hxxps://admin[.]serai[.]pro/download_fn?id=66886de962e08

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://admin.serai.pro/download_fn?id=66886de962e08

Score

9^/10

discovery evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fortnitee.exe

Downloads MZ/PE file

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	fortnitee.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	fortnitee.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation	VC_redist.x86.exe

Executes dropped EXE 5 IoCs

pid	Process
388	fortnitee.exe
1464	VC_redist.x86.exe
4448	VC_redist.x86.exe
3588	VC_redist.x86.exe
5468	dismhost.exe

Loads dropped DLL 7 IoCs

pid	Process
4448	VC_redist.x86.exe
6108	VC_redist.x86.exe
5468	dismhost.exe
5468	dismhost.exe
5468	dismhost.exe
5468	dismhost.exe
5468	dismhost.exe

Themida packer 6 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000a00000001e561-42.dat	themida
behavioral1/memory/388-72-0x0000000140000000-0x000000014128A000-memory.dmp	themida
behavioral1/memory/388-73-0x0000000140000000-0x000000014128A000-memory.dmp	themida
behavioral1/memory/388-74-0x0000000140000000-0x000000014128A000-memory.dmp	themida
behavioral1/memory/388-75-0x0000000140000000-0x000000014128A000-memory.dmp	themida
behavioral1/memory/388-160-0x0000000140000000-0x000000014128A000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{46c3b171-c15c-4137-8e1d-67eeb2985b44} = "\"C:\\ProgramData\\Package Cache\\{46c3b171-c15c-4137-8e1d-67eeb2985b44}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	fortnitee.exe

