51eb9c64889408fb5d3ade288b46686fb3690c6887bace384f8576f10ef9587e

Analysis

max time kernel
291s
max time network
272s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-03-2024 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Icecream Video Editor Pro 3.17 Multilingual/video_editor_setup.exe
Size

69.0MB
MD5

c12e8a3bf193761868dd5319882988ab
SHA1

8032f1de9dfc3d97b00f60ca2d71e849323809f1
SHA256

5ecc3788aae277215f073973999b46a04dea04a30f3f5e62b6db0643eff42963
SHA512

025b79d672eeaea92128e798a273fccb04dd33e021755e4eb06bef14266fbae0abf3f3d2ce6de64bebc53a5094947dac120a044b979ed19c2c9e457c1a514600
SSDEEP

1572864:vcvu1/X53E/MVlc+nCrvVCn0SRi/MfnP00cFVLPAtuxrTlAAPk6V/xkMGo:EGH0/MtmvVoFRiYUFVcWTlZPkKiMGo

Score

4^/10

discovery persistence

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\api-ms-win-core-errorhandling-l1-1-0.dll	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-S1OL5.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-NOARI.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\translations\is-7QOQ4.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-A4V6S.tmp	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\CrashSender1403.exe	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\api-ms-win-core-handle-l1-1-0.dll	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\uservice.exe	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\Qt5Gui.dll	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-LDPBC.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-VSETA.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-V6GTK.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\imageformats\is-8GEU3.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\translations\is-BPRC4.tmp	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\api-ms-win-core-processthreads-l1-1-1.dll	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\platforms\qwindows.dll	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-9K8TI.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\translations\is-ECJ99.tmp	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\imageformats\qicns.dll	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-6S6JT.tmp	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\openh264.dll	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-KP5LD.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-46JTN.tmp	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\api-ms-win-core-libraryloader-l1-1-0.dll	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\unins000.dat	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-4OGJO.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-T23G7.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\imageformats\is-EG6C9.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\imageformats\is-JAEA9.tmp	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\imageformats\qgif.dll	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-2Q9M2.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-IJOV2.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-3JTC4.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-8RR24.tmp	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\api-ms-win-core-processenvironment-l1-1-0.dll	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-JVJAI.tmp	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\avutil-57.dll	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-S43IP.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-MFRPM.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-2Q1U2.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\translations\is-21ANV.tmp	video_editor_setup.tmp
File created	C:\Program Files\Common Files\WebM Project\webmmf\webmmfsource64.dll	install_webmmf.exe
File opened for modification	C:\Program Files\Common Files\WebM Project\webmmf\webmmfvp8dec64.dll	install_webmmf.exe
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-G3E03.tmp	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\Qt5Widgets.dll	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-AMP59.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-7JV76.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-BDU4V.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\translations\is-LDON0.tmp	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\unins000.dat	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\msvcp140_codecvt_ids.dll	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\msvcp140_1.dll	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-UI3NP.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-8A5RN.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-PD7V0.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\unins000.msg	video_editor_setup.tmp
File created	C:\Program Files (x86)\Common Files\WebM Project\webmmf\webmmfvorbisdec32.dll	install_webmmf.exe
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\api-ms-win-core-memory-l1-1-0.dll	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-AVMBI.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\is-R0DCS.tmp	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\translations\is-QPNF0.tmp	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\styles\qwindowsvistastyle.dll	video_editor_setup.tmp
File opened for modification	C:\Program Files (x86)\Icecream Video Editor 3\imageformats\qjpeg.dll	video_editor_setup.tmp
File created	C:\Program Files (x86)\Icecream Video Editor 3\imageformats\is-05C5H.tmp	video_editor_setup.tmp

Executes dropped EXE 2 IoCs

pid	Process
4212	video_editor_setup.tmp
416	install_webmmf.exe

Loads dropped DLL 7 IoCs

pid	Process
416	install_webmmf.exe
416	install_webmmf.exe
416	install_webmmf.exe
416	install_webmmf.exe
3680	regsvr32.exe
488	regsvr32.exe
2316	regsvr32.exe

