69a38c4eb697c9275bf7e847e5eb90365d7b7862f26e82286a71b18947c902ff

Analysis

max time kernel
126s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mod Organizer 2-6194-2-5-0-1701057391.exe
Size

134.2MB
MD5

ffebbce45ad4ab2ec509f6f1fe7470ed
SHA1

0a4bae0b161920cb3bab57db7063d02071f1ea15
SHA256

69a38c4eb697c9275bf7e847e5eb90365d7b7862f26e82286a71b18947c902ff
SHA512

d4fc61759f0a9c135a1d2a63ab068d0e52ad4721e3a5d15be974f10ee6500a2f5f6291da6d4ea8e1deb07e8ff423a669e8b2cbcd4c09df34d5ff53a702d9aebb
SSDEEP

3145728:xzNk496Nvt60nwjCAtxUIk0Z1NY5ORZ6RaQTi:xWnvt60iDkki+Z6RU

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

3224 powershell.exe
2384 powershell.exe
4776 powershell.exe
3352 powershell.exe
4412 powershell.exe
4492 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

Mod Organizer 2-6194-2-5-0-1701057391.tmpModOrganizer.exe

pid process

4380 Mod Organizer 2-6194-2-5-0-1701057391.tmp
3172 ModOrganizer.exe

pid	process
3224	powershell.exe
2384	powershell.exe
4776	powershell.exe
3352	powershell.exe
4412	powershell.exe
4492	powershell.exe

Loads dropped DLL 64 IoCs

Processes:

Mod Organizer 2-6194-2-5-0-1701057391.tmpModOrganizer.exe

pid	process
4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 39 IoCs

Processes:

ModOrganizer.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	ModOrganizer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	ModOrganizer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	ModOrganizer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	ModOrganizer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	ModOrganizer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	ModOrganizer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	ModOrganizer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	ModOrganizer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	ModOrganizer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	ModOrganizer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 5600310000000000ab58355510004d6f6464696e6700400009000400efbeab583555ab584e552e0000004e32020000000c000000000000000000000000000000c74990004d006f006400640069006e006700000016000000	ModOrganizer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a00310000000000ab58495510004d4f3200380009000400efbeab583555ab584e552e0000004f320200000009000000000000000000000000000000c7fb0d004d004f003200000012000000	ModOrganizer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	ModOrganizer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	ModOrganizer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	ModOrganizer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	ModOrganizer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	ModOrganizer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	ModOrganizer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	ModOrganizer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	ModOrganizer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	ModOrganizer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	ModOrganizer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	ModOrganizer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	ModOrganizer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	ModOrganizer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	ModOrganizer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	ModOrganizer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	ModOrganizer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	ModOrganizer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	ModOrganizer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	ModOrganizer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	ModOrganizer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	ModOrganizer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	ModOrganizer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	ModOrganizer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	ModOrganizer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	ModOrganizer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	ModOrganizer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	ModOrganizer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

ModOrganizer.exe

pid process

3172 ModOrganizer.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeMod Organizer 2-6194-2-5-0-1701057391.tmpModOrganizer.exe

pid	process
4492	powershell.exe
4492	powershell.exe
3224	powershell.exe
3224	powershell.exe
2384	powershell.exe
2384	powershell.exe
2384	powershell.exe
4776	powershell.exe
4776	powershell.exe
4776	powershell.exe
3352	powershell.exe
3352	powershell.exe
3352	powershell.exe
4412	powershell.exe
4412	powershell.exe
4412	powershell.exe
4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp
4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp
3172	ModOrganizer.exe
3172	ModOrganizer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

ModOrganizer.exe

pid process

3172 ModOrganizer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeModOrganizer.exe

description	pid	process
Token: SeDebugPrivilege	4492	powershell.exe
Token: SeDebugPrivilege	3224	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	4776	powershell.exe
Token: SeDebugPrivilege	3352	powershell.exe
Token: SeDebugPrivilege	4412	powershell.exe
Token: SeDebugPrivilege	3172	ModOrganizer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Mod Organizer 2-6194-2-5-0-1701057391.tmpModOrganizer.exe

pid process

4380 Mod Organizer 2-6194-2-5-0-1701057391.tmp
3172 ModOrganizer.exe

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

ModOrganizer.exe

pid	process
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe
3172	ModOrganizer.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

