hxxps://github[.]com/KingzCheats/Fortnite-External/releases/tag/1[.]0

Analysis

max time kernel
387s
max time network
383s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/KingzCheats/Fortnite-External/releases/tag/1.0

Score

8^/10

microsoft discovery persistence phishing

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	VC_redist.x64.exe

Executes dropped EXE 7 IoCs

pid	Process
5204	VC_redist.x64.exe
3576	VC_redist.x64.exe
5612	VC_redist.x64.exe
4912	VC_redist.x64.exe
2504	VC_redist.x64.exe
4336	VC_redist.x64.exe
2196	VC_redist.x64.exe

Loads dropped DLL 7 IoCs

pid	Process
3576	VC_redist.x64.exe
2504	VC_redist.x64.exe
4336	VC_redist.x64.exe
1664	VC_redist.x64.exe
1096	loader.exe
1096	loader.exe
1096	loader.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{c649ede4-f16a-4486-a117-dcc2f2a35165} = "\"C:\\ProgramData\\Package Cache\\{c649ede4-f16a-4486-a117-dcc2f2a35165}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5a0e6b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a0e6c.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{AA0C8AB5-7297-4D46-A0D9-08096FE59E46}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI102E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI15FC.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{19AFE054-CA83-45D5-A9DB-4108EF4BD391}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e5a0e6c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a0e59.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI11F4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI19A7.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a0e81.msi	msiexec.exe
File created	C:\Windows\Installer\e5a0e59.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000982641fbe24eac720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000982641fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900982641fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d982641fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000982641fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\24	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\25	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\450EFA9138AC5D549ABD1480FEB43D19\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33135"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\450EFA9138AC5D549ABD1480FEB43D19	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X64,AMD64,14.30,BUNDLE\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.38.33135"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5BA8C0AA792764D40A9D8090F65EE964\VC_Runtime_Minimum	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{19AFE054-CA83-45D5-A9DB-4108EF4BD391}v14.38.33135\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.38.33135"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\PackageCode = "1688782943A356649B2B29F7077E1BE1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\5BA8C0AA792764D40A9D8090F65EE964	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3270530367-132075249-2153716227-1000\{DB8220B3-CF36-46E5-874A-E5C2C6A3D6D5}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\ = "{c649ede4-f16a-4486-a117-dcc2f2a35165}"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.38.33135"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.38.33135"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\450EFA9138AC5D549ABD1480FEB43D19	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{19AFE054-CA83-45D5-A9DB-4108EF4BD391}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.38.33135"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.38,bundle\Dependents\{c649ede4-f16a-4486-a117-dcc2f2a35165}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\ = "{AA0C8AB5-7297-4D46-A0D9-08096FE59E46}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\Version = "237404527"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\Version = "237404527"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{AA0C8AB5-7297-4D46-A0D9-08096FE59E46}v14.38.33135\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5BA8C0AA792764D40A9D8090F65EE964\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{AA0C8AB5-7297-4D46-A0D9-08096FE59E46}v14.38.33135\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5BA8C0AA792764D40A9D8090F65EE964	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\SourceList\PackageName = "vc_runtimeMinimum_x64.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\Assignment = "1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5BA8C0AA792764D40A9D8090F65EE964\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\450EFA9138AC5D549ABD1480FEB43D19\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\PackageCode = "F31F6C1FFC7AAFF4D8FF3C825AB567E9"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\450EFA9138AC5D549ABD1480FEB43D19\DeploymentFlags = "3"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 70564.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3744	msedge.exe
3744	msedge.exe
1404	msedge.exe
1404	msedge.exe