Registers COM server for autorun 1 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311111-5211-11DF-94AF-0026B977EEAA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311111-5211-11DF-94AF-0026B977EEAA}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311130-5211-11DF-94AF-0026B977EEAA}\InprocServer32\ = "C:\\Program Files\\Common Files\\WebM Project\\webmmf\\webmmfvorbisdec64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311120-5211-11DF-94AF-0026B977EEAA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311120-5211-11DF-94AF-0026B977EEAA}\InprocServer32\ = "C:\\Program Files\\Common Files\\WebM Project\\webmmf\\webmmfvp8dec64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311111-5211-11DF-94AF-0026B977EEAA}\InprocServer32\ = "C:\\Program Files\\Common Files\\WebM Project\\webmmf\\webmmfsource64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311130-5211-11DF-94AF-0026B977EEAA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311130-5211-11DF-94AF-0026B977EEAA}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311120-5211-11DF-94AF-0026B977EEAA}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral3/files/0x000100000002a860-238.dat	nsis_installer_1
behavioral3/files/0x000100000002a860-238.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaFoundation\Transforms\Categories\d6c02d4b-6833-45b4-971a-05a4b04bab91	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebM Media File\ = "WebM Media File"	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVp8Dec	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaFoundation\Transforms\ed311120-5211-11df-94af-0026b977eeaa	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED311130-5211-11DF-94AF-0026B977EEAA}\InprocServer32\ThreadingModel = "Both"	install_webmmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVorbisDec\CurVer\ = "Webm.MfVorbisDec.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311111-5211-11DF-94AF-0026B977EEAA}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED311120-5211-11DF-94AF-0026B977EEAA}\ = "WebM MF VP8 Decoder Transform"	install_webmmf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\ed311120-5211-11df-94af-0026b977eeaa\OutputTypes = 7669647300001000800000aa00389b714e56313200001000800000aa00389b717669647300001000800000aa00389b715956313200001000800000aa00389b717669647300001000800000aa00389b714959555600001000800000aa00389b71	install_webmmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED311120-5211-11DF-94AF-0026B977EEAA}\InprocServer32\ThreadingModel = "Both"	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVp8Dec.1\CLSID	install_webmmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVp8Dec\ = "WebM MF VP8 Decoder Transform"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVp8Dec.1\CLSID\ = "{ED311120-5211-11DF-94AF-0026B977EEAA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaFoundation\Transforms\Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED311111-5211-11DF-94AF-0026B977EEAA}	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVorbisDec\CurVer	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED311111-5211-11DF-94AF-0026B977EEAA}\InprocServer32	install_webmmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED311130-5211-11DF-94AF-0026B977EEAA}\ = "WebM MF Vorbis Decoder Transform"	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVorbisDec	install_webmmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED311120-5211-11DF-94AF-0026B977EEAA}\ProgID\ = "Webm.MfVp8Dec.1"	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED311120-5211-11DF-94AF-0026B977EEAA}\InprocServer32	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVorbisDec\CLSID	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\ed311130-5211-11df-94af-0026b977eeaa\OutputTypes = 6175647300001000800000aa00389b710300000000001000800000aa00389b71	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311130-5211-11DF-94AF-0026B977EEAA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311130-5211-11DF-94AF-0026B977EEAA}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaFoundation\Transforms\ed311130-5211-11df-94af-0026b977eeaa\InputTypes = 6175647300001000800000aa00389b710bd12f8d41586b4a8905588fec1aded9	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311120-5211-11DF-94AF-0026B977EEAA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVp8Dec\CurVer\ = "Webm.MfVp8Dec.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVp8Dec.1\ = "WebM MF VP8 Decoder Transform"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVp8Dec.