Mod Organizer 2-6194-2-5-0-1701057391.exeMod Organizer 2-6194-2-5-0-1701057391.tmp

description	pid	process	target process
PID 5004 wrote to memory of 4380	5004	Mod Organizer 2-6194-2-5-0-1701057391.exe	Mod Organizer 2-6194-2-5-0-1701057391.tmp
PID 5004 wrote to memory of 4380	5004	Mod Organizer 2-6194-2-5-0-1701057391.exe	Mod Organizer 2-6194-2-5-0-1701057391.tmp
PID 5004 wrote to memory of 4380	5004	Mod Organizer 2-6194-2-5-0-1701057391.exe	Mod Organizer 2-6194-2-5-0-1701057391.tmp
PID 4380 wrote to memory of 4492	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 4380 wrote to memory of 4492	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 4380 wrote to memory of 3224	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 4380 wrote to memory of 3224	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 4380 wrote to memory of 2384	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 4380 wrote to memory of 2384	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 4380 wrote to memory of 4776	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 4380 wrote to memory of 4776	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 4380 wrote to memory of 3352	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 4380 wrote to memory of 3352	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 4380 wrote to memory of 4412	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 4380 wrote to memory of 4412	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	powershell.exe
PID 4380 wrote to memory of 3172	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	ModOrganizer.exe
PID 4380 wrote to memory of 3172	4380	Mod Organizer 2-6194-2-5-0-1701057391.tmp	ModOrganizer.exe

C:\Users\Admin\AppData\Local\Temp\Mod Organizer 2-6194-2-5-0-1701057391.exe
"C:\Users\Admin\AppData\Local\Temp\Mod Organizer 2-6194-2-5-0-1701057391.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5004

C:\Users\Admin\AppData\Local\Temp\is-G6Q3G.tmp\Mod Organizer 2-6194-2-5-0-1701057391.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G6Q3G.tmp\Mod Organizer 2-6194-2-5-0-1701057391.tmp" /SL5="$C003C,139785235,822784,C:\Users\Admin\AppData\Local\Temp\Mod Organizer 2-6194-2-5-0-1701057391.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath "\"C:\Modding\MO2\""
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionPath "\"C:\Users\Admin\AppData\Local\ModOrganizer\""
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionProcess "ModOrganizer.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionProcess "usvfs_proxy_x86.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionProcess "usvfs_proxy_x64.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" Add-MpPreference -ExclusionProcess "nxmhandler.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Modding\MO2\ModOrganizer.exe
"C:\Modding\MO2\ModOrganizer.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3776 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Modding\MO2\ModOrganizer.exe
Filesize
4.7MB

MD5
ad741539da7f8528c4b7f8ddd9f34834

SHA1
8dd5b5330706e22e3c9aa0f18857abe5a015d6f8

SHA256
80ac43549d7e15249a5cba2f1e8509612b229ffc0e949a6b940137d87c27c226

SHA512
9a9899df9f2064ee21f0134c1d8ae3b7dbe8a57dbc20511da95be3f086c4420b97ea620c98d26d467449539b0dbf5ed8f43429e523b1b32990121a7f619ca814

Download Submit
C:\Modding\MO2\dlls\Qt6Concurrent.dll
Filesize
34KB

MD5
0126bdd26351b543ce386c0746888d7d

SHA1
234489549a120f2d3df42cd7406d79ccc439bb15

SHA256
715f7bfb77f7beadd6e1938884e8d38967d67c3d938bab31bdb943e214076572

SHA512
3c456ccaf0340259f92099a5c3823246194428fdd60cf541a1255c04976fea3e0262fbad3acca589a72857ec87e71dbfaa82e3c49c4993752be10f7a60070af4

Download Submit
C:\Modding\MO2\dlls\Qt6Core.dll
Filesize
5.5MB

MD5
a42d8142092885a83fc779f660466a0c

SHA1
106232efdb591364a78638f27fc2067717a65868

SHA256
abf826a5763c4b3517258f07060a7a93f4d47ae14f79253304dc2a4dbe0d98a2

SHA512
8ffbb942f996bb89b871b73494c0a9b913316e6440e263b3416604ac294cf987039db979f55aa61c34869a101cbc6a9db0323aee71a847840ace4e652639f98c

