74cab790e882ca4927005961f92bf026e8cbf78357810b6432c8c614486c4ba9

Analysis

max time kernel
1799s
max time network
1800s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08-09-2024 02:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FREE POSEIDON BYPASSER.exe
Size

361KB
MD5

1f11850fa6310c17e1ec655fa1daf275
SHA1

9d83bdbf9e250244065db14526eb92647a88bd62
SHA256

74cab790e882ca4927005961f92bf026e8cbf78357810b6432c8c614486c4ba9
SHA512

d4b8b41cf8893699d96c3a561d809e4ac24f122dd6f9f121f7995fa8512a7c4e8bffea8f8759d57249ca8eb5f742fb0d3d9602360381dad468af17a7725e82f4
SSDEEP

3072:bZOQE9Qi/GbtOFq8Rp9vNC5t+rgTuGXPR3zWBUWPjaO8qSeiO:4Q/i8E4kgSqWPjaO8qsO

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	VC_redist.x86.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	VC_redist.x86 (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	VC_redist.x64.exe

Executes dropped EXE 8 IoCs

pid	Process
2704	VC_redist.x86.exe
5944	VC_redist.x86.exe
6008	VC_redist.x86 (1).exe
1772	VC_redist.x86.exe
2752	VC_redist.x64.exe
2272	VC_redist.x64.exe
6464	Setup.exe
5920	Setup.exe