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\F:	cleanmgr.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in System32 directory 53 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setupact.log	cleanmgr.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagwrn.xml	cleanmgr.exe
File created	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\diagerr.xml	cleanmgr.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\LogFiles\setupcln\setuperr.log	cleanmgr.exe
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
388	fortnitee.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C49.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	cleanmgr.exe
File created	C:\Windows\Installer\SourceHash{286DC39B-5FB7-4AFF-9DD4-22DB47664CD7}	msiexec.exe
File created	C:\Windows\Installer\e583a76.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI418A.tmp	msiexec.exe
File created	C:\Windows\Installer\e583a8b.msi	msiexec.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File created	C:\Windows\Installer\e583a64.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3DEF.tmp	msiexec.exe
File created	C:\Windows\Installer\e583a75.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI439F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e583a64.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\e583a76.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9C19C103-7DB1-44D1-A039-2C076A633A38}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 41 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	cleanmgr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	cleanmgr.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f796c98383de23ea0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f796c9830000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f796c983000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df796c983000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f796c98300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005\	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0005	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0015	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	cleanmgr.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0004	cleanmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	cleanmgr.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0014	cleanmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\Version = "14.38.33135.0"	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B93CD6827BF5FFA4D94D22BD7466C47D\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{286DC39B-5FB7-4AFF-9DD4-22DB47664CD7}v14.38.33135\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\VC,REDIST.X86,X86,14.30,BUNDLE\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\Dependents	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B93CD6827BF5FFA4D94D22BD7466C47D\Provider	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\301C91C91BD71D440A93C270A636A383	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.38.33135"	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\301C91C91BD71D440A93C270A636A383\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\ = "{46c3b171-c15c-4137-8e1d-67eeb2985b44}"	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.38.33135"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\Version = "237404527"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{286DC39B-5FB7-4AFF-9DD4-22DB47664CD7}v14.38.33135\\packages\\vcRuntimeMinimum_x86\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B93CD6827BF5FFA4D94D22BD7466C47D\VC_Runtime_Minimum	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1\B93CD6827BF5FFA4D94D22BD7466C47D	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\PackageCode = "5DCA9E92B1C69C843A615368658FB324"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle\Dependents\{46c3b171-c15c-4137-8e1d-67eeb2985b44}	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.38.33135"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\301C91C91BD71D440A93C270A636A383\VC_Runtime_Additional	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Dependents\{46c3b171-c15c-4137-8e1d-67eeb2985b44}	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Version = "14.38.33135"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\ProductName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.38.33135"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{9C19C103-7DB1-44D1-A039-2C076A633A38}v14.38.33135\\packages\\vcRuntimeAdditional_x86\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\AuthorizedLUAApp = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B93CD6827BF5FFA4D94D22BD7466C47D\Language = "1033"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.38,bundle	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.38.33135"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\301C91C91BD71D440A93C270A636A383\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{9C19C103-7DB1-44D1-A039-2C076A633A38}v14.38.33135\\packages\\vcRuntimeAdditional_x86\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\Dependents\{46c3b171-c15c-4137-8e1d-67eeb2985b44}	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{286DC39B-5FB7-4AFF-9DD4-22DB47664CD7}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B93CD6827BF5FFA4D94D22BD7466C47D	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\679E80FBE29B63345BF612177149674C	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 376101.crdownload:SmartScreen	msedge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3436	PING.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4636	msedge.exe
4636	msedge.exe
4036	msedge.exe
4036	msedge.exe
3208	identity_helper.exe
3208	identity_helper.exe
3540	msedge.exe
3540	msedge.exe
5648	msiexec.exe
5648	msiexec.exe
5648	msiexec.exe
5648	msiexec.exe
5648	msiexec.exe
5648	msiexec.exe
5648	msiexec.exe
5648	msiexec.exe
1500	powershell.exe
1500	powershell.exe
1500	powershell.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe
4716	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	4244	vssvc.exe
Token: SeRestorePrivilege	4244	vssvc.exe
Token: SeAuditPrivilege	4244	vssvc.exe
Token: SeShutdownPrivilege	3588	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	3588	VC_redist.x86.exe
Token: SeSecurityPrivilege	5648	msiexec.exe
Token: SeCreateTokenPrivilege	3588	VC_redist.x86.exe
Token: SeAssignPrimaryTokenPrivilege	3588	VC_redist.x86.exe
Token: SeLockMemoryPrivilege	3588	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	3588	VC_redist.x86.exe
Token: SeMachineAccountPrivilege	3588	VC_redist.x86.exe
Token: SeTcbPrivilege	3588	VC_redist.x86.exe
Token: SeSecurityPrivilege	3588	VC_redist.x86.exe
Token: SeTakeOwnershipPrivilege	3588	VC_redist.x86.exe
Token: SeLoadDriverPrivilege	3588	VC_redist.x86.exe
Token: SeSystemProfilePrivilege	3588	VC_redist.x86.exe
Token: SeSystemtimePrivilege	3588	VC_redist.x86.exe
Token: SeProfSingleProcessPrivilege	3588	VC_redist.x86.exe
Token: SeIncBasePriorityPrivilege	3588	VC_redist.x86.exe
Token: SeCreatePagefilePrivilege	3588	VC_redist.x86.exe
Token: SeCreatePermanentPrivilege	3588	VC_redist.x86.exe
Token: SeBackupPrivilege	3588	VC_redist.x86.exe
Token: SeRestorePrivilege	3588	VC_redist.x86.exe
Token: SeShutdownPrivilege	3588	VC_redist.x86.exe
Token: SeDebugPrivilege	3588	VC_redist.x86.exe
Token: SeAuditPrivilege	3588	VC_redist.x86.exe
Token: SeSystemEnvironmentPrivilege	3588	VC_redist.x86.exe
Token: SeChangeNotifyPrivilege	3588	VC_redist.x86.exe
Token: SeRemoteShutdownPrivilege	3588	VC_redist.x86.exe
Token: SeUndockPrivilege	3588	VC_redist.x86.exe
Token: SeSyncAgentPrivilege	3588	VC_redist.x86.exe
Token: SeEnableDelegationPrivilege	3588	VC_redist.x86.exe
Token: SeManageVolumePrivilege	3588	VC_redist.x86.exe
Token: SeImpersonatePrivilege	3588	VC_redist.x86.exe
Token: SeCreateGlobalPrivilege	3588	VC_redist.x86.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe
Token: SeTakeOwnershipPrivilege	5648	msiexec.exe
Token: SeRestorePrivilege	5648	msiexec.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe
4036	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
388	fortnitee.exe
1464	VC_redist.x86.exe
4448	VC_redist.x86.exe
3588	VC_redist.x86.exe
6088	VC_redist.x86.exe
6108	VC_redist.x86.exe
1868	VC_redist.x86.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 4684	4036	msedge.exe	82
PID 4036 wrote to memory of 4684	4036	msedge.exe	82
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4200	4036	msedge.exe	85
PID 4036 wrote to memory of 4636	4036	msedge.exe	86
PID 4036 wrote to memory of 4636	4036	msedge.exe	86
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87
PID 4036 wrote to memory of 2404	4036	msedge.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://admin.serai.pro/download_fn?id=66886de962e08
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1b8446f8,0x7ffd1b844708,0x7ffd1b844718
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3540
- C:\Users\Admin\Downloads\fortnitee.exe
  "C:\Users\Admin\Downloads\fortnitee.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ping -c 1 serai.pro > NULL 2>&1
    3⤵
    PID:872
  - - C:\Windows\system32\PING.EXE
      ping -c 1 serai.pro
      4⤵
      Runs ping.exe
      PID:3436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c echo DONE! > C:\TRT\doni.ac
    3⤵
    PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl -L --silent -o C:\TRT\VC_redist.x86.exe https://download.visualstudio.microsoft.com/download/pr/71c6392f-8df5-4b61-8d50-dba6a525fb9d/510FC8C2112E2BC544FB29A72191EABCC68D3A5A7468D35D7694493BC8593A79/VC_redist.x86.exe
    3⤵
    PID:4500
  - - C:\Windows\system32\curl.exe
      curl -L --silent -o C:\TRT\VC_redist.x86.exe https://download.visualstudio.microsoft.com/download/pr/71c6392f-8df5-4b61-8d50-dba6a525fb9d/510FC8C2112E2BC544FB29A72191EABCC68D3A5A7468D35D7694493BC8593A79/VC_redist.x86.exe
      4⤵
      PID:1340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\TRT\VC_redist.x86.exe /install /quiet /norestart
    3⤵
    PID:664
  - - C:\TRT\VC_redist.x86.exe
      C:\TRT\VC_redist.x86.exe /install /quiet /norestart
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1464
    - - C:\Windows\Temp\{A2B78893-D43D-457D-AF17-AA3575FDB3E1}\.cr\VC_redist.x86.exe
        