Download Submit
C:\Modding\MO2\dlls\Qt6Gui.dll
Filesize
7.4MB

MD5
b8f3c8eeaa963fd96c12fa36c5af6593

SHA1
64513814ebc555121a83102e27649f710c9fc37f

SHA256
d2da55714d56e0af7c033fd0a84dd1dcd669e976abc07861e70b054c7d08c01e

SHA512
b8d8cfe1f58bc77b8e90fb80996223b7df075113c113a2016b15840a04eb36a5cc687639ab267af5bec6185f5ca4d5b847e9ec3c2cc9ff38f9144852c2e94a42

Download Submit
C:\Modding\MO2\dlls\Qt6Network.dll
Filesize
1.3MB

MD5
4d101c62f1b454b432e66b29683b684a

SHA1
af7d8a756eaa146f8284f71a09a06a8f3f0fb0d0

SHA256
ad92ea3b43d4602b554a50d18d739ee2ee9fcaf47ac82f30aa8143f82fbea932

SHA512
681c80fa9388b8f4dafb5db651dda853bf7031b4ad3442d19d5c18946a90269c691fe9a36e89236c285d1a5f4f3bc44e8d52a0ccb0c459afc24203d4a5a88f20

Download Submit
C:\Modding\MO2\dlls\Qt6OpenGL.dll
Filesize
1.8MB

MD5
cc057c650bc4d5e2f893e271a784150f

SHA1
4ec6e75775a0b28a7b0712dedbc8f8268dbf62bd

SHA256
35fe1c213c8a6b596e07674c3eba080845aef783d8241aaecbc59de3c13d13ca

SHA512
678b930d784a4368dc935c319a63b1c435d4a81e90cf86d0437a81898f11738dadb2511493f8e56156762deffd5faecc938887c866226b22fa4f67bb187ad197

Download Submit
C:\Modding\MO2\dlls\Qt6Positioning.dll
Filesize
471KB

MD5
eee3fa4d45a21736c9fedc6ede0905f7

SHA1
ec59352b5b20cc7b6b00616005875385e8316b40

SHA256
d3c9b15cb8f7245b955bc150fbeaac69108b2991db735d7cc2b0e0c26de09e3f

SHA512
0f793c8512bfc66bf6b2f7e97e3a449aea0b73bc1642735980517bcd5952426c7cf67abdf2d5e04bd67673ae96a5bbb145e6705c9bec3117f391d7ea92e27adb

Download Submit
C:\Modding\MO2\dlls\Qt6PrintSupport.dll
Filesize
385KB

MD5
6bd09ef9485b41d2f10c6ae6c5c048b7

SHA1
02edec88870273fe24e135db7672a14792a02341

SHA256
27990e4a027e8523873d6f845466a31a83048f48d32ac5e9f8b1c24bed0b453f

SHA512
5ef719fa750ba4b75054fa54ba3b78f0dcebfbe3b9ab02d461931b049b162e08c8c9a0a67ed4a225b1438c968eeded76688f6020d9e24b7d55d1eeb925d8d7ff

Download Submit
C:\Modding\MO2\dlls\Qt6Qml.dll
Filesize
4.4MB

MD5
78eb120c81df5606e8c753cc2fc13a04

SHA1
e4ed29d8ba4a10fe7b04f549d425f80a530cc8f4

SHA256
7f15ebaf44115ac977f6424356a4bb227efc1069779a949c21dba6b4fb770a0c

SHA512
74b0b19c1ef518b692ba90dc93bcd9b4a2830686e8a85c7cf3585fe384501dc5ceb639fda80ae104e7467583928926170251388b071d1334f074ced30f8ef0f4

Download Submit
C:\Modding\MO2\dlls\Qt6QmlModels.dll
Filesize
667KB

MD5
69534773867ec67b7f9878c98381c4ae

SHA1
a80ebe1aace97c9bef9e8e889c40716f126d63ea

SHA256
0d093f7a794d9690e68123efa1294757a1c04a4d528cb043bf6b2e14ab2fd507

SHA512
70268390676ef29ea6fe0d6366e140efdd4f592216df101bb0c25746ae50c7d424ad7fa89546ae6ec59d6550ef6dffc580a6da1d469f52b4655ed5ca8975609a