Loads dropped DLL 14 IoCs

pid	Process
2704	VC_redist.x86.exe
6008	VC_redist.x86 (1).exe
32	VC_redist.x86.exe
2752	VC_redist.x64.exe
6048	VC_redist.x64.exe
6896	MsiExec.exe
6464	Setup.exe
6464	Setup.exe
6464	Setup.exe
6464	Setup.exe
5920	Setup.exe
5920	Setup.exe
5920	Setup.exe
5920	Setup.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vcredist_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	vcredist_IA64.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{47109d57-d746-4f8b-9618-ed6a17cc922b} = "\"C:\\ProgramData\\Package Cache\\{47109d57-d746-4f8b-9618-ed6a17cc922b}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{47109d57-d746-4f8b-9618-ed6a17cc922b} = "\"C:\\ProgramData\\Package Cache\\{47109d57-d746-4f8b-9618-ed6a17cc922b}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{5af95fd8-a22e-458f-acee-c61bd787178e} = "\"C:\\ProgramData\\Package Cache\\{5af95fd8-a22e-458f-acee-c61bd787178e}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File created	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140_threads.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64\msdia80.dll	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e59fe86.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300118.0\mfc80FRA.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300118.0\mfc80JPN.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300212.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.manifest	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e59fe98.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F82.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1031.tmp	msiexec.exe
File created	C:\Windows\Installer\e59fe99.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030259930.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300024.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300118.0\mfc80KOR.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240908030300024.0	msiexec.exe
File created	C:\Windows\Installer\e59fe6d.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300118.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.cat	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4E4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2763.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300024.0\mfcm80u.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300118.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300259.1\8.0.50727.6195.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240908030259884.0	msiexec.exe
File opened for modification	C:\Windows\Installer\e59fe5b.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030259884.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.manifest	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300118.0\mfc80CHS.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300212.0\vcomp.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300259.1\8.0.50727.6195.policy	msiexec.exe
File created	C:\Windows\Installer\e5f1327.msi	msiexec.exe
File created	C:\Windows\Installer\e5f1323.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA54.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI435C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4B8A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5f1323.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A55.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300024.0\mfc80.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\e59fe6d.msi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240908030259930.0	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300243.1\8.0.50727.6195.policy	msiexec.exe
File created	C:\Windows\Installer\SourceHash{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240908030300212.0	msiexec.exe
File created	C:\Windows\Installer\e59fe5b.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030259930.0\msvcr80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300118.0\mfc80ENU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300118.0\mfc80DEU.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300243.0\8.0.50727.6195.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240908030300118.0	msiexec.exe
File created	C:\Windows\Installer\e59feae.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D8E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e59fe99.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI37D3.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030259884.0\ATL80.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300259.0\8.0.50727.6195.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20240908030300243.0	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300024.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300118.0\mfc80CHT.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030300212.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.cat	msiexec.exe
File created	C:\Windows\Installer\e59fe86.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0C3457A0-3DCE-4A33-BEF0-9B528C557771}	msiexec.exe
File created	C:\Windows\Installer\e59fe82.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20240908030259884.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.cat	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 2 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4444	msiexec.exe
184	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_IA64.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86 (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NDP481-x86-x64-AllOS-ENU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86 (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NDP481-x86-x64-AllOS-ENU.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f7b83aff83bcb26e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f7b83aff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f7b83aff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df7b83aff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f7b83aff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\TypedURLs	taskmgr.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\30\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00240062003000290043004b0076003d0035002700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\ = "{0C3457A0-3DCE-4A33-BEF0-9B528C557771}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\899C6AE5CA5D9DE4983CF9521BC7DCD3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e0049004c005400540052005900320074004f005700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\PackageCode = "C558A51006735C645AEE5A0FC6A310C9"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	taskmgr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\PackageCode = "829638B4928B2094C8872CEC8D04BB92"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e004b0039007000540041002700650026005d002900650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\ProductName = "Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.40.33810"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\PackageCode = "0F1976868EAF8784585CF1DB265C6A81"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.40.33810"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A\VC_Runtime_Minimum	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_X86,V14\DEPENDENTS\{4D8DCF8C-A72A-43E1-9833-C12724DB736E}	VC_redist.x86.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\899C6AE5CA5D9DE4983CF9521BC7DCD3\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3\SourceList\PackageName = "vc_runtimeAdditional_x86.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\899C6AE5CA5D9DE4983CF9521BC7DCD3	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.40.33810"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007b004c0046003d0042004900620074004f002800650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0A7543C0ECD333A4EB0FB925C8557717	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\AdvertiseFlags = "388"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	taskmgr.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\899C6AE5CA5D9DE4983CF9521BC7DCD3\Servicing_Key	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.40,bundle\ = "{47109d57-d746-4f8b-9618-ed6a17cc922b}"	VC_redist.x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0A7543C0ECD333A4EB0FB925C8557717\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Dependents	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\899C6AE5CA5D9DE4983CF9521BC7DCD3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Version = "14.40.33810.0"	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1432	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1432	taskmgr.exe