        "C:\Windows\Temp\{A2B78893-D43D-457D-AF17-AA3575FDB3E1}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\TRT\VC_redist.x86.exe" -burn.filehandle.attached=580 -burn.filehandle.self=568 /install /quiet /norestart
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:4448
      - C:\Windows\Temp\{44C0DD56-B3C1-4CC3-8FDF-F03C70046C92}\.be\VC_redist.x86.exe
        
        "C:\Windows\Temp\{44C0DD56-B3C1-4CC3-8FDF-F03C70046C92}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{833D771F-4C2F-4DF0-BE82-47D0F137C9E2} {4F093A59-403F-443D-84DE-BA6752B6ACD1} 4448
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3588
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={46c3b171-c15c-4137-8e1d-67eeb2985b44} -burn.filehandle.self=1180 -burn.embedded BurnPipe.{12AFDE29-AE00-40E5-B2A0-16EE4E624510} {844D7463-1544-472E-84AA-8DC17122098C} 3588
        7⤵
        Suspicious use of SetWindowsHookEx
        
        PID:6088
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={46c3b171-c15c-4137-8e1d-67eeb2985b44} -burn.filehandle.self=1180 -burn.embedded BurnPipe.{12AFDE29-AE00-40E5-B2A0-16EE4E624510} {844D7463-1544-472E-84AA-8DC17122098C} 3588
        8⤵
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:6108
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{F92DE780-1382-4E0E-8CA6-B777F76EFB0F} {39E28ED7-94AB-4267-96A5-874273B48701} 6108
        9⤵
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cleanmgr.exe /sagerun:1
    3⤵
    PID:5788
  - - C:\Windows\system32\cleanmgr.exe
      cleanmgr.exe /sagerun:1
      4⤵
      Enumerates connected drives
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      PID:5804
    - - C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\dismhost.exe {D0C7FD6A-F78B-40CA-AC35-AB149BA81B39}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:5468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c curl -L --silent -o C:\TRT\chrome-win.zip https://storage.googleapis.com/chromium-browser-snapshots/Win_x64/1289194/chrome-win.zip
    3⤵
    PID:5264
  - - C:\Windows\system32\curl.exe
      curl -L --silent -o C:\TRT\chrome-win.zip https://storage.googleapis.com/chromium-browser-snapshots/Win_x64/1289194/chrome-win.zip
      4⤵
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell Expand-Archive -Path C:\TRT\chrome-win.zip -DestinationPath C:\TRT
    3⤵
    PID:4664
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Expand-Archive -Path C:\TRT\chrome-win.zip -DestinationPath C:\TRT
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,7927632433683794022,3006959831986031620,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4612 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4244