Download Submit
C:\Modding\MO2\dlls\Qt6Quick.dll
Filesize
5.0MB

MD5
447f2ce51fe0c0e7a4c593f87186723c

SHA1
7a9feaa055534994efae4f14c07909a799c95415

SHA256
bd6fdfb8f64e1273397b8985e9b538fffbb840360ebf9b01be6e20a76f71f73d

SHA512
00dcce8851065e123a68482d9b975a9bd561a0ab9ed012bfe55ca95c6ad8cb5cdb7ad543ccfa6bb363ee335fbcbaeff1e5466b6930f30cca8c4c73bd3bca714a

Download Submit
C:\Modding\MO2\dlls\Qt6QuickWidgets.dll
Filesize
110KB

MD5
efa460e18dbbd4856e7a8386349a0d8c

SHA1
602fa67d8d27770a7d9b866a04b15c523b9f21b2

SHA256
036bb47ac43441eb419662c7ccf509a994f673db1e2ff8a758e1367aa3d7ba37

SHA512
c8588c8bbf24495ee7a45a637e7955c19ba385e88cebcc2f3d8ed7af379b4572d30a8eafa8a3f95c8c977d57980a32149ee6bb0568f920bb72797b3ca2fd10ec

Download Submit
C:\Modding\MO2\dlls\Qt6WebChannel.dll
Filesize
248KB

MD5
dd73f19caf71f7b5f7c42fc7403d9c62

SHA1
7d915da78dab51806f42ff4634a4d9c2d00b87f4

SHA256
e64f2003db034afe021a1e87aedd38e01a1239b03a2ce96c7595c5bc54d3c0aa

SHA512
d4d1d66d294351aedd312ab7d408db8174ff80cd1a10a5d9262ac3500ba07b5a4581a1ee04f81c1d8942c50b41fea0fa904fb3f7ddcc8547b36aa4a1b1aa2f0e

Download Submit
C:\Modding\MO2\dlls\Qt6WebEngineWidgets.dll
Filesize
170KB

MD5
cd3500ddda592f652a8af5d8bd2af3b9

SHA1
8348e34f14bdb6e9450716c3f9f5337f04596fa3

SHA256
f43a1d32684dda770577e5b26dbe1087250b730615541113a94f226c93ff13cc

SHA512
4092dc77e6eb1eed1a4f837bf306e5f3a69acf91723f830458172340219419234d1703cefa1f79a015f49e77c4596be280014de968e8127a62f590e71da08a85

Download Submit
C:\Modding\MO2\dlls\Qt6WebSockets.dll
Filesize
196KB

MD5
8d810b4de286085986a2668436bcb55a

SHA1
19e8f86d494c37a3a3b8eb374fa6dc6bbff030d5

SHA256
68bc940b8dd442ee70c42fceabfbfb843592a148be2b125a8ad40bcd60ec94ed

SHA512
5fff163c7e0cec9c079faddd596fb1b78638e948f22a8e037fb10963fded904cf32da3825574051b2d3138bdab78b1d708c914175aeba3ef891d9e0df33069d1

Download Submit
C:\Modding\MO2\dlls\Qt6Widgets.dll
Filesize
5.8MB

MD5
c34ca583731d7fd60a9575aadfc0fbe2

SHA1
96e86d5eb5f7755dff0c71a52057d53d5af8a760

SHA256
37f8afad175e298e9cb2f4aaa33a0c1817f39cc0435afae7e160d0ea16d808da

SHA512
0c3137f0a3fa52a442e92cdfb9579f0be24a637c17ea6648701646c21c2a60ea156d4530f83cc532204ec6dd359e29d8d70ebd1fd6453dffbd3a225a86c18a97

Download Submit
C:\Modding\MO2\dlls\archive.dll
Filesize
206KB

MD5
fc5e89d142961c51539c8a1ce5dbbde1

SHA1
e57ae790463afd527b8c1a11bab0870a79745bff

SHA256
e68058f497602bb0719579aab6790115a093b2a3d0f100000c220d206fceef8f

SHA512
5f4794169b108468cb1c2596fecc41255169ae9542cadc7bd17a9e6283e655f73e6383510e3409c6fdf9ef8db9ad1822c3be6674de06814f2e9479fdcb061b5b