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED311111-5211-11DF-94AF-0026B977EEAA}\ = "WebM MF Byte-Stream Handler"	install_webmmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVorbisDec\CurVer\ = "Webm.MfVorbisDec.1"	install_webmmf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4181651180-3163410697-3990547336-1000_Classes\.webm\ = "WebM Media File"	install_webmmf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaFoundation\Transforms\ed311120-5211-11df-94af-0026b977eeaa\OutputTypes = 7669647300001000800000aa00389b714e56313200001000800000aa00389b717669647300001000800000aa00389b715956313200001000800000aa00389b717669647300001000800000aa00389b714959555600001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaFoundation\Transforms\Categories\d6c02d4b-6833-45b4-971a-05a4b04bab91\ed311120-5211-11df-94af-0026b977eeaa	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\ed311120-5211-11df-94af-0026b977eeaa\InputTypes = 7669647300001000800000aa00389b715650383000001000800000aa00389b71	install_webmmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311120-5211-11DF-94AF-0026B977EEAA}\ = "WebM MF VP8 Decoder Transform"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVp8Dec\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED311130-5211-11DF-94AF-0026B977EEAA}\VersionIndependentProgID\ = "Webm.MfVorbisDec"	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms	install_webmmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED311120-5211-11DF-94AF-0026B977EEAA}\VersionIndependentProgID\ = "Webm.MfVp8Dec"	install_webmmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebM Media File\shell\open\command\ = "\"C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe\" \"%1\""	install_webmmf.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\ed311130-5211-11df-94af-0026b977eeaa\InputTypes = 6175647300001000800000aa00389b710bd12f8d41586b4a8905588fec1aded9	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\Categories\9ea73fb4-ef7a-4559-8d5d-719d8f0426c7\ed311130-5211-11df-94af-0026b977eeaa	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\ed311120-5211-11df-94af-0026b977eeaa	install_webmmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVorbisDec.1\ = "WebM MF Vorbis Decoder Transform"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVp8Dec\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WebM Media File\shell\ = "open"	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVorbisDec.1\CLSID	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\Categories	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebM Media File\DefaultIcon	install_webmmf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\ed311130-5211-11df-94af-0026b977eeaa\MFTFlags = "1"	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ED311120-5211-11DF-94AF-0026B977EEAA}	install_webmmf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\ed311120-5211-11df-94af-0026b977eeaa\MFTFlags = "1"	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MediaFoundation\Transforms\Categories\9ea73fb4-ef7a-4559-8d5d-719d8f0426c7\ed311130-5211-11df-94af-0026b977eeaa	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311120-5211-11DF-94AF-0026B977EEAA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVp8Dec\CLSID\ = "{ED311120-5211-11DF-94AF-0026B977EEAA}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WebM Media File	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVorbisDec\CLSID	install_webmmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVp8Dec\CurVer\ = "Webm.MfVp8Dec.1"	install_webmmf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311111-5211-11DF-94AF-0026B977EEAA}\ = "WebM MF Byte-Stream Handler"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Webm.MfVp8Dec.1\ = "WebM MF VP8 Decoder Transform"	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\MediaFoundation\Transforms\Categories\d6c02d4b-6833-45b4-971a-05a4b04bab91	install_webmmf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{ED311111-5211-11DF-94AF-0026B977EEAA}	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4212	video_editor_setup.tmp
4212	video_editor_setup.tmp
688	msedge.exe
688	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
2360	msedge.exe
2360	msedge.exe
2008	identity_helper.exe
2008	identity_helper.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe
4904	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4212	video_editor_setup.tmp
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe
3492	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3712 wrote to memory of 4212	3712	video_editor_setup.exe	78
PID 3712 wrote to memory of 4212	3712	video_editor_setup.exe	78
PID 3712 wrote to memory of 4212	3712	video_editor_setup.exe	78
PID 4212 wrote to memory of 416	4212	video_editor_setup.tmp	79
PID 4212 wrote to memory of 416	4212	video_editor_setup.tmp	79
PID 4212 wrote to memory of 416	4212	video_editor_setup.tmp	79
PID 416 wrote to memory of 3680	416	install_webmmf.exe	81
PID 416 wrote to memory of 3680	416	install_webmmf.exe	81
PID 416 wrote to memory of 488	416	install_webmmf.exe	82
PID 416 wrote to memory of 488	416	install_webmmf.exe	82
PID 416 wrote to memory of 2316	416	install_webmmf.exe	83
PID 416 wrote to memory of 2316	416	install_webmmf.exe	83
PID 4212 wrote to memory of 3492	4212	video_editor_setup.tmp	84
PID 4212 wrote to memory of 3492	4212	video_editor_setup.tmp	84
PID 3492 wrote to memory of 4996	3492	msedge.exe	85
PID 3492 wrote to memory of 4996	3492	msedge.exe	85
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 2020	3492	msedge.exe	86
PID 3492 wrote to memory of 688	3492	msedge.exe	87
PID 3492 wrote to memory of 688	3492	msedge.exe	87
PID 3492 wrote to memory of 1108	3492	msedge.exe	88
PID 3492 wrote to memory of 1108	3492	msedge.exe	88
PID 3492 wrote to memory of 1108	3492	msedge.exe	88
PID 3492 wrote to memory of 1108	3492	msedge.exe	88
PID 3492 wrote to memory of 1108	3492	msedge.exe	88
PID 3492 wrote to memory of 1108	3492	msedge.exe	88