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:5504

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583a69.rbs

Filesize
16KB

MD5
4a0f087ee9ea9034ec52e59ba7b7beba

SHA1
2b47e3b7b156e4e6072b90e502cd7cfc91a81beb

SHA256
87af04583a3813c6562b3431e30479ecffcb10a68be3413067673ae3a01dc90d

SHA512
a14c23556c549e45533d44fdda8e779583a4de3568a17ef5aaddf25d9e9834659e421be21450d48ca6aaaf075d72f235debd9f444d2defdbfb4ce7ffa11a0ba9

Download Submit
C:\Config.Msi\e583a6e.rbs

Filesize
18KB

MD5
d6e66ca3c825c65677093d9b2cb5702a

SHA1
b2be2a9844457f5f016ff8980cdf06d3e9c16191

SHA256
a48161c12eb043a5eddaab8a5f0cea29c621d460b91377d927686f32ba4b77a6

SHA512
706710f3c8275666c0c7d5665f2b54b7c7d5478ba267c77c62674716d15c31cfede7c1b4c7b44d0ff7c726c7b1eebcce8825c0a03d04b444032c73d908e68cd0

Download Submit
C:\Config.Msi\e583a7b.rbs

Filesize
20KB

MD5
1448be438e00aa3e506c904665774842

SHA1
ddbae29c5740fa52807b7ee1edcf745554f309eb

SHA256
00ff8ec1ff9a24e5bacc5e0c50ee0bd49ee214a2d5978cdce7713c877d0a2ff3

SHA512
c33ae42abd0f7a467a38bdf56c66026dfada6574a3a6f90d42278f5ecfb7266b7f53910e562410b2e17b71e91748b8da483cec720935eeeb889f3d9900230382

Download Submit
C:\Config.Msi\e583a8a.rbs

Filesize
19KB

MD5
8e90d9f4f36d38194732069017a136b9

SHA1
ec4b70d2f2c531482cbfbdefa9a43ae157ac3611

SHA256
6b27215e83218fd4aa37fe3b133afc5fbaa79b31fa5b2c8ff06d1ece0076a088

SHA512
70500926ce65cefb7c237726df9870d974a710917bb4552a7f268f94bff70cd648233a4ba77357179622858714ce6a4d7862d03c2fc3a90babdc1733660630b8

Download Submit
C:\TRT\VC_redist.x86.exe

Filesize
13.2MB

MD5
9882a328c8414274555845fa6b542d1e

SHA1
ab4a97610b127d68c45311deabfbcd8aa7066f4b

SHA256
510fc8c2112e2bc544fb29a72191eabcc68d3a5a7468d35d7694493bc8593a79

SHA512
c08d1aa7e6e6215a0cee2793592b65668066c8c984b26675d2b8c09bc7fee21411cb3c0a905eaee7a48e7a47535fa777de21eeb07c78bca7bf3d7bb17192acf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
de1d175f3af722d1feb1c205f4e92d1e

SHA1
019cf8527a9b94bd0b35418bf7be8348be5a1c39

SHA256
1b99cae942ebf99c31795fa279d51b1a2379ca0af7b27bd3c58ea6c78a033924

SHA512
f0dcd08afd3c6a761cc1afa2846ec23fb5438d6127ebd535a754498debabd0b1ebd04858d1b98be92faf14b512f982b1f3dcbb702860e96877eb835f763f9734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
06b496d28461d5c01fc81bc2be6a9978

SHA1
36e7a9d9c7a924d5bb448d68038c7fe5e6cbf5aa

SHA256
e4a2d1395627095b0fa55e977e527ccb5b71dff3cd2d138df498f50f9f5ab507

SHA512
6488a807c978d38d65010583c1e5582548ab8102ebd68ee827e603c9bdfcdbb9f98a488d31414a829409f6edca8bd2eb4aadd4ff31b144de41249fa63a26bc91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
473B

MD5
3f5e73815eb0a6d3d0d2555cc060a1c5

SHA1
8a7c5c63e781bb5db72ee1df61be20ff927bb53b

SHA256
b4ff702325986ebe3908d6b50c87c270e8bf4528f10ede9e85bc395cd8b67a71

SHA512
0298be8eec7222ed553b55114dc3e1a1c5cfdd08fa47b1b2fcae2085142d896f5ab7d6dfcd49eb94cd75a0421a1db70096b0dea952e290cc6a3d5dae4d96f45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
54df85a7f096b008707a0cc40c410f0e