Download Submit
C:\Modding\MO2\dlls\libbsarch.dll
Filesize
2.0MB

MD5
26c4522601dc0ba58de70438f293d045

SHA1
aecba5add036896fcf9222996ef5d04fd2ce2bbe

SHA256
a7e552d027cbd6fe5fa407ab0272599be1c43d28c3a1026643178c2e839da25f

SHA512
851282c6fb132a7bc326f32b937cc66e66187ad73996d8e9bdc6536a44cb06b985676dfe5d42585bad34750d7e83ae3d7e28419c543557df26406b930281f103

Download Submit
C:\Modding\MO2\dlls\liblz4.dll
Filesize
118KB

MD5
0cf5434d1f11a2370409c2b1a0f46c0c

SHA1
26c7ce22792c90e0a3a6987c1b463b97aefdad7b

SHA256
33e2aada9d545756e5ebcff86bcfa0b91ed17008875ed4802c26a78bb6f724f4

SHA512
7179889c6305678cdf99a3f09698adbb66dc3ab583926dfea2594888d51c90d585a25d553508ff69241e3c08451b766e306b27065341e3196e39964713f55a58

Download Submit
C:\Modding\MO2\dlls\opengl32sw.dll
Filesize
19.7MB

MD5
22be32c27456eff9117b84b751608bf1

SHA1
bebf0c129a041a6a2cc24d3e55acf6bad2a896ea

SHA256
bca15d37fdd6dcec34a01459f7710a572b9eb7f6f8b5d382a8d66c65d65b16d5

SHA512
3b6b1f715e618c973e452c94beb0a8963fcc0c587edd3790c6dcb9c10cbd240857665b4cea419713879df07e886a6b0ff9199497f494df4855586e42a63877de

Download Submit
C:\Modding\MO2\platforms\qwindows.dll
Filesize
821KB

MD5
0404eeccb09fa3f382ce5252f71832b7

SHA1
1ef9226cbd6e39244b8bc326bd297fcdf89aa6e5

SHA256
2b4457c2bff34ef5897c899209a16a5a45bb6094bd6a0b604a0cea4df272fb77

SHA512
b418b006f85e14086793774b43cb9067dff391f5d29156b6b2e1246bcce4700e73ea89402b33c7fb96103ae6c05939260c32eb05f5e23574749d4d44b5cf0023

Download Submit
C:\Modding\MO2\plugins\bsa_extractor.dll
Filesize
168KB

MD5
29747207a905615b41aec2b1ad77717a

SHA1
f8ba3bc7298c8824fcea5ecb2d03427f2bb1e15d

SHA256
e4c2ad826d668946e371d69aa881aace88f71c6040daf382ee44c415252d43b2

SHA512
4b4efa1fd0abc4a6facb77a2020a6f6002d8d0b9b071f295f4294a23f9176991bc7b41d6cbf18af9ddbd1081422d59b81ca5db52359de0586aad16eedab6f6be

Download Submit
C:\Modding\MO2\plugins\bsa_packer.dll
Filesize
246KB

MD5
e1fc6276fd9dd820fa996494f26fc48c

SHA1
9a82af2d8cc01fb925c97db08c51437dd486a6e9

SHA256
421c95bde4f2105125ae99d229b8e5bc2781c6c85ac72652b0e2760c650f63ed

SHA512
d45e4d60c6455657d66a6081fbfce65ed22bd2321afe5922e80f93538a4d4a0baca6344ab369daae86954fa5e34c1a94c65b04536e5c662cf36cf0ff2e1243e5

Download Submit
C:\Modding\MO2\plugins\installer_wizard\lib\antlr4\error\is-GN49Q.tmp
Filesize
28B

MD5
5025560e7b6aaf7da18be5c9eaafddb8

SHA1
9852553fb683d73b97fc0793d45ac981822d2338

SHA256
82c9d076d4c7f085200a2554a507f3871c76a4546f92c5bbe928f0224ddf6129

SHA512
f6c7f92d5cc88956d8d384f97d7d9c51f07c8968977edca894d706104112b1a60eb5c2abc1a6a0846a8e1ae935ad2ef2682a9a0709c29a4c257ab7b72ad2d286