C:\Users\Admin\AppData\Local\Temp\Icecream Video Editor Pro 3.17 Multilingual\video_editor_setup.exe
"C:\Users\Admin\AppData\Local\Temp\Icecream Video Editor Pro 3.17 Multilingual\video_editor_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3712
- C:\Users\Admin\AppData\Local\Temp\is-1EBV2.tmp\video_editor_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1EBV2.tmp\video_editor_setup.tmp" /SL5="$700DA,71765481,232448,C:\Users\Admin\AppData\Local\Temp\Icecream Video Editor Pro 3.17 Multilingual\video_editor_setup.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Users\Admin\AppData\Local\Temp\is-EORQ0.tmp\install_webmmf.exe
    "C:\Users\Admin\AppData\Local\Temp\is-EORQ0.tmp\install_webmmf.exe" /S
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:416
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Common Files\WebM Project\webmmf\webmmfsource64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:3680
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Common Files\WebM Project\webmmf\webmmfvorbisdec64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:488
  - - C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\Common Files\WebM Project\webmmf\webmmfvp8dec64.dll"
      4⤵
      Loads dropped DLL
      Registers COM server for autorun
      Modifies registry class
      PID:2316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://icecreamapps.com/Video-Editor/thankyou.html?v=3.17
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd540d3cb8,0x7ffd540d3cc8,0x7ffd540d3cd8
      4⤵
      PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,16106127613819084283,6060673447410546085,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
      4⤵
      PID:2020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,16106127613819084283,6060673447410546085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,16106127613819084283,6060673447410546085,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
      4⤵
      PID:1108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16106127613819084283,6060673447410546085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
      4⤵
      PID:2932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16106127613819084283,6060673447410546085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
      4⤵
      PID:4972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16106127613819084283,6060673447410546085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
      4⤵
      PID:4208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16106127613819084283,6060673447410546085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
      4⤵
      PID:3532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,16106127613819084283,6060673447410546085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2360
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16106127613819084283,6060673447410546085,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
      4⤵
      PID:2496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,16106127613819084283,6060673447410546085,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
      4⤵
      PID:2060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,16106127613819084283,6060673447410546085,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4000 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1872,16106127613819084283,6060673447410546085,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5148 /prefetch:8
      4⤵
      PID:572
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,16106127613819084283,6060673447410546085,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\WebM Project\webmmf\webmmfsource32.dll