404	identity_helper.exe
404	identity_helper.exe
3592	msedge.exe
3592	msedge.exe
6072	msedge.exe
6072	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
2736	msedge.exe
5364	msedge.exe
5364	msedge.exe
5012	msiexec.exe
5012	msiexec.exe
5012	msiexec.exe
5012	msiexec.exe
5012	msiexec.exe
5012	msiexec.exe
5012	msiexec.exe
5012	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	220	vssvc.exe
Token: SeRestorePrivilege	220	vssvc.exe
Token: SeAuditPrivilege	220	vssvc.exe
Token: SeShutdownPrivilege	2196	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	2196	VC_redist.x64.exe
Token: SeSecurityPrivilege	5012	msiexec.exe
Token: SeCreateTokenPrivilege	2196	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	2196	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	2196	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	2196	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	2196	VC_redist.x64.exe
Token: SeTcbPrivilege	2196	VC_redist.x64.exe
Token: SeSecurityPrivilege	2196	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	2196	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	2196	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	2196	VC_redist.x64.exe
Token: SeSystemtimePrivilege	2196	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	2196	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	2196	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	2196	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	2196	VC_redist.x64.exe
Token: SeBackupPrivilege	2196	VC_redist.x64.exe
Token: SeRestorePrivilege	2196	VC_redist.x64.exe
Token: SeShutdownPrivilege	2196	VC_redist.x64.exe
Token: SeDebugPrivilege	2196	VC_redist.x64.exe
Token: SeAuditPrivilege	2196	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	2196	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	2196	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	2196	VC_redist.x64.exe
Token: SeUndockPrivilege	2196	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	2196	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	2196	VC_redist.x64.exe
Token: SeManageVolumePrivilege	2196	VC_redist.x64.exe
Token: SeImpersonatePrivilege	2196	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	2196	VC_redist.x64.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe
Token: SeTakeOwnershipPrivilege	5012	msiexec.exe
Token: SeRestorePrivilege	5012	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe
1404	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 3992	1404	msedge.exe	89
PID 1404 wrote to memory of 3992	1404	msedge.exe	89
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 4260	1404	msedge.exe	90
PID 1404 wrote to memory of 3744	1404	msedge.exe	91
PID 1404 wrote to memory of 3744	1404	msedge.exe	91
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92
PID 1404 wrote to memory of 4776	1404	msedge.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/KingzCheats/Fortnite-External/releases/tag/1.0
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe1e2146f8,0x7ffe1e214708,0x7ffe1e214718
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4104 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1920 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3444 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:5712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6940 /prefetch:8
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,14083318908202858264,3778238835913391837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5364
- C:\Users\Admin\Downloads\VC_redist.x64.exe
  "C:\Users\Admin\Downloads\VC_redist.x64.exe"
  2⤵
  - Executes dropped EXE
  PID:5204
- - C:\Windows\Temp\{C6E6970F-D12E-46A9-8AD4-857EAFB62537}\.cr\VC_redist.x64.exe
    "C:\Windows\Temp\{C6E6970F-D12E-46A9-8AD4-857EAFB62537}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3576
- C:\Users\Admin\Downloads\VC_redist.x64.exe
  "C:\Users\Admin\Downloads\VC_redist.x64.exe"
  2⤵
  - Executes dropped EXE
  PID:5612
- - C:\Windows\Temp\{490DFBDD-FA90-447A-9D61-E004BECFD6E6}\.cr\VC_redist.x64.exe
    "C:\Windows\Temp\{490DFBDD-FA90-447A-9D61-E004BECFD6E6}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x64.exe" -burn.filehandle.attached=528 -burn.filehandle.self=536
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2504
  - - C:\Windows\Temp\{BEC671C9-A094-47D1-B87B-9763AB3AE319}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{BEC671C9-A094-47D1-B87B-9763AB3AE319}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{80EE6229-F709-41A0-93DE-B1FAB6378DE2} {E7E7DAAD-C249-473E-8EA3-EB52BBB54392} 2504
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:2196
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=1136 -burn.embedded BurnPipe.{9A09FE29-7DA0-4C99-987C-278294536BDA} {64C804CA-0364-4F2A-82C6-F3D413259F92} 2196
        5⤵
        
        PID:4112
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=1136 -burn.embedded BurnPipe.{9A09FE29-7DA0-4C99-987C-278294536BDA} {64C804CA-0364-4F2A-82C6-F3D413259F92} 2196
        6⤵
        Loads dropped DLL
        
