce85a35a8e2c802337129a92399053750bd54fda9850a0fb070149302
SHA512e4f2b766aa6a66d9ad312bc293cfe5ce40ec55d222b221df0469933e3998ac6bb990aafd2ea314f280d6dfa9111a52135cb5bf87b204716fcde722d8f608827b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\sessionstore.jsonlz4Filesize
111KB
MD5b5edfa4edc86ba10236db7006bdef94c
SHA1939b2964a4ab6c109f5e46028adaedb508066b8b
SHA25604e56364245b45615a3189ac676dc6bea4ceb3d960eefa7c4b98126e2863e302
SHA5127039040085480444b28eaf2a16206ff728744532ceb470325df72e399bcad658f3143cf7189b93329e93d8b2290bbe9cb8659325416043e33179a092f5f0e157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\xs8l7p8u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqliteFilesize
192KB
MD547291f5bffb17c1658b2811eee4df7be
SHA1e030537635d7c86eb9fe73d9c7fc05f5c4165545
SHA2561385c163850263d9c6806b1defd58aa25e00b04a0faf83446c25ec92ac761f31
SHA5127582a960472b794ae598be82cf65857cb51b389ac657c20e394d041db7a46a1eae761a2530090f67ec0e4d90edf84a7139593bc846731130b14b44a13b8d4c2b
-
C:\Users\Admin\Downloads\WaveInstaller.DeZvm_RI.exe.partFilesize
196KB
MD5c496b19062efde2e19d08ec8e42145b3
SHA167a0df12e8a879003be53043ea2068e99509b9d9
SHA256011bd3ec4086adf53f7845b85624587c15854033a9e983cd7c7b3c3043c521d2
SHA51260243219483045db803f6d460c5e2f013b32b88b2aadbde6991301507452a9e4376ba6367ef735d059f77b5fb0c8916546a01f95d8199717914465755d0544d5
-
C:\Users\Admin\Downloads\WaveInstaller.exeFilesize
1.5MB
MD5c822ab5332b11c9185765b157d0b6e17
SHA17fe909d73a24ddd87171896079cceb8b03663ad4
SHA256344700d3141170111a9b77db100f6961cc54a2988d964d34f7e1ca57aa42aa2a
SHA512a8612836fb4714b939d03f7fe08391bbc635ca83ab853fc677159e5db6b00f76b9b586bdae9c19d2406d9a2713d1caf614132cb6c14e1dddc6ac45e47f7e5a5d
-
\??\pipe\LOCAL\crashpad_5740_EOASKKHEPOMMEFYLMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/648-193-0x000000007444E000-0x000000007444F000-memory.dmpFilesize
4KB
-
memory/648-291-0x00000000093D0000-0x0000000009466000-memory.dmpFilesize
600KB
-
memory/648-517-0x0000000074440000-0x0000000074BF0000-memory.dmpFilesize
7.7MB
-
memory/648-124-0x00000000096D0000-0x0000000009708000-memory.dmpFilesize
224KB
-
memory/648-125-0x00000000096A0000-0x00000000096AE000-memory.dmpFilesize
56KB
-
memory/648-120-0x000000007444E000-0x000000007444F000-memory.dmpFilesize
4KB
-
memory/648-297-0x0000000009640000-0x000000000964A000-memory.dmpFilesize
40KB
-
memory/648-296-0x0000000009630000-0x000000000963A000-memory.dmpFilesize
40KB
-
memory/648-295-0x000000000A7E0000-0x000000000A852000-memory.dmpFilesize
456KB
-
memory/648-293-0x0000000009610000-0x0000000009618000-memory.dmpFilesize
32KB
-
memory/648-292-0x00000000095E0000-0x0000000009606000-memory.dmpFilesize
152KB
-
memory/648-121-0x0000000000400000-0x0000000000592000-memory.dmpFilesize
1.6MB
-
memory/648-123-0x0000000074440000-0x0000000074BF0000-memory.dmpFilesize
7.7MB
-
memory/648-122-0x0000000074440000-0x0000000074BF0000-memory.dmpFilesize
7.7MB
-