Token: SeSystemProfilePrivilege	1432	taskmgr.exe
Token: SeCreateGlobalPrivilege	1432	taskmgr.exe
Token: SeBackupPrivilege	6080	vssvc.exe
Token: SeRestorePrivilege	6080	vssvc.exe
Token: SeAuditPrivilege	6080	vssvc.exe
Token: SeShutdownPrivilege	5944	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	5944	VC_redist.x86.exe
Token: SeSecurityPrivilege	5704	msiexec.exe
Token: SeCreateTokenPrivilege	5944	VC_redist.x86.exe
Token: SeAssignPrimaryTokenPrivilege	5944	VC_redist.x86.exe
Token: SeLockMemoryPrivilege	5944	VC_redist.x86.exe
Token: SeIncreaseQuotaPrivilege	5944	VC_redist.x86.exe
Token: SeMachineAccountPrivilege	5944	VC_redist.x86.exe
Token: SeTcbPrivilege	5944	VC_redist.x86.exe
Token: SeSecurityPrivilege	5944	VC_redist.x86.exe
Token: SeTakeOwnershipPrivilege	5944	VC_redist.x86.exe
Token: SeLoadDriverPrivilege	5944	VC_redist.x86.exe
Token: SeSystemProfilePrivilege	5944	VC_redist.x86.exe
Token: SeSystemtimePrivilege	5944	VC_redist.x86.exe
Token: SeProfSingleProcessPrivilege	5944	VC_redist.x86.exe
Token: SeIncBasePriorityPrivilege	5944	VC_redist.x86.exe
Token: SeCreatePagefilePrivilege	5944	VC_redist.x86.exe
Token: SeCreatePermanentPrivilege	5944	VC_redist.x86.exe
Token: SeBackupPrivilege	5944	VC_redist.x86.exe
Token: SeRestorePrivilege	5944	VC_redist.x86.exe
Token: SeShutdownPrivilege	5944	VC_redist.x86.exe
Token: SeDebugPrivilege	5944	VC_redist.x86.exe
Token: SeAuditPrivilege	5944	VC_redist.x86.exe
Token: SeSystemEnvironmentPrivilege	5944	VC_redist.x86.exe
Token: SeChangeNotifyPrivilege	5944	VC_redist.x86.exe
Token: SeRemoteShutdownPrivilege	5944	VC_redist.x86.exe
Token: SeUndockPrivilege	5944	VC_redist.x86.exe
Token: SeSyncAgentPrivilege	5944	VC_redist.x86.exe
Token: SeEnableDelegationPrivilege	5944	VC_redist.x86.exe
Token: SeManageVolumePrivilege	5944	VC_redist.x86.exe
Token: SeImpersonatePrivilege	5944	VC_redist.x86.exe
Token: SeCreateGlobalPrivilege	5944	VC_redist.x86.exe
Token: SeRestorePrivilege	5704	msiexec.exe
Token: SeTakeOwnershipPrivilege	5704	msiexec.exe
Token: SeRestorePrivilege	5704	msiexec.exe
Token: SeTakeOwnershipPrivilege	5704	msiexec.exe
Token: SeRestorePrivilege	5704	msiexec.exe
Token: SeTakeOwnershipPrivilege	5704	msiexec.exe
Token: SeRestorePrivilege	5704	msiexec.exe
Token: SeTakeOwnershipPrivilege	5704	msiexec.exe
Token: SeRestorePrivilege	5704	msiexec.exe
Token: SeTakeOwnershipPrivilege	5704	msiexec.exe
Token: SeRestorePrivilege	5704	msiexec.exe
Token: SeTakeOwnershipPrivilege	5704	msiexec.exe
Token: SeRestorePrivilege	5704	msiexec.exe
Token: SeTakeOwnershipPrivilege	5704	msiexec.exe
Token: SeRestorePrivilege	5704	msiexec.exe
Token: SeTakeOwnershipPrivilege	5704	msiexec.exe
Token: SeRestorePrivilege	5704	msiexec.exe
Token: SeTakeOwnershipPrivilege	5704	msiexec.exe
Token: SeRestorePrivilege	5704	msiexec.exe
Token: SeTakeOwnershipPrivilege	5704	msiexec.exe
Token: SeRestorePrivilege	5704	msiexec.exe
Token: SeTakeOwnershipPrivilege	5704	msiexec.exe
Token: SeRestorePrivilege	5704	msiexec.exe
Token: SeTakeOwnershipPrivilege	5704	msiexec.exe
Token: SeRestorePrivilege	5704	msiexec.exe
Token: SeTakeOwnershipPrivilege	5704	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe
1432	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5212	NDP481-x86-x64-AllOS-ENU.exe
6464	Setup.exe
5112	NDP481-x86-x64-AllOS-ENU.exe
5920	Setup.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 5152 wrote to memory of 2704	5152	VC_redist.x86.exe	144
PID 5152 wrote to memory of 2704	5152	VC_redist.x86.exe	144
PID 5152 wrote to memory of 2704	5152	VC_redist.x86.exe	144
PID 2704 wrote to memory of 5944	2704	VC_redist.x86.exe	146
PID 2704 wrote to memory of 5944	2704	VC_redist.x86.exe	146
PID 2704 wrote to memory of 5944	2704	VC_redist.x86.exe	146
PID 6076 wrote to memory of 6008	6076	VC_redist.x86 (1).exe	151
PID 6076 wrote to memory of 6008	6076	VC_redist.x86 (1).exe	151
PID 6076 wrote to memory of 6008	6076	VC_redist.x86 (1).exe	151
PID 6008 wrote to memory of 1772	6008	VC_redist.x86 (1).exe	152
PID 6008 wrote to memory of 1772	6008	VC_redist.x86 (1).exe	152
PID 6008 wrote to memory of 1772	6008	VC_redist.x86 (1).exe	152
PID 5944 wrote to memory of 1824	5944	VC_redist.x86.exe	159
PID 5944 wrote to memory of 1824	5944	VC_redist.x86.exe	159
PID 5944 wrote to memory of 1824	5944	VC_redist.x86.exe	159
PID 1824 wrote to memory of 32	1824	VC_redist.x86.exe	160
PID 1824 wrote to memory of 32	1824	VC_redist.x86.exe	160
PID 1824 wrote to memory of 32	1824	VC_redist.x86.exe	160
PID 32 wrote to memory of 5372	32	VC_redist.x86.exe	162
PID 32 wrote to memory of 5372	32	VC_redist.x86.exe	162
PID 32 wrote to memory of 5372	32	VC_redist.x86.exe	162
PID 920 wrote to memory of 2752	920	VC_redist.x64.exe	164
PID 920 wrote to memory of 2752	920	VC_redist.x64.exe	164
PID 920 wrote to memory of 2752	920	VC_redist.x64.exe	164
PID 2752 wrote to memory of 2272	2752	VC_redist.x64.exe	167
PID 2752 wrote to memory of 2272	2752	VC_redist.x64.exe	167
PID 2752 wrote to memory of 2272	2752	VC_redist.x64.exe	167
PID 2272 wrote to memory of 1608	2272	VC_redist.x64.exe	173
PID 2272 wrote to memory of 1608	2272	VC_redist.x64.exe	173
PID 2272 wrote to memory of 1608	2272	VC_redist.x64.exe	173
PID 1608 wrote to memory of 6048	1608	VC_redist.x64.exe	174
PID 1608 wrote to memory of 6048	1608	VC_redist.x64.exe	174
PID 1608 wrote to memory of 6048	1608	VC_redist.x64.exe	174
PID 6048 wrote to memory of 872	6048	VC_redist.x64.exe	175
PID 6048 wrote to memory of 872	6048	VC_redist.x64.exe	175
PID 6048 wrote to memory of 872	6048	VC_redist.x64.exe	175
PID 6288 wrote to memory of 4444	6288	vcredist_x64.exe	230
PID 6288 wrote to memory of 4444	6288	vcredist_x64.exe	230
PID 6288 wrote to memory of 4444	6288	vcredist_x64.exe	230
PID 5848 wrote to memory of 184	5848	vcredist_IA64.EXE	234
PID 5848 wrote to memory of 184	5848	vcredist_IA64.EXE	234
PID 5848 wrote to memory of 184	5848	vcredist_IA64.EXE	234
PID 6416 wrote to memory of 6896	6416	msiexec.exe	235
PID 6416 wrote to memory of 6896	6416	msiexec.exe	235
PID 6416 wrote to memory of 6896	6416	msiexec.exe	235
PID 5212 wrote to memory of 6464	5212	NDP481-x86-x64-AllOS-ENU.exe	289
PID 5212 wrote to memory of 6464	5212	NDP481-x86-x64-AllOS-ENU.exe	289
PID 5212 wrote to memory of 6464	5212	NDP481-x86-x64-AllOS-ENU.exe	289
PID 5112 wrote to memory of 5920	5112	NDP481-x86-x64-AllOS-ENU.exe	291
PID 5112 wrote to memory of 5920	5112	NDP481-x86-x64-AllOS-ENU.exe	291
PID 5112 wrote to memory of 5920	5112	NDP481-x86-x64-AllOS-ENU.exe	291