        PID:1664
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{CFACD12E-EF51-4540-8A3D-37E61835A895} {F7059C01-774C-4CA6-AF47-94860617248D} 1664
        7⤵
        Modifies registry class
        
        PID:3816
- C:\Users\Admin\Downloads\VC_redist.x64.exe
  "C:\Users\Admin\Downloads\VC_redist.x64.exe"
  2⤵
  - Executes dropped EXE
  PID:4912
- - C:\Windows\Temp\{B3610C5F-FADD-49FD-87F8-29CC03058F15}\.cr\VC_redist.x64.exe
    "C:\Windows\Temp\{B3610C5F-FADD-49FD-87F8-29CC03058F15}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=548
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3416

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5404

C:\Users\Admin\Downloads\KingzCheatsV1\loader\loader.exe
"C:\Users\Admin\Downloads\KingzCheatsV1\loader\loader.exe"
1⤵
PID:5948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:220

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:3684

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Users\Admin\Downloads\KingzCheatsV1\loader\loader.exe
"C:\Users\Admin\Downloads\KingzCheatsV1\loader\loader.exe"
1⤵
- Loads dropped DLL
PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a0e5e.rbs

Filesize
19KB

MD5
256453d14cdb74723a92b7b475a6f7af

SHA1
98bfa65e65e43374b13da4aee0d95996bd5fe1b9

SHA256
e53650ca65043201789005efa3abd26ac6a4f6a561f481738615eeddb8539cf7

SHA512
92ccbf799f9a73b2ea23027354ba63c6074a036379acdd61447f79249c8e314a25abaa6e48d9d0805eb293e00f609c8f795ee072968024eb138338862f1874df

Download Submit
C:\Config.Msi\e5a0e6a.rbs

Filesize
19KB

MD5
703d25c5e2ebf766927e4c3b06716360

SHA1
471bc9b1e1792e9a85b3eb3e079eae8e82cab2be

SHA256
d0d0313a86011f11cc211e9a1ab8c0af03fd52694733bb2a4a50eeacfcd9997d

SHA512
3e657d01635a8d7cfa4dc4a17a0b844d89a00ea9f480d5f221e6a5522b0660e3d794cbea61faf8e156ac300e9c09349c49ef8e7713039081b70594312e498cb3

Download Submit
C:\Config.Msi\e5a0e71.rbs

Filesize
21KB

MD5
4af5fa4364fb101428e924c892db17c2

SHA1
bde205de792ce8f89323bd6d482a5e00432030d1

SHA256
6397f4532b399464abe930c4c27ba0a759304d7bfbf8303f578c39217101102f

SHA512
d290b2564a30a1787a7e7bffd9726383942aee3bf216eb26ed353b13bb7849a6603f9c906b992fa494e522fa6eff352602aab21c73aadc0d561ce1d604764679

Download Submit
C:\Config.Msi\e5a0e80.rbs

Filesize
21KB

MD5
6c72fd36f5b43ce4de9e34bfa825ceef

SHA1
d2aa5a0ec1629698e16147e7c729de69f6412987

SHA256
7646cb3e12a41d5c81d5fc0348c84e48eac08ccf39aae92b674005299e572a04

SHA512
431c73fc5aaca7e87137e1a94aa0b866a88ab37d92177b7d82970fe94b06dc2904504c71482db2b403d2093c45c5d15eecaa9245c567f9d05e9e1f21117e0376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cbec32729772aa6c576e97df4fef48f5

SHA1
6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

SHA256
d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

SHA512
425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
279e783b0129b64a8529800a88fbf1ee

SHA1
204c62ec8cef8467e5729cad52adae293178744f

SHA256
3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

SHA512
32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ca1dcce50bc6e79e4a30b7faaa4139a0

SHA1
ffe7d24dfc0c1b57b718ac46bd050b279e85953e

SHA256
9cbe57f2965d32ee30f9f874f7a5d35a897c12f0c5e0e36c2f4494335dd3d654

SHA512
e2dafccddfec2db405b84ad2929539705fb11faa0b08305f6d272f2b88d31379863f9b3a23a88b6cafe584370852483c2a63f19685d43ee99cd04ae0600c3818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
4c6aa8a4dc2e5e54c2b8c9e5273d5f80