Filesize
327KB

MD5
5a4aecb37c68f77040d4455a37b88617

SHA1
321211f97da1c02e72ae08181f1365abe76f8875

SHA256
5bc05bb2af53519316381a691ae2e223579319f8827ed2635568d8be3e89b484

SHA512
ea29309ad4456d52b9b0004e26e58e1bbad1514c15270c7aa3bf2366053b24dec3cd391bd4ff741d6693115d3ec140414ec307a748ecfeab5bf609d85f0b3f2f

Download Submit
C:\Program Files (x86)\Common Files\WebM Project\webmmf\webmmfvorbisdec32.dll

Filesize
329KB

MD5
83030f92d7ecce3a68092a0d283b2ab5

SHA1
7ff418192c8ef65a00c295554646cc3f9cc84add

SHA256
2f4c39a93eba890f144bc3921c082e6a93834814d495518788efc72de5fa9923

SHA512
cff3d657e61ebdf42f0bdf3ae6ab883ee579f90df8f8d4ce51d71f5043471011a0ab48fe21a7160f5bc84130b9d969716a66c53f0e9ac0926684f67cab537405

Download Submit
C:\Program Files (x86)\Common Files\WebM Project\webmmf\webmmfvp8dec32.dll

Filesize
377KB

MD5
f21b43d6e09e9ab36bc288ddec600bfc

SHA1
32f20a744029dfaf771b2eda957898cb33abe2d8

SHA256
f27b43bbae0c376e750f700665ebb0c2300f3a8d5e77f288fa5544e4041adef5

SHA512
5b28ca3d91928bb38131aa3af7f76ecff248c9c4324242bdcbd45b5ee59050e2288c5acaad9cf413178dab0288e692be2a6513f58320cc03f64871bbc9c7fd07

Download Submit
C:\Program Files (x86)\Icecream Video Editor 3\videoeditor.exe

Filesize
7.5MB

MD5
df5e7bcb6a01f01888ff4d46693da06a

SHA1
5c8fa3382458fa336ce64f2dee43c9f1f08361cf

SHA256
e8c50267ab6dc7cf4fec9cc94e1a4815fafdd1cea0d7fc1732af73286202c677

SHA512
ccd9a7f7698fd8ba7413d11b19689d246e9311ad35196b518f9ba75ae84f764e56ed968c008a4943e70711bad0f5448d69f618f8d84c75ab6e0ba09c06dfc8c0

Download Submit
C:\Program Files\Common Files\WebM Project\webmmf\webmmfsource64.dll

Filesize
218KB

MD5
0fc60ac80e2c1de2f7807d3b90bd2a1a

SHA1
046eecb532a7fbe25cfe03a1e95bdb5f4a481275

SHA256
5ef9beaf9df4c66f0522609fbd49d8c53f11bdf93573eb1da367e31a6a69af59

SHA512
c01185d97c30d39d79a36f822eb37b2807623b9acdb7691cb7f8d3ed1212690d5d3c60106e536af17d0f0dc37fd9116fce7b33ec467c11bd9e96daf399db8a4e

Download Submit
C:\Program Files\Common Files\WebM Project\webmmf\webmmfvorbisdec64.dll

Filesize
343KB

MD5
6c951bf14543d253131bd9f7478286fe

SHA1
a18b2b50f7c378747f090d94b293f02f9c5cf955

SHA256
fb7099c4221a09daa98c43223b5fbfc8572dda1bca7b3ec24d9f2d55c6925a83

SHA512
08d6ae3b782537a7fe87ccae2a9accd4a25eedf77b7321f19644785364b2e45709d42e3d98ffeea48b8444858ec17b92c5ec35b093312f54c84767e10c8cf460

Download Submit
C:\Program Files\Common Files\WebM Project\webmmf\webmmfvp8dec64.dll

Filesize
411KB

MD5
f18a9cfc088243448f873b4cf30384bf

SHA1
e64b2561c0aff950d7be281fc18d23d7c84afe41

SHA256
96f5961b125445e9fcb612a5266f8e34c3503e9b720b70c56d33e71085c9ffe0

SHA512
fcefcbbba91b8b491ab4b90d3b360fc6feafa03831b0a859e92c52679a94f3cb21ff55623f4ecbff875e08bf2619f5a0288f5a1dade95006b520a5e02f99d45e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0e10a8550dceecf34b33a98b85d5fa0b

SHA1
357ed761cbff74e7f3f75cd15074b4f7f3bcdce0

SHA256
5694744f7e6c49068383af6569df880eed386f56062933708c8716f4221cac61

SHA512
fe6815e41c7643ddb7755cc542d478814f47acea5339df0b5265d9969d02c59ece6fc61150c6c75de3f4f59b052bc2a4f58a14caa3675daeb67955b4dc416d3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3b1e59e67b947d63336fe9c8a1a5cebc

SHA1
5dc7146555c05d8eb1c9680b1b5c98537dd19b91

SHA256
7fccd8c81f41a2684315ad9c86ef0861ecf1f2bf5d13050f760f52aef9b4a263

SHA512
2d9b8f574f7f669c109f7e0d9714b84798e07966341a0200baac01ed5939b611c7ff75bf1978fe06e37e813df277b092ba68051fae9ba997fd529962e2e5d7b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2e553cd1-723c-47f0-afa8-b3d13248204a.tmp