SHA1
b72620b707c2b1efd5f6d4e1f48b9c9e5f69cc07

SHA256
3c9287aa7027fa57e99290f44c4c08baf01a051aaaf8dd3f583a25d5ee9af010

SHA512
d0febcebff6f7406857c9995ccd1af1d4a102eec076213a9535e2de99d21865217cd483369f01f96fa2d03cdca71e4864586ed9e60a30e535792c6f1fa2b38e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5af57035ad73bc99cc889d1d0da246ca

SHA1
58a63abf880f48e61ac2f0baa56c351abc2aedc7

SHA256
b62c1469404b06989ee976dd30388c98649c2ca87b83a3867b60d90757d3e6f0

SHA512
05d124da0aa5e69ebdc314e1daa8b47b420dd23696f4b873e3a4d2cc130c230772e12c39cc1f5349c8a9d8a4a54b5757708b6b50d099a477e94d243dc15e7db1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d6e910bc073a29223a7ea44cc2763753

SHA1
76b70a30c840fa639c6de22da614e32d5211dbe5

SHA256
14dcfec0f8a68d0a5949cd712395bc76c2984e259ed01e852fb2f35fe95caeff

SHA512
702f6aa786a64e7ec6cd71075079b1e85d2596b639eb38dbb38cbbf7515b5830390a81caede83425f5f466bb0a2fc90394595b7dfe1d930abfd237a5d5a50a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e6121aef4c2fac8581b69c4cfca09a6e

SHA1
f88c2829dd773400089f61de46c11b13a775f173

SHA256
a8b6dd0b6093ec9604e655799e572d0ce06390146c536971c6e6b5f23b2b0b98

SHA512
50e094cbaed5b87b5a953f2e8820994cb944d56f8a7ffc51fb27b964a9eb893d67afb9c3191c5ca2c77c0fe7539e486ac11fd4540cdba5e70940f7de0786b8ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7772b8b240d8d12f3605d54228f6ab9c

SHA1
61401539a557bde1213030f37f5e267da9dd1b66

SHA256
f3c7b384d112b779363d5e72b67b553657646660f87eae2ff1f95a71914ef621

SHA512
0733a609e0f0465c7242131720c6a596e9c5ac5af92daca91f237a257b20eb2a0920037307a05aea0cf52976c97bca701d4ab4491859f49fae67a40ee3b3130d

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\AssocProvider.dll

Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\DismCore.dll

Filesize
402KB

MD5
b1f793773dc727b4af1648d6d61f5602

SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68

SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\DmiProvider.dll

Filesize
415KB

MD5
ea8488990b95ce4ef6b4e210e0d963b2

SHA1
cd8bf723aa9690b8ca9a0215321e8148626a27d1

SHA256
04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98

SHA512
56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\FfuProvider.dll

Filesize
619KB

MD5
df785c5e4aacaee3bd16642d91492815

SHA1
286330d2ab07512e1f636b90613afcd6529ada1e

SHA256
56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271

SHA512
3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\FolderProvider.dll

Filesize
59KB

MD5
4f3250ecb7a170a5eb18295aa768702d

SHA1
70eb14976ddab023f85bc778621ade1d4b5f4d9d

SHA256
a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461

SHA512
e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\GenericProvider.dll

Filesize
149KB

MD5
ef7e2760c0a24453fc78359aea3d7869

SHA1
0ea67f1fd29df2615da43e023e86046e8e46e2e1

SHA256
d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a

SHA512
be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\IBSProvider.dll

Filesize
59KB

MD5
120f0a2022f423fc9aadb630250f52c4

SHA1
826df2b752c4f1bba60a77e2b2cf908dd01d3cf7

SHA256
5425382aaa32ffc133adb6458ff516db0e2ad60fac52dd595d53c370f4ba6fa0

SHA512
23e50735c06cef93d11873fc8e5e29fc63dcf3f01dc56822a17c11ca57bbfb10d46fac6351f84ba30050a16d6bd0744a08a4042a9743a6df87ac8a12e81e2764

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\ImagingProvider.dll

Filesize
218KB

MD5
35e989a1df828378baa340f4e0b2dfcb

SHA1
59ecc73a0b3f55e43dace3b05ff339f24ec2c406

SHA256
874137ee906f91285b9a018735683a0dd21bdeaf2e340cbc54296551ccf8be2d

SHA512
c8d69e37c918881786a8fdab2a2c5d1632411b1f75082aeb3eb24a8ba5f93dcb39b3f4000e651f95452263525d98fd1d3cb834de93bed16fa6f92ef271c3a92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\IntlProvider.dll