SHA1
8712fdf7b49930cf52fdcd50a4a219021e3f5cbb

SHA256
554c526bee1cec476ea0a08be7c61ff2ed108c424d2ab914f08551443e914c3c

SHA512
57a0804917f7d067573fd8633e37470e65c29d05e3d0467e75eec7d27d9a20ade1dbfc6a860472cdac69d6d54c79c7ba8e820a8f09f9b04d1c1adabfa3597f48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
be1f97a31376c3cff0c6cafcc7ef819e

SHA1
59db035a08cbe7972b2eb8c497b1c4a7849c4ee1

SHA256
434f5a234dc1a83b866b59b07a7e8b8aacf8ac9380a29d313d7140291b3a566e

SHA512
79ba579fed4b071fe79b1c6d0213571e691849dfd1792ce27c306ff41401a1b69811e1893a70a6ce231a8b7415b624e004be02ec1da3a68714dcc18665e8b717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
566B

MD5
25a9370483f33e0d6358c387ba2edc99

SHA1
2bf12703718d93adf05bdaa575a5e17d29b43dc4

SHA256
a6dcf65d4d3aa44aaf076efb110d83b06e46f4b0dfa10d7314e5a6951283b431

SHA512
e4f5d537551c444166afe386e4f17efbfc0541f38201cb5b9dd925c6212541fee1f081555b44e7d4cfc99c14b892a730356f1b7e4ebb5b7679d496bde8a0e7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f2cb63e5ec10c810e5057607671acdec

SHA1
87bc9998d7653c0a11c7b08d6c619461ce068993

SHA256
c514616eaad1bb3054be23f2530f89c14aea127b6863c6b3e204f9b90c5d6c39

SHA512
36911175f54922c6a1220b0ebc8b6b6ca3f6fd614dc298f30602ffb33ce976acd636062699e0c66bb69b13cb84fdae373ec7530851f0eaf4167c3c1f9650a2b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c452b0aca0c4a0f375a28049b2bbd914

SHA1
2450270d79e901f719b39f2d9244eff2e6ec2b5d

SHA256
817e80bae6c813f39165a8335ffd08e3cc4fbf9c9626cf03a13fbd1b25b2363e

SHA512
c579188162e56eaf4dc0358b46fdcefba30e80ea76ffb2a9c910e69fe1a0acd6693d1e7a65aaf8dce22c563c55440760b6e68c907f5ce725e3776a08d1d9fde7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1b89f119c7328a4a71caf9f7d818f4e3

SHA1
964df9b57dc78a7c245d238e94ac4fbf632eba06

SHA256
da59487cd2c1602789e94daa06b4a4aa51c2fa8ad773a4c48b8b912cd0beb8ed

SHA512
514746e56f64d4aa7f1263900ab7f64a0b345f28837f9c738f9783e8f14a3c0d22cb285779a1dbb6b2738ae21d2f0b51f2f70c2f4bacefd8422fe117daa6a930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a242c0bfb1ba6e39766b3a1a990d293d

SHA1
bb8b5b5d62b66368ef42e307e04a20f888748079

SHA256
5b55a6ce9b120991f3985e12d46733a62513159f643e358cdae5c1762cbf0280

SHA512
521068b70ab8cc80f51f15eee60309b0e0bebb7140f675b25293350d7590fd7bc35358374e16ed23dbe46bd8f4c5de2dc016179acf5d10ba160ad44dea4cfe82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb3625fe1a7d04869ec84fae5a78c839

SHA1
7a59f00298340b1a6d570cd84e458c4d08b4874d

SHA256
572da74e20cb81a83245347c2e7f4ad39b98a9e2932a0b72bd0bbe428b4e6df3

SHA512
e6badeefc79f2dd56ac26251a306e415205f7533b6a87f6fcd319f3696ac443dcbf7f9cfaaa6727793b0e1299de2096fb372f63aee4e1c63a2c2723a98c75da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ce0d2ee04c4517c9261a544ed62b9ec7