Download Submit
C:\Modding\MO2\plugins\installer_wizard\lib\chardet-5.2.0.dist-info\is-L0AV1.tmp
Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Modding\MO2\qml\QtQuick\Controls\Universal\is-63VNQ.tmp
Filesize
1KB

MD5
63340c8fcb71734ce4bbac29a86821b5

SHA1
0cfd02b3e95fa482cbd4bd83b0f2d9214acc9709

SHA256
78b5fc58e6d881d16351e92d32b8cadea6b14fbf8c20c1bc7e56d02946467ae8

SHA512
fe035bb77a32d0fe9d4983d90c65d4c2600a019ac20743dbec409f29ffbfbecd8bca2d15abfffb2e71b77e3c105e248627a176942cdf9d7b98ed9113e6f73ba0

Download Submit
C:\Modding\MO2\qml\QtQuick\Controls\Windows\is-HVJ2J.tmp
Filesize
215B

MD5
2006d4b7d0da455aa4c7414653c0018a

SHA1
6685b8360b97799aa4d6b18789bf84a343e9e891

SHA256
a96c7bf5832767bdc9d91e2290a3920aec3abfbf2e3814bce38b49483f16f84a

SHA512
703804e6fab0cf44317b7292c547a1348e2e7395e4b71367c32c3b097bcfb3344d3296179bf4ba33a4c752ae58a3873af57d8cdef35a34564205356bb4e6fd84

Download Submit
C:\Modding\MO2\styles\qwindowsvistastyle.dll
Filesize
138KB

MD5
d0b55c8de245f7cbab74845e79363764

SHA1
8a7bbac5eef0c1dc34bf506bcc6e80fe985a67af

SHA256
0af61f91b0b6f7ab8fa07efa6b8302ac4c968abe3fce3c09cebc28244c3149e6

SHA512
c9b61dfe2c1ee0a134426f7e5581af52c5af212faa4f1b1899bd2f108e2d529dfa7625975b9c520e16a06b7ac4ee0652e5fdb0060cdd1c49fade9b53028c8a53

Download Submit
C:\Modding\MO2\stylesheets\Paper\Light\Toolbar\is-LD5PM.tmp
Filesize
6KB

MD5
76babafdbbcaf4fc7678d13734c6abeb

SHA1
de88aff436509f1f9adaef52b74c9ceded5e4434

SHA256
c705366459c6d7f78e1f88286aba0d06b2734db8fc9d7ae91b3d32034879b440

SHA512
eab9cc976780137c0381981b08e6300ef3a2c1aa97d57c7294ae2d6756002bdfbeb94518f05204d5e8e4d20e112fa4e66fc8faec57d3bed1326c921e811b32c5

Download Submit
C:\Modding\MO2\stylesheets\Transparent-Style\Starfield\is-BHCS7.tmp
Filesize
226B

MD5
efe7e95bc3aa955e45d093239525d321

SHA1
6fc2a76b0e0a7efd8ce3bc926fd077fc3839361c

SHA256
484225e6610f9fdab1f7c217ed2a98567c5287785f1dbf264cc9bf55f990acac

SHA512
d9582fb34cba1e3cf31cb91e5e33487271df710336141ec31c5c0c8e17abac66f6bcdd121b3caa50680ec50a8c85d988565deec7f7adf06fe971218d43094037

Download Submit
C:\Modding\MO2\stylesheets\Transparent-Style\Starfield\is-EQCN7.tmp
Filesize
217B

MD5
dd54c7493117a47005abab57cf0462b4

SHA1
a108be01c4e8ad09dccf0ec19ad9317a859df38d

SHA256
eb5085354f04df39f56fa1b0adf2ce3fac5fbcd0bcb22624bbb78730f93bb7d4

SHA512
7d1fe9b7c856cdc40dd3afd44283fe98adb47c870eaaee6ed69af2b07b278d4c43c1f6feba8a6c9a7fb67df6bcff2cda84e572871c647df736336a3bcbc9af91