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\FREE POSEIDON BYPASSER.exe
"C:\Users\Admin\AppData\Local\Temp\FREE POSEIDON BYPASSER.exe"
1⤵
PID:3812

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1288,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:8
1⤵
PID:2288

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --field-trial-handle=4416,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:1
1⤵
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --field-trial-handle=4064,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:1
1⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --field-trial-handle=5448,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=5592 /prefetch:1
1⤵
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5736,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:8
1⤵
PID:2792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=6192,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=6212 /prefetch:1
1⤵
PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=6248,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=6216 /prefetch:1
1⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=6472,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=6456 /prefetch:1
1⤵
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=6380,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=6636 /prefetch:1
1⤵
PID:5456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5296,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=5256 /prefetch:8
1⤵
PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5680,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=5656 /prefetch:1
1⤵
PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=6840,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=6332 /prefetch:1
1⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=7040,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7008 /prefetch:8
1⤵
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=7048,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:8
1⤵
PID:5964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=7208,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7244 /prefetch:1
1⤵
PID:6088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=7252,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7368 /prefetch:1
1⤵
PID:6096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=5716,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7404 /prefetch:1
1⤵
PID:5420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=7576,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7584 /prefetch:1
1⤵
PID:5124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=7512,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7376 /prefetch:8
1⤵
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=7928,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7896 /prefetch:8
1⤵
PID:1132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=7932,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4500 /prefetch:1
1⤵
PID:4092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=7968,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7880 /prefetch:8
1⤵
PID:2620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=7744,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7720 /prefetch:1
1⤵
PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --field-trial-handle=8000,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8160 /prefetch:1
1⤵
PID:6052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7980,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8516 /prefetch:8
1⤵
PID:2052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=8104,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8544 /prefetch:1
1⤵
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=7960,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8340 /prefetch:1
1⤵
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --field-trial-handle=8636,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8656 /prefetch:1
1⤵
PID:6024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --field-trial-handle=8580,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8568 /prefetch:1
1⤵
PID:5076