SHA1
5fadd0ebf748d05bf44e7523f24827647bbe346c

SHA256
3c81a53cb46c487999141db2c77d876263faf7c0c4f8ff521e09ad725c89c837

SHA512
fe5e28995ae820b78f272d358366ea8a138665df1123c707c28f02ea9fec5545d1f60d562dd5fdef527cab19f40792d309ce6639537dbfcbffcea28f877266ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
b55178db04ecd64e76aaad6f5f34fa3d

SHA1
80dbba757db030a12676c7f83d237a3ebda4f2af

SHA256
bbaaac1c2fc6823c18628129f7ab8fd62d11ec9f07ee7e198bc1f4b7bde49aa7

SHA512
9d3a8aa20be6ace4db1d25cbfc204217ae73d3a1f220eb44a375f3271cdc163d4d85e369b773883b10e736361783cc27faaa30486d0b5805792c8a754ba13953

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cea018e93983e9d764e93e95e9351f12

SHA1
dd925da3a1a833a44a0d21d46ed2ce6eb073c88c

SHA256
c819bfb00fce1f10a1de2f34a0cb5eed5c2c4e7dee69b4c9b1baa3e6de08407f

SHA512
7b0c6e03f749e7bf4af50a94e7f5c4f382eb82fac7cfc476fd8da55ca6adbd32cdaef7479f3b88894b4b2e9130ab37feb3b92135f290f6be929f1f693e55d467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6c4a09cc2ea2160ea6ce9dafc1feaf80

SHA1
0857e75df44f6ec8af15eb006593cbb6385da7dd

SHA256
32d0e2af423c218a763077bb2bc500967e917948f4a317b5899af0a91d9a78cf

SHA512
a8c72f47896a88acff0859a96731cea31c3149e5898d0c3c9f0346ee864aa7c4900ad2d3bd063c42e700461841d15bf0bc11bfda8b923916b01bb1bb078a92c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6af67546bf3f4bd341a5d4841a5cee5c

SHA1
0f340ff9af4fc072fb8d3f9ec9cf863af6d3f5db

SHA256
361e724908d6a9341306f6cd7a6cc58f0f0fcf3dec2908f9af9b2cd50ca8611f

SHA512
4ba344dad2b79aa86fd09de1daa81f212e706369d97e9fa2afa850ce176062d1f0842af0590528f6dc605d5aa8db2517ada1a5ec5f425fe422e9402e4fb55b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
46fd5227806e47b64fa9c0322c069890

SHA1
dbaffdbea0f3983a79d516f68545f4970a840a9f

SHA256
865069151ee11d7275fd72704c9ffd2a0caf076178b40401988c031caa9efbdc

SHA512
608c71253284d4ef1e7335ba84e7ef39fd1309b53293769b6dda745a6b23d5fc618f1effabe949e4864fe6431bcd5e4f15f3756a63b94322aa771c0ae07bea03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8318ba0d679e85d44a19bb15d178f0b1

SHA1
807715384a1afaf0b2b232874bf0b373bd708a92

SHA256
dc4b8b82f0f05f0d9ab4c097db80faa0db1ba8096a2a96a1820766038fb6e9de

SHA512
a3c970b2769b85f458552ff0fbf589bfe1915aa6de958520bc3ba91123cd307a725d1e218e6a678a4780fc851c2f9ca13ee92b43c5f47d21847755cccf87a57c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
183c9e337618f6623aef21193c2f8c59

SHA1
1046fe201fe32d1171d4eadc5bb6167a17a26c1b

SHA256
edcea247a7db52abbe450cd54028c3a519e2a994233f7ccc20040b6e547ad644

SHA512
32030ca717809ab6a1b30447aac77b51b254efad7fcb1852528f7a897c60dd5e5c1a295b0f3169996b69c9bd5abc02987161b5622edb1ae4a8a34f4a3341db93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579625.TMP