Download Submit
C:\Modding\MO2\stylesheets\Transparent-Style\Starfield\is-F79FG.tmp
Filesize
219B

MD5
8ed1109e1ca16283d5fd6d6f0b6b2154

SHA1
43a36180306b12cc89df8a30e8cff910140a8741

SHA256
2214bcafe812565643824ca4df6cecf763279cffa84dab02bc2d62a1bac21d06

SHA512
b83a4219c78cb49bdf20959467cfc7cffb790f0116b4c3a31475aba23bda18ce42e0a9f7829f92ade4f750ed3aa89aaa23d639451cfeba1f83c1c3b33ad67295

Download Submit
C:\Modding\MO2\stylesheets\Transparent-Style\Starfield\is-QDB6R.tmp
Filesize
218B

MD5
9a36c217d63cb84cfe10dc76c5f2df68

SHA1
ecc9cbec26bfa08b4d1e8e5be58403588a7f19b2

SHA256
95a45b41ebe19f5f3e4ddcbf9ce5c595ada45cd3eaa22a07ec3209fc037481a7

SHA512
c73290fe3deb589b8e856af864c0723b239d3cebe7908054669ed8129a85ab1d687280f0f077b886892b98ebae8d4ca54f3448be4b85571ad0b60e573afd11a6

Download Submit
C:\Modding\MO2\translations\is-G41RD.tmp
Filesize
33B

MD5
aaea7ba475c961f941d0a23488457beb

SHA1
2bf0054002c8f7d85dd080df332553bf9b3a8e26

SHA256
494ac9a2b2cb2fdeced353f4a9f898ed8dcf616e9bc667438c62681e3f7f79cf

SHA512
5b408c36c8f93f71e73e3d3b1c0c2ad699e92a6088604b8adf8e588e8a75fc3fc92828199b7f00f5b05b224ae819220d07e56d610a76a267594870bec77172be

Download Submit
C:\Modding\MO2\uibase.dll
Filesize
958KB

MD5
bf8ee1801e96290cadd22cd229ab2a8b

SHA1
83586fd54e0d22deff8d5e3bb07c6e43ceb1b65b

SHA256
b52ff121ab23e0e6a4cf4d12722b3447579047fdcd42582bbfcda94be7bc7c07

SHA512
4079147474e0205fcd0c84f6f7fba7b90177f9b4ee37355548681cf833367f48a32c4b215dd114ccf956c1661f0c62dd6bbed970520ae4290d8d5c96d26b772c

Download Submit
C:\Modding\MO2\usvfs_x64.dll
Filesize
1.5MB

MD5
7927f823423755d32640176e0acee3f6

SHA1
e49a6f01d22e9178180b1c556f60c3d450c5ca4e

SHA256
f608075b1a882ad4ae23e7b607da0b8591d7a36a81c4ccfc11913b012d33eb97

SHA512
6176ee78f31dbd41e7ef6c8e3fefe9e30294263bccd8b6819ad7fe8e5f2a1f4a2fc58dfe8f094afe47c57c7ea4d901adc0be7f325aad643b693371ee88eba987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
b51dc9e5ec3c97f72b4ca9488bbb4462

SHA1
5c1e8c0b728cd124edcacefb399bbd5e25b21bd3

SHA256
976f9534aa2976c85c2455bdde786a3f55d63aefdd40942eba1223c4c93590db

SHA512
0e5aa6cf64c535aefb833e5757b68e1094c87424abe2615a7d7d26b1b31eff358d12e36e75ca57fd690a9919b776600bf4c5c0e5a5df55366ba62238bdf3f280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
110b59ca4d00786d0bde151d21865049

SHA1
557e730d93fdf944a0cad874022df1895fb5b2e2

SHA256
77f69011c214ea5a01fd2035d781914c4893aee66d784deadc22179eadfdf77f

SHA512
cb55ac6eca50f4427718bace861679c88b2fdfea94d30209e8d61ca73a6ce9f8c4b5334922d2660a829b0636d20cbdf3bae1497c920e604efe6c636019feb10e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8f659389c6e21eb0c627fbae833500c7