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=8024,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8500 /prefetch:8
1⤵
PID:4588

C:\Users\Admin\Downloads\VC_redist.x86.exe
"C:\Users\Admin\Downloads\VC_redist.x86.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5152
- C:\Windows\Temp\{C0B2B398-AB09-4BE1-B994-57DCD7FE016B}\.cr\VC_redist.x86.exe
  "C:\Windows\Temp\{C0B2B398-AB09-4BE1-B994-57DCD7FE016B}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x86.exe" -burn.filehandle.attached=676 -burn.filehandle.self=684
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\Temp\{DCC86FA3-0C60-4340-B54B-57FD87E45799}\.be\VC_redist.x86.exe
    "C:\Windows\Temp\{DCC86FA3-0C60-4340-B54B-57FD87E45799}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{3972B445-74FD-4F8B-B81B-4EB32478B3E2} {1ACD4A3C-F313-4B25-A21C-B06FCEE4A685} 2704
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5944
  - - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
      "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={47109d57-d746-4f8b-9618-ed6a17cc922b} -burn.filehandle.self=1092 -burn.embedded BurnPipe.{F3DCA4F0-E200-4B25-AF93-170830CAAF9C} {BE2413AA-4E02-404F-8FF0-31EC2F93C2A3} 5944
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1824
    - - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={47109d57-d746-4f8b-9618-ed6a17cc922b} -burn.filehandle.self=1092 -burn.embedded BurnPipe.{F3DCA4F0-E200-4B25-AF93-170830CAAF9C} {BE2413AA-4E02-404F-8FF0-31EC2F93C2A3} 5944
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:32
      - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{66674612-C268-4FD7-9B45-4D4E70185B9F} {EB05823D-F2B0-4BEF-BDF4-A7FAC4C53B50} 32
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:6080

C:\Users\Admin\Downloads\VC_redist.x86 (1).exe
"C:\Users\Admin\Downloads\VC_redist.x86 (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6076
- C:\Windows\Temp\{D5CA698D-7CBB-472E-875C-12CF3D4EF5B5}\.cr\VC_redist.x86 (1).exe
  "C:\Windows\Temp\{D5CA698D-7CBB-472E-875C-12CF3D4EF5B5}\.cr\VC_redist.x86 (1).exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x86 (1).exe" -burn.filehandle.attached=568 -burn.filehandle.self=716
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6008
- - C:\Windows\Temp\{30CB421F-2C62-46C7-91B7-53F2293E0826}\.be\VC_redist.x86.exe
    "C:\Windows\Temp\{30CB421F-2C62-46C7-91B7-53F2293E0826}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{8902D44F-8B48-4760-B944-9D2B06CFFAAB} {27FB229D-199D-475C-9265-D80DB9221AC2} 6008
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1772

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:5704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=7472,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7508 /prefetch:1
1⤵
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=8256,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8536 /prefetch:8
1⤵
PID:5720

C:\Users\Admin\Downloads\VC_redist.x64.exe
"C:\Users\Admin\Downloads\VC_redist.x64.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\Temp\{F57917B9-5CEF-42F5-8A94-00B51D820951}\.cr\VC_redist.x64.exe
  "C:\Windows\Temp\{F57917B9-5CEF-42F5-8A94-00B51D820951}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x64.exe" -burn.filehandle.attached=572 -burn.filehandle.self=576
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\Temp\{438F939A-6B5B-4F8B-A361-091D292B349E}\.be\VC_redist.x64.exe
    "C:\Windows\Temp\{438F939A-6B5B-4F8B-A361-091D292B349E}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{3CAFED49-A86C-4A67-AA14-86F04A2D81E6} {876150EA-18EA-4031-98F1-3EC7B1994571} 2752
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
      "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=1088 -burn.embedded BurnPipe.{78C1ACD6-507D-441D-B168-F25623B3590E} {7357A9AA-50BE-465A-AE03-5499A5E366BE} 2272
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1608
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=564 -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=1088 -burn.embedded BurnPipe.{78C1ACD6-507D-441D-B168-F25623B3590E} {7357A9AA-50BE-465A-AE03-5499A5E366BE} 2272
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:6048
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{DC340DA9-6C6A-46AB-A965-D67EAE4F45CD} {97E71F21-6384-4BBE-9AD3-A5A63D90374F} 6048
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:872