Filesize
296KB

MD5
510e132215cef8d09be40402f355879b

SHA1
cae8659f2d3fd54eb321a8f690267ba93d56c6f1

SHA256
1bb39f3389aa4258a923fa265afa2279688e6cdb14ff771f1621a56b03ddcf52

SHA512
2f7b2ec0e94738838f755759cd35e20ab2138b8eca023ee6ef630ab83a3de1bc0792f12ea0d722abe9a6953626cbddf8ba55ea32fc794d2df677a0625e498ab0

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\en-US\AppxProvider.dll.mui

Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
8833761572f0964bdc1bea6e1667f458

SHA1
166260a12c3399a9aa298932862569756b4ecc45

SHA256
b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5

SHA512
2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
6c51a3187d2464c48cc8550b141e25c5

SHA1
a42e5ae0a3090b5ab4376058e506b111405d5508

SHA256
d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199

SHA512
87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\en-US\DismCore.dll.mui

Filesize
7KB

MD5
7a15f6e845f0679de593c5896fe171f9

SHA1
0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

SHA256
f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

SHA512
5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\en-US\DmiProvider.dll.mui

Filesize
17KB

MD5
b7252234aa43b7295bb62336adc1b85c

SHA1
b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f

SHA256
73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c

SHA512
88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\en-US\FfuProvider.dll.mui

Filesize
9KB

MD5
dc826a9cb121e2142b670d0b10022e22

SHA1
b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9

SHA256
ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a

SHA512
038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\en-US\FolderProvider.dll.mui

Filesize
2KB

MD5
22b4a3a1ec3b6d7aa3bc61d0812dc85f

SHA1
97ae3504a29eb555632d124022d8406fc5b6f662

SHA256
c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105

SHA512
9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\en-US\GenericProvider.dll.mui

Filesize
5KB

MD5
d6b02daf9583f640269b4d8b8496a5dd

SHA1
e3bc2acd8e6a73b6530bc201902ab714e34b3182

SHA256
9102fa05ed98d902bf6e95b74fdbb745399d4ce4536a29607b2156a0edfeddf0

SHA512
189e87fcc2902e2a8e59773783d80a7d4dd5d2991bd291b0976cbd304f78bd225b353703735b84de41b5f59c37402db634c4acc805d73176cde75ca662efff50

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\en-US\IBSProvider.dll.mui

Filesize
2KB

MD5
d4b67a347900e29392613b5d86fe4ac2

SHA1
fb84756d11bfd638c4b49268b96d0007b26ba2fb

SHA256
4ccfe7883bce7785b1387ad3872230159899a5337d30a2f81a937b74bcbc4ce5

SHA512
af0a2a3f813e1adfff972285c9655f50ce6916caaeff5cb82f6c7d76491ffc9b365a47f19750fc02d7122182bf65aae79ed167886c33f202d5a781ab83d75662

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\en-US\ImagingProvider.dll.mui

Filesize
18KB

MD5
f2e2ba029f26341158420f3c4db9a68f

SHA1
1dee9d3dddb41460995ad8913ad701546be1e59d

SHA256
32d8c8fb9a746be209db5c3bdad14f361cf2bef8144c32e5af419c28efd35da3

SHA512
3d45d7bcf21d5df56b516fc18f7dc1bf80e44258b0c810b199a7bc06047a547060956c9d79575b82d9b6992fb5fe64f5b0ef1e408363887ae81a64b6ff9fa03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\en-US\IntlProvider.dll.mui

Filesize
27KB

MD5
2eb303db5753eb7a6bb3ab773eeabdcb

SHA1
44c6c38e6ae5f9ce9d7ca9d45a3cc3020b1353e4

SHA256
aa43b64db4fdcd89e56ba5309f3ba2ffac2663ba30514e87c160687f4314221f

SHA512
df1c8cefed4b5ef5a47f9bc0c42776611b3af709938a0900db79c6c9f4fae21acbbb6c4b1cad3c5a2051b622fe7e6e01486d34622742a981623fed933f1b1427

Download Submit
C:\Users\Admin\AppData\Local\Temp\80BAFAD7-BF4D-4988-B234-918C786B92B3\en-US\dismprov.dll.mui

Filesize
2KB

MD5
7d06108999cc83eb3a23eadcebb547a5

SHA1
200866d87a490d17f6f8b17b26225afeb6d39446

SHA256
cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311

SHA512
9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2vinpqsl.23q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240705222846_000_vcRuntimeMinimum_x86.log