Filesize
1KB

MD5
7e5bcc499109e3d446945b21b4fe320f

SHA1
6c59ff5c50eda695c9488b26d2fcab3456381833

SHA256
20d9abaf20b0e33fc9ca3025da8e70f3a050487b39edd073648a2ecc2359a0d9

SHA512
4a0efef53bba66f8b7363e5ad5204898cbf6482740d27d4cb05cf9d145ba2d106389710554c832733a0c001d771b2761cb5a4ff183ea93ca4456cc95b52b88a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
ed02cf16a19b26953d80096099c20b72

SHA1
05dc32cf66a5fdb2d4fea952e53dc8924fadef91

SHA256
b29bc74b9ee7a22e08568f1406a0b050b489dea6d605960bb79c4094487dbac5

SHA512
54b2c8ddc07699518110cd8560481a5a827c83b79f9b5c99d9a7ac11a36cc60da5db8d2496e0ab9013ad8e15bf04557419a95c1c6ac9366b8c8494448dd86950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7bf2fa413e2ad7356b5cde33fb92cb13

SHA1
ef6f01c4f39b116c250e4d84b1ab72698f985bbe

SHA256
362e1f404286c3003378f28a35608933ff93f59c5319a91a107590e957c481d0

SHA512
6765a880b8316cb170968e5decfddcee52b2756fbaaedb7b1e8234c9d853e032ac61975a5883f83db26d0d72795597a865a77efccaed0d8f6b2994db43d11695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2881a02fe02c348eb2c885fcd000e20b

SHA1
1533c8ce036ea5e18b819a10396e630d22915d6e

SHA256
e009fba2ae551024762471919254e4bd794ae2285d03ddffa731d63b455e399f

SHA512
1cd1fbcf69d5885bfed2a4dbd727735cea350ace7667a59ec9d7a92f89fd418e55d994403719e55ab50c7d757dc6ab88dde1b0996b08cba1acadac475331b05e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96448304d7b688061ba139d447106ee3

SHA1
0a5705b60e5da69142fb690f0b8f05798563cefe

SHA256
c3925b631b5a9f3293f94e49293891f0585336074bab23b19d5d354389b5d345

SHA512
35801371a7bda0087a20ff7ae20b038aa20282dd74a9e7cf9a3816357aae90204cafb7585b2d21e68220a1ddf3066cdddd4cdafc7ab27e3bf97966992f93c040

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
df47f270957e018e4d332d019c350837

SHA1
657f125f00a79c26b5eef5ed54701481f3b1246b

SHA256
0cb0d9337b7c518dd05bf6f9c629ba96b398441811b6b4efac0b14573804b170

SHA512
22b7c2a42ece0e2baca601b1bad4e46decab779c0dffa027e1a735f070a3d15020625c9a24df035ab437a3624abea1b9781d851d7c2457a05e5976b4cbba5fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1EBV2.tmp\video_editor_setup.tmp

Filesize
1.2MB

MD5
57014e8e67093872ae0b00209c9fd497

SHA1
0d8d5f8a9852a9b3955d56c989e5902206ec11cf

SHA256
6195f2bb53441db263a58a583bf803c59eaa277d15de191844c976473e7f8888

SHA512
31f69073a04dc8bab1762b622d41586957b0a40793590ebda22c06341ad0ec561e3ac5376b88a111bccc762c065eb39d6f401d6406a2ac9a160fce4be457fb1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EORQ0.tmp\install_webmmf.exe

Filesize
701KB

MD5
ae6b9ae87f88a6aca974d2eed932938a

SHA1
9705acae4a461b06bd68d4ddc349ca5365e79730

SHA256
958f249888e50cd54d8eee4dfb8203f7ec9d07205759b816237e1aed70542829

SHA512
57a8588855e15b35edf7960ef2242209566aee7fbc4d88150cadffb80b2f34668a037d1dfbea9287d39e5b4df00420d0c51a82efb848b20a4c8af052d37f6317

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxCCD7.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
memory/3712-0-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3712-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3712-2-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4212-272-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/4212-359-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/4212-335-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/4212-6-0x0000000002650000-0x0000000002651000-memory.dmp

Filesize
4KB

Download
memory/4212-9-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download