memory/648-204-0x0000000074440000-0x0000000074BF0000-memory.dmpFilesize
7.7MB
-
memory/648-203-0x0000000074440000-0x0000000074BF0000-memory.dmpFilesize
7.7MB
-
memory/648-198-0x0000000074440000-0x0000000074BF0000-memory.dmpFilesize
7.7MB
-
memory/648-126-0x0000000074440000-0x0000000074BF0000-memory.dmpFilesize
7.7MB
-
memory/3056-519-0x000000000A210000-0x000000000A21A000-memory.dmpFilesize
40KB
-
memory/3056-520-0x000000000A250000-0x000000000A258000-memory.dmpFilesize
32KB
-
memory/3056-518-0x000000000A1D0000-0x000000000A1E6000-memory.dmpFilesize
88KB
-
memory/3056-521-0x000000000A2B0000-0x000000000A2CE000-memory.dmpFilesize
120KB
-
memory/3056-514-0x00000000003A0000-0x0000000000490000-memory.dmpFilesize
960KB
-
memory/3056-515-0x00000000094A0000-0x00000000095A0000-memory.dmpFilesize
1024KB
-
memory/3264-537-0x0000000000A00000-0x000000000118C000-memory.dmpFilesize
7.5MB
-
memory/3264-612-0x000000000FB90000-0x000000000FBB2000-memory.dmpFilesize
136KB
-
memory/3264-606-0x000000000E9E0000-0x000000000EA92000-memory.dmpFilesize
712KB
-
memory/3264-548-0x0000000006DE0000-0x0000000006F3B000-memory.dmpFilesize
1.4MB
-
memory/3264-538-0x0000000006510000-0x000000000655A000-memory.dmpFilesize
296KB
-
memory/3264-539-0x0000000006680000-0x00000000066A4000-memory.dmpFilesize
144KB
-
memory/3264-540-0x0000000006A60000-0x0000000006B46000-memory.dmpFilesize
920KB
-
memory/3264-613-0x0000000010820000-0x0000000010B74000-memory.dmpFilesize
3.3MB
-
memory/4368-574-0x00000000053E0000-0x000000000542A000-memory.dmpFilesize
296KB
-
memory/4368-567-0x00000000052A0000-0x000000000538A000-memory.dmpFilesize
936KB
-
memory/4368-563-0x0000000000A50000-0x0000000000A58000-memory.dmpFilesize
32KB
-
memory/4428-7778-0x0000000000BD0000-0x0000000000C05000-memory.dmpFilesize
212KB
-
memory/4428-7668-0x000000005DAB0000-0x000000005DCC0000-memory.dmpFilesize
2.1MB
-
memory/4428-7667-0x0000000000BD0000-0x0000000000C05000-memory.dmpFilesize
212KB
-
memory/4428-7730-0x000000005DAB0000-0x000000005DCC0000-memory.dmpFilesize
2.1MB
-
memory/5712-7762-0x0000000009960000-0x0000000009961000-memory.dmpFilesize
4KB
-
memory/5712-7765-0x0000000009960000-0x0000000009961000-memory.dmpFilesize
4KB
-
memory/5712-7763-0x0000000009960000-0x0000000009961000-memory.dmpFilesize
4KB
-
memory/5712-7761-0x0000000009960000-0x0000000009961000-memory.dmpFilesize
4KB
-
memory/5712-7766-0x0000000009960000-0x0000000009961000-memory.dmpFilesize
4KB
-
memory/5712-7756-0x0000000009960000-0x0000000009961000-memory.dmpFilesize
4KB
-
memory/5712-7757-0x0000000009960000-0x0000000009961000-memory.dmpFilesize
4KB
-
memory/5712-7755-0x0000000009960000-0x0000000009961000-memory.dmpFilesize
4KB
-
memory/5712-7767-0x0000000009960000-0x0000000009961000-memory.dmpFilesize
4KB
-
memory/5712-7764-0x0000000009960000-0x0000000009961000-memory.dmpFilesize
4KB
-
memory/6600-7923-0x0000000001000000-0x0000000001035000-memory.dmpFilesize
212KB