Filesize
2KB

MD5
d34a82220bae236cef4d785a4fa3e1d7

SHA1
13fba0d5da5697537ac7b08c0627b72f431fea8a

SHA256
4b25876252e5c6af477416e46005d60ec0ec0bcf783f9733c85c59e6673c8507

SHA512
36c8d082e8cbd410620b63dc7719296ce70332ac58a2fe584877665aa43bdc4d39881c8bcc4dd489e17fb0f7cabfadf500a7df60201b292b70613356acb635ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240705222846_001_vcRuntimeAdditional_x86.log

Filesize
2KB

MD5
248a5c43357d1cc08772a4f40c19159b

SHA1
be4ed2491f307b1f7a37dc3e6b10ac633b3de4db

SHA256
e079d03089bd5a72e3b632647d68b87f807b472476478bcf2acfe684e1db8bd9

SHA512
2b3a6b8b93877d58a3b940036105e3b6dfc7bfb62ec5c291c2b8debe346204ab3bd7e89cc728fe71baf1129334ebde357efbdcf72b8290de05ea77ef2cf5500d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 376101.crdownload

Filesize
6.9MB

MD5
7cb942f8bb86ae4896fb306dcf71ca6c

SHA1
4a9c1507557ed12fd83495f427410b6d56032903

SHA256
91d1e4c00cacb30b0f12c4b319cf86cc44339ee4ec924f721bfb31dbd8094443

SHA512
c9656b7b7ca468c2ce021e3675f5afd62ee61c422fdb06681ce063fffa8e92496fcafac644ccfe1bfb30496259211d2cbff6918474ac5702fee3c510955df6cd

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
230KB

MD5
7088d685b52d43da87cbe4d09e334e9a

SHA1
31af7ad55a6592a0911394313635a86e9e131895

SHA256
5c5718756cfd7a1eabfa0e042ea928172622d5c1f44f056f67fe7e71dacb8b3a

SHA512
22cf8ebc3690d0dff4321e3356bc0d454428b3a1e83805ea98dcfe3968ae77fd51df16083b64aea26187ee35de3080a32ce724bc5bf6f7bee0aaf1c10e908f66

Download Submit
C:\Windows\System32\LogFiles\setupcln\diagerr.xml

Filesize
10KB

MD5
c8eca443fe2f9e623034ac3da77df4f2

SHA1
bcbca8126b1247cafd4c3cb86dc11243d3790b94

SHA256
397c3be66a04531e8c50d97cb4cf03c5e10715e28ca0def387b1117f62546c9d

SHA512
89aacbaf33b7663dcfdf385819a9795d16cd29c0edd652287a398074354dcc6d65863e3e7132c68fa5d9e2a4c9f06e81d9dd295a329a008f6b116d1aef778d76

Download Submit
C:\Windows\System32\LogFiles\setupcln\diagwrn.xml

Filesize
9KB

MD5
ef82b304067edcf3cf990a42de93b695

SHA1
a2a2af4015e81562bab4454232bbcb69708f5cd9

SHA256
63a505045b1d4549428a469bf00b0f83aaf58cfd9eb2c32b24f17336e323ab31

SHA512
8f5e17ed20bd033370220c7dc9f1373cd9aa79d3fe3b73cef1dbf0134f8705997f1287427c03d87e16a5932855a553501988b3c43b4ca2329d4d8f153dbe5d41

Download Submit
C:\Windows\System32\LogFiles\setupcln\setupact.log

Filesize
14KB

MD5
dc9d4418b057fcd3f68d168fb9b0ee78

SHA1
3afd9685bc7052b22014b694cc56c8d6345b545c

SHA256
c473c35e8b7e5a82d09090a258610d00a141a9b56faa6fc8bca8bca57fffee82

SHA512
702015dff7c7c9a4839b3b9cae4713a144d633c2f309282ff9263d28276f1f4d9767d3688ff5a2acf864002f24c31c4875326a1ae94e03e4667ea0701f8db9e9

Download Submit
C:\Windows\Temp\{44C0DD56-B3C1-4CC3-8FDF-F03C70046C92}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{44C0DD56-B3C1-4CC3-8FDF-F03C70046C92}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{44C0DD56-B3C1-4CC3-8FDF-F03C70046C92}\cab54A5CABBE7274D8A22EB58060AAB7623