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
1⤵
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --field-trial-handle=8308,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7456 /prefetch:1
1⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --field-trial-handle=8556,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8520 /prefetch:1
1⤵
PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --field-trial-handle=7752,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7440 /prefetch:1
1⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --field-trial-handle=8920,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8928 /prefetch:1
1⤵
PID:732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --field-trial-handle=7468,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8348 /prefetch:1
1⤵
PID:928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --field-trial-handle=9096,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7728 /prefetch:1
1⤵
PID:6236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --field-trial-handle=4088,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=2540 /prefetch:1
1⤵
PID:6404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --field-trial-handle=5008,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7736 /prefetch:1
1⤵
PID:6460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --field-trial-handle=9044,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7448 /prefetch:1
1⤵
PID:6536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --field-trial-handle=8788,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7820 /prefetch:1
1⤵
PID:6628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --field-trial-handle=8908,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8220 /prefetch:1
1⤵
PID:6704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --field-trial-handle=9328,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9368 /prefetch:1
1⤵
PID:6820

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x46c
1⤵
PID:6940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --field-trial-handle=9388,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8236 /prefetch:1
1⤵
PID:7048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --field-trial-handle=8188,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9488 /prefetch:1
1⤵
PID:7128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --field-trial-handle=8960,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:1
1⤵
PID:5804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --field-trial-handle=7476,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7500 /prefetch:1
1⤵
PID:6148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --field-trial-handle=9344,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9368 /prefetch:1
1⤵
PID:6048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --field-trial-handle=9296,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9544 /prefetch:1
1⤵
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --field-trial-handle=9760,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9644 /prefetch:1
1⤵
PID:2976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --field-trial-handle=9244,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8776 /prefetch:1
1⤵
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --field-trial-handle=9676,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7768 /prefetch:1
1⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --field-trial-handle=9712,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9976 /prefetch:1
1⤵
PID:2788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --field-trial-handle=9752,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9936 /prefetch:1
1⤵
PID:4064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --field-trial-handle=9952,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:1
1⤵
PID:4704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --field-trial-handle=9972,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10068 /prefetch:1
1⤵
PID:5324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --field-trial-handle=9956,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:1
1⤵
PID:6532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --field-trial-handle=8116,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8072 /prefetch:1
1⤵
PID:6444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=10000,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9600 /prefetch:8
1⤵
PID:6464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=9604,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10008 /prefetch:8
1⤵
PID:6336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=9540,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9064 /prefetch:8
1⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\FREE POSEIDON BYPASSER.exe
"C:\Users\Admin\AppData\Local\Temp\FREE POSEIDON BYPASSER.exe"
1⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --field-trial-handle=9668,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10064 /prefetch:1
1⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --field-trial-handle=9992,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9276 /prefetch:1
1⤵
PID:6872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=9164,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8616 /prefetch:8
1⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7948,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7448 /prefetch:8
1⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --field-trial-handle=9660,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9264 /prefetch:1
1⤵
PID:2020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --field-trial-handle=8004,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10076 /prefetch:1
1⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --field-trial-handle=10140,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10168 /prefetch:1
1⤵
PID:6100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --field-trial-handle=3884,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9700 /prefetch:1
1⤵
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --field-trial-handle=10364,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10380 /prefetch:1
1⤵
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --field-trial-handle=10060,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10148 /prefetch:1
1⤵
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --field-trial-handle=10228,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10220 /prefetch:1
1⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --field-trial-handle=10556,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10520 /prefetch:1
1⤵
PID:5156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --field-trial-handle=10564,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=3876 /prefetch:1
1⤵
PID:2504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --field-trial-handle=10528,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10576 /prefetch:1
1⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=7768,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10216 /prefetch:8
1⤵
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --field-trial-handle=11104,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10220 /prefetch:1
1⤵
PID:6616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --field-trial-handle=11080,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=11128 /prefetch:1
1⤵
PID:5736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --field-trial-handle=10396,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10148 /prefetch:1
1⤵
PID:5272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --field-trial-handle=10276,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9880 /prefetch:1
1⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --field-trial-handle=10972,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10984 /prefetch:1
1⤵
PID:6200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --field-trial-handle=11480,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=11316 /prefetch:1
1⤵
PID:440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=10592,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10020 /prefetch:8
1⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --field-trial-handle=10052,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10212 /prefetch:1
1⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --field-trial-handle=11888,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=11972 /prefetch:1
1⤵
PID:1932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --field-trial-handle=11912,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10124 /prefetch:1
1⤵
PID:7008