Filesize
874B

MD5
fa53f0e98584afa8dbce335a4374fd4b

SHA1
67138f9075d80ccad80fecf7800a03b32c387f46

SHA256
beee6d40160b93a2fe3ac0e5f36f17f3c1927569b9b51d09c1935703c93a19f9

SHA512
6754808bd8e6f8195d9a52bbb85233ef9df4d8d613d11986c489d9ae0aea9841d4517a189fd14869937d6dbe57a0ecd00bd125e73d900ce5625e7cda63327800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
fde688ee8fd6a48cc4dbb5967fc9bdd0

SHA1
5bafa7ca2223688aa35d3689180561bc264dad5a

SHA256
3bd44d0c795b771bab98ee5d26669d4d020b27316a25010e9a634466b191db5f

SHA512
f9978f21bcb4da348f609a3bdbef3ea5a469e2d5801029cfdad2f0f06cd821a6928cf90196a8d99b9c87a9564a1d8ad180f2f027266556bde80c1a5539fc6023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d6856132a26ceb1ad09eb8465a12245d

SHA1
e406f9e8ba2ad20b992f75cacf0e3a9fff6672ca

SHA256
93f67b571684735b8233ac4ddc3ba94144b76603ab24a5109161a743c28733a4

SHA512
dc074802574ca4c96d738b3ab0101a1585f058950decdfbaad07a260f38ef4de60c6ac43c379f98b6d6a4d5c3a4fc3ce8da71a5522653331da0c8f592fe8046d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ed5bbcdd2171cfdaec54f6320fbb3547

SHA1
5715d86a76ce5111d226b31995f264a2f3da0c4c

SHA256
ee4512b0ca8769c37fc0c22eb063c30e000b4fe6f8774e48996b91160e032c9f

SHA512
de4972cdd1a01ad859a7442d929c6be39849bd7d6245929c5a4b647cc9a11232803c6068276beeb2ba04ac141507043ae05e5384fb8461b6c1d4c7c26cc64c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240312204236_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
6e61f20f097d2119e2b0de8cda0fa8fa

SHA1
6ae11b1ebf9e1fbd8c0391a5e19a8b375466df34

SHA256
99b29148b384a87a2c5076c88e8429fcc0d9544700deb182e2476dc88efb19f7

SHA512
c37b92a4f97b03a0e3bdd70567b2a0451ff6f15c77dcda637760be47a8b230b15152fa7fbaab681967310ac21a41ebcef9f89fff63d5fa142a8d12449d45ac62

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240312204236_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
2a6058b49450893ea5f916ead14aac3f

SHA1
497321afc6f09c45a816244d35d0f409ef0e5095

SHA256
d993f0af5d1e24871cbfb17f620c615f5085419386d0534af806e412f8b10923

SHA512
da888683f437673a9a219b8e0c152479ed694a56a231f98f8a04edd6184110a0f47c2434babd71dffca9cee244017f63841325e16b407d49e6c7395c0d21990b

Download Submit
C:\Users\Admin\Downloads\KingzCheatsV1.zip

Filesize
1.5MB

MD5
07e590b1e27a76e37a25f412eb2f8905

SHA1
f644fc32b9dca5c07dc73c93c5fe2c3ffdfcaa9d

SHA256
e79f6861de0eb4fe3673f86f5a3a5891d2276bcf7d533a87a74ea9d062729e5b

SHA512
2bcb4b22ef49e60662395152a07e9d470a63069ff1f31c977d25f70c9de1119e4f68c785ba30a2732e704e617288c7d07a5a5b93c18ccb23f3106880bb4215e2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 70564.crdownload

Filesize
24.2MB

MD5
a8a68bcc74b5022467f12587baf1ef93

SHA1
046f00c519900fcbf2e6e955fc155b11156a733b

SHA256
1ad7988c17663cc742b01bef1a6df2ed1741173009579ad50a94434e54f56073

SHA512
70a05bde549e5a973397cd77fe0c6380807cae768aa98454830f321a0de64bd0da30f31615ae6b4d9f0d244483a571e46024cf51b20fe813a6304a74bd8c0cc2