SHA1
ae632f1e4af08587934ff168155b30e2b28d7475

SHA256
a12763453f79453dd8f25f0c90d001ffb5d409ec698491666c9f076c6bc60d8c

SHA512
f4849e0b1d6ab3d4dd054f590a359af8dd1b9d3df2ad78033ad1a59ebafb1ca96aa76fa9061a466d74e8e3266dc882818d79db47908b21ca3ef8be20e427d327

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
18470dd1aa7811c5a9825ea59429223b

SHA1
75859ea7baf1a8f5ba652ca783bb15f07615cc32

SHA256
98616a32e387ad9ae2f6faddc53cd60e0ba50fe4088abdc51b82b309cc8771bd

SHA512
cc8ff35595460d3ef16589cbab347ac07eff8b62766bfbceb386507ac631d433a2aa9187b0d6cef2b30b1fa08c92bc5a0061e984cc37c378119dcf51212f3def

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_osuqu3u4.4j4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G6Q3G.tmp\Mod Organizer 2-6194-2-5-0-1701057391.tmp
Filesize
3.0MB

MD5
2358bc3d6a1e649694f23d8426278b3a

SHA1
f505fad0e1159bd07244a811256e8b64af23e35c

SHA256
94e4c45cc6a333d645489ee5094a693bb7f0d83fb6881200197f128a9c580281

SHA512
d1bb45c83a73e4971a28c1fe85abe2369b9865bb4428019a112c843b0b9d4713bc8da654a118b0d765602294936e7df3a146f1ea674266a16d34e836f1b10a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-G8U2T.tmp\isxdl.dll
Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
memory/3172-4376-0x0000025033550000-0x00000250335D3000-memory.dmp

Filesize
524KB

Download
memory/3172-4356-0x00007FF7D2690000-0x00007FF7D2B47000-memory.dmp

Filesize
4.7MB

Download
memory/3172-4794-0x0000000060570000-0x0000000060778000-memory.dmp

Filesize
2.0MB

Download
memory/3172-4789-0x0000000060570000-0x0000000060778000-memory.dmp

Filesize
2.0MB

Download
memory/3172-4384-0x00007FFC41660000-0x00007FFC41B27000-memory.dmp

Filesize
4.8MB

Download
memory/3172-4350-0x00007FFC4E0F0000-0x00007FFC4E6B5000-memory.dmp

Filesize
5.8MB

Download
memory/3172-4383-0x00007FFC49290000-0x00007FFC494AD000-memory.dmp

Filesize
2.1MB

Download
memory/3172-4382-0x00007FFC49930000-0x00007FFC49B89000-memory.dmp

Filesize
2.3MB

Download
memory/3172-4378-0x0000025033AC0000-0x0000025033B7A000-memory.dmp

Filesize
744KB

Download
memory/3172-4379-0x00007FFC49DA0000-0x00007FFC49E5A000-memory.dmp

Filesize
744KB

Download
memory/3172-4377-0x00007FFC4A1D0000-0x00007FFC4A253000-memory.dmp

Filesize
524KB

Download
memory/3172-4351-0x00007FFC4C860000-0x00007FFC4CD55000-memory.dmp

Filesize
5.0MB

Download
memory/3172-4354-0x00007FFC26FD0000-0x00007FFC27FD0000-memory.dmp

Filesize
16.0MB

Download
memory/4380-2235-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4380-76-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4380-6-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4380-1179-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4380-77-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4380-1109-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4380-4374-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4380-4310-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4380-4057-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4380-13-0x0000000000400000-0x0000000000712000-memory.dmp

Filesize
3.1MB

Download
memory/4492-14-0x00007FFC4E1D3000-0x00007FFC4E1D5000-memory.dmp

Filesize
8KB

Download
memory/4492-25-0x00007FFC4E1D0000-0x00007FFC4EC91000-memory.dmp

Filesize
10.8MB

Download
memory/4492-29-0x00007FFC4E1D0000-0x00007FFC4EC91000-memory.dmp

Filesize
10.8MB

Download
memory/4492-15-0x0000026C76960000-0x0000026C76982000-memory.dmp

Filesize
136KB

Download
memory/4492-26-0x00007FFC4E1D0000-0x00007FFC4EC91000-memory.dmp

Filesize
10.8MB

Download
memory/5004-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/5004-12-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/5004-0-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/5004-4375-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download