Filesize
814KB

MD5
a57efc0afffdf914cbc76bb882cad37e

SHA1
732dbef27c49c27d9f1c00eba177eabc21650fb8

SHA256
c384da7cc6ead2ce054a67fded26d7e4cff2f981a83c64de62e53864665e5f45

SHA512
ad2cfc0fd199fe2726fd18c0a5972185e8331fe49807ca6340212901dd61d30853e2c72015ee9bac0425e287ef488190a245676173194fafbf8f6fc7fbf9baba

Download Submit
C:\Windows\Temp\{44C0DD56-B3C1-4CC3-8FDF-F03C70046C92}\cabB3E1576D1FEFBB979E13B1A5379E0B16

Filesize
4.9MB

MD5
4a17e4da145fa1ea92a52266221ad628

SHA1
f6304de9d73609f6b9717d6a4d44efd7ab7ffe9e

SHA256
9544abbd46b39bec491cf63076fb109306e519f303df9cd583a28956172bf038

SHA512
de9a6a1391070a9470f78208ff74120cffd2a1e2580af4add87914ba6dd27e07b092e66caa847726e05eb5fae0c1252681de37f34b560d4d95f3b76f3599e16c

Download Submit
C:\Windows\Temp\{44C0DD56-B3C1-4CC3-8FDF-F03C70046C92}\vcRuntimeAdditional_x86

Filesize
180KB

MD5
a37983d3fca236d6ae2d22ab0fa9f1d4

SHA1
82f77032813aeddf321d681da4e1aa50786258dd

SHA256
a7f13351ce5b41fcf6c2ed95f223f5e2aab5411bf8499a772f69ad8ffb87f96b

SHA512
619467e6d4aa6bc8f1cc02daf52330e28c313d774a1d0b0bb96d40a2ed2dc3697cee738463faed040e1bca407c3471ae1bc8dd91472682b25c579caacdbf7374

Download Submit
C:\Windows\Temp\{44C0DD56-B3C1-4CC3-8FDF-F03C70046C92}\vcRuntimeMinimum_x86

Filesize
180KB

MD5
3ca6b74aefe34587f479055f5915e136

SHA1
61771e0a8ccabac8783a22f67adcbce612f11704

SHA256
a6f3a8e4e2162d8df176418e9a238becb645b2db31d8073bfc4f4cdb7fb1aa22

SHA512
3949cb3fdad3e8d5e9c649141a72783e0b403d3e835433d4d456654bcdad1290258f6d023ce127740f9c82459d337b9f8731c799efcf99775955d38cf3fef750

Download Submit
C:\Windows\Temp\{A2B78893-D43D-457D-AF17-AA3575FDB3E1}\.cr\VC_redist.x86.exe

Filesize
634KB

MD5
7bd0b2d204d75012d3a9a9ce107c379e

SHA1
41edd6321965d48e11ecded3852eb32e3c13848d

SHA256
d4c6f5c74bbb45c4f33d9cb7ddce47226ea0a5ab90b8ff3f420b63a55c3f6dd2

SHA512
d85ac030ebb3ba4412e69b5693406fe87e46696ca2a926ef75b6f6438e16b0c7ed1342363098530cdceb4db8e50614f33f972f7995e4222313fcef036887d0f0

Download Submit
memory/388-74-0x0000000140000000-0x000000014128A000-memory.dmp

Filesize
18.5MB

Download
memory/388-72-0x0000000140000000-0x000000014128A000-memory.dmp

Filesize
18.5MB

Download
memory/388-73-0x0000000140000000-0x000000014128A000-memory.dmp

Filesize
18.5MB

Download
memory/388-160-0x0000000140000000-0x000000014128A000-memory.dmp

Filesize
18.5MB

Download
memory/388-75-0x0000000140000000-0x000000014128A000-memory.dmp

Filesize
18.5MB

Download
memory/1500-816-0x000001D0BC520000-0x000001D0BC542000-memory.dmp

Filesize
136KB

Download
memory/1500-817-0x000001D0D4A00000-0x000001D0D4A12000-memory.dmp

Filesize
72KB

Download
memory/1500-818-0x000001D0BC560000-0x000001D0BC56A000-memory.dmp

Filesize
40KB

Download
memory/1868-305-0x0000000000610000-0x0000000000687000-memory.dmp

Filesize
476KB

Download
memory/6088-343-0x0000000000610000-0x0000000000687000-memory.dmp

Filesize
476KB

Download
memory/6108-342-0x0000000000610000-0x0000000000687000-memory.dmp

Filesize
476KB

Download