Download Submit
C:\Users\Admin\Downloads\VC_redist.x64.exe

Filesize
21.7MB

MD5
c88a72fd8ae645ce0e10de930f703b29

SHA1
cbacfcbcc0396a402b61fd3dc43ea0b12b347425

SHA256
5ea480f86c5972875bb9ce080430307b823cb3e1e23d1f07f862b9df6b98c2e5

SHA512
788ad9f610434ad8bbb3bc09c94080488235284433ef3d52af6e6e732417240c5a5588460b91f70478928a1c0784e0b7a6e738bf3c0e8806deb65aba395cb544

Download Submit
C:\Users\Admin\Downloads\VC_redist.x64.exe

Filesize
9.3MB

MD5
63704060ac99b300199443cc17b2d98a

SHA1
bce2eb75430159ec951d8c630dfddc74bbf0880f

SHA256
1bf6f56f87d6b7f1baaa4e8b292d18b4a2f72beee79debf01e72ffff7013486c

SHA512
98a1a1277e2a9454eb561868b573579c48926cfadb83bc153c50e5be1b0b80e8f2bf4de6bb4e10fde117af3c8fe905a11619699670a75d06ba22b9811bde964a

Download Submit
C:\Users\Admin\Downloads\VC_redist.x64.exe

Filesize
21.1MB

MD5
7a6f1c9734ec3ebadd60f808f3f0045b

SHA1
234149f158ab25b644773896fd3d7d1a3fb9da3c

SHA256
57371d391d93c7edb8d704ab2a6ecb6ecd5f5da1dd3cef7f4cde468772919a2b

SHA512
5070ed575161a29e3a7626975e3009f4e370e2b741089cc053bac76e0c136ee5111a9f15a1fec791450ce5bf5479eae27eb1c46fe66a0822751ac7dc33017163

Download Submit
C:\Users\Admin\Downloads\VC_redist.x64.exe

Filesize
4.2MB

MD5
9f715da369f962a86fbbba59bd5030d2

SHA1
b8fd6d3ed3fce29d0647369fc33cef1f77ee0012

SHA256
f6ada2e46c55729ff9724f636b906a0591a065b8b913f0d45d55ab914fdd315f

SHA512
bb86b09bfb48b23d920712d08ba525ebe2a900d43dcc004d0ddbd527a4b401de9c17e1f2e301e8483f436c26de4312ee449acfbe8c33fb5f53e184bd2c945d40

Download Submit
C:\Windows\SYSTEM32\MSVCP140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Windows\System32\vcruntime140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Windows\System32\vcruntime140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Windows\Temp\{4F586EF8-6001-4F85-8395-44C2F40BDA7C}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{4F586EF8-6001-4F85-8395-44C2F40BDA7C}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{BEC671C9-A094-47D1-B87B-9763AB3AE319}\.ba\BootstrapperApplicationData.xml

Filesize
14KB

MD5
9f31dac727b29b7d2a79347a433e9d0f

SHA1
5be3aa18cb2ed06e871cdc198e059e11bf92eb58

SHA256
0e5d6ce30f863a00cc2032182a5553d30c175af03815ad1ff1f0e1f7b92f8163

SHA512
700c176b3cd66d31ef7ff656ad23512b7c932d75740aec828504573bdc065cbb6c918ee64eb1d6d082a5e3551d59cb402f932075dd9baa607112e92d25e2655c

Download Submit
C:\Windows\Temp\{BEC671C9-A094-47D1-B87B-9763AB3AE319}\.ba\license.rtf

Filesize
9KB

MD5
04b33f0a9081c10e85d0e495a1294f83

SHA1
1efe2fb2d014a731b752672745f9ffecdd716412

SHA256
8099dc3cf9502c335da829e5c755948a12e3e6de490eb492a99deb673d883d8b

SHA512
d1dbed00df921169dd61501e2a3e95e6d7807348b188be9dd8fc63423501e4d848ece19ac466c3cacfccc6084e0eb2f457dc957990f6f511df10fd426e432685

Download Submit
C:\Windows\Temp\{BEC671C9-A094-47D1-B87B-9763AB3AE319}\.ba\thm.wxl