C:\Users\Admin\Downloads\vcredist_x64.exe
"C:\Users\Admin\Downloads\vcredist_x64.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:6288
- C:\Windows\SysWOW64\msiexec.exe
  msiexec /i vcredist.msi
  2⤵
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - System Location Discovery: System Language Discovery
  PID:4444

C:\Users\Admin\Downloads\vcredist_IA64.EXE
"C:\Users\Admin\Downloads\vcredist_IA64.EXE"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5848
- C:\Windows\SysWOW64\msiexec.exe
  msiexec /i vcredist.msi
  2⤵
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - System Location Discovery: System Language Discovery
  PID:184

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:6416
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8AFEB713690F137A49DABC16E2B835E6
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_Visual-C-Runtimes-All-in-One-May-2024.zip\install_all.bat" "
1⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\FREE POSEIDON BYPASSER.exe
"C:\Users\Admin\AppData\Local\Temp\FREE POSEIDON BYPASSER.exe"
1⤵
PID:516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --field-trial-handle=11260,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=11552 /prefetch:1
1⤵
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --field-trial-handle=11576,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10932 /prefetch:1
1⤵
PID:2508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --field-trial-handle=12244,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=11956 /prefetch:1
1⤵
PID:6900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=10956,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=12184 /prefetch:8
1⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --field-trial-handle=11364,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=11368 /prefetch:1
1⤵
PID:6064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --field-trial-handle=10892,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10512 /prefetch:1
1⤵
PID:6812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --field-trial-handle=11768,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=11268 /prefetch:1
1⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --field-trial-handle=11388,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=12132 /prefetch:1
1⤵
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --field-trial-handle=12296,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9996 /prefetch:1
1⤵
PID:5336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --field-trial-handle=11120,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10888 /prefetch:1
1⤵
PID:676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --field-trial-handle=11004,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=12532 /prefetch:1
1⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --field-trial-handle=10968,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=11508 /prefetch:1
1⤵
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --field-trial-handle=12552,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10948 /prefetch:1
1⤵
PID:4224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --field-trial-handle=11636,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10908 /prefetch:1
1⤵
PID:6784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --field-trial-handle=12256,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=12604 /prefetch:1
1⤵
PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --field-trial-handle=12624,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=12504 /prefetch:1
1⤵
PID:5624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --field-trial-handle=12348,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=11248 /prefetch:1
1⤵
PID:6568

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x46c
1⤵
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --field-trial-handle=12264,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=12812 /prefetch:1
1⤵
PID:5864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=12180,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=12736 /prefetch:8
1⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --field-trial-handle=12540,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=10900 /prefetch:1
1⤵
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=13096,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=13192 /prefetch:8
1⤵
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=118 --field-trial-handle=13284,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=13292 /prefetch:1
1⤵
PID:456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=119 --field-trial-handle=6896,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=13180 /prefetch:1
1⤵
PID:5384

C:\Users\Admin\AppData\Local\Temp\FREE POSEIDON BYPASSER.exe
"C:\Users\Admin\AppData\Local\Temp\FREE POSEIDON BYPASSER.exe"
1⤵
PID:1784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --field-trial-handle=4996,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8504 /prefetch:1
1⤵
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=120 --field-trial-handle=9020,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9272 /prefetch:1
1⤵
PID:1424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=122 --field-trial-handle=8644,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=6024 /prefetch:1
1