Filesize
2KB

MD5
fbfcbc4dacc566a3c426f43ce10907b6

SHA1
63c45f9a771161740e100faf710f30eed017d723

SHA256
70400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce

SHA512
063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e

Download Submit
C:\Windows\Temp\{BEC671C9-A094-47D1-B87B-9763AB3AE319}\.ba\thm.xml

Filesize
8KB

MD5
f62729c6d2540015e072514226c121c7

SHA1
c1e189d693f41ac2eafcc363f7890fc0fea6979c

SHA256
f13bae0ec08c91b4a315bb2d86ee48fade597e7a5440dce6f751f98a3a4d6916

SHA512
cbbfbfa7e013a2b85b78d71d32fdf65323534816978e7544ca6cea5286a0f6e8e7e5ffc4c538200211f11b94373d5658732d5d8aa1d01f9ccfdbf20f154f1471

Download Submit
C:\Windows\Temp\{BEC671C9-A094-47D1-B87B-9763AB3AE319}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
d0cbbe859fbb7c25dd5158e0f45d3682

SHA1
9c2f0b8379976fda1b46aa8c4a4a27b6f824b659

SHA256
97aef328363e120e786841903bb51a17547aa84f64d5d3525940ec5a69b9a627

SHA512
7ad84ae54668c07033ad100bc101fd0bf0b0783a1dd1f018d241097e167328b8e87cc15e4c0b45859e1946d41ef7528f46ca3c44deccd8859f11274d9e4189b6

Download Submit
C:\Windows\Temp\{BEC671C9-A094-47D1-B87B-9763AB3AE319}\cab5046A8AB272BF37297BB7928664C9503

Filesize
955KB

MD5
3d14b0e254ea96fef419e6da38eb25e4

SHA1
93341ef98a0e2ae2cccc7e467af23bcc477d9a5c

SHA256
8717dc81d0345d8b81aa85e776fd3e0e6010dba974bf0f5660071e6d680c4526

SHA512
64a656648c16aa78ed74196e327126f6a9eb5d89052cdcd8f83eb655842e41c4f42be7f61541371f36ce322d208d1d707f485e99a79aa799fad7fd2c51553811

Download Submit
C:\Windows\Temp\{BEC671C9-A094-47D1-B87B-9763AB3AE319}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
d5a907e3b279f26804af0c56b0c65d52

SHA1
63bf7f0afd12ef21781dc14dd3b14c59d9e66518

SHA256
401ffa2ef4f070e211ef3f6e4f8a2a7af2bc9ea0119bbacad040669ab6221bba

SHA512
8d23fed4d26f0e2d1e40d5993ab2f588be1e7873cbcbe2064351ca8ef705bf74535225e9d0c2adf93fabfd45691077c7abb3991a013c8b4b234b9751c991f327

Download Submit
C:\Windows\Temp\{BEC671C9-A094-47D1-B87B-9763AB3AE319}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
e312d6be7dee2b8f3737e0a1bc92e3aa

SHA1
72487572a3f8b8eff93489997c8a5041ea7a6867

SHA256
d48c8e848a219bceb638b2505132756cb908703fe75dee78bdf475435420dc49

SHA512
b39a0c18aa242887e3f9ae3d49bc9d6765ce15097718964cccd86b824d13481cbd53175105db29d17e3a08f74fe4d20dfb3f9989eca5276c3f5fbb255b80f8ae

Download Submit
C:\Windows\Temp\{C6E6970F-D12E-46A9-8AD4-857EAFB62537}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
b73be38096eddc4d427fbbfdd8cf15bd

SHA1
534f605fd43cc7089e448e5fa1b1a2d56de14779

SHA256
ab1164dcaf6c7d7d4905881f332a7b6f854be46e36b860c44d9eedc96ab6607a

SHA512
5af779926d344bc7c4140725f90cddad5eb778f5ca4856d5a31a6084424964d205638815eab4454e0ea34ea56fafca19fadd1eb2779dc6b7f277e4e4ce4b1603

Download Submit
memory/5012-912-0x0000024D46F40000-0x0000024D47A01000-memory.dmp

Filesize
10.8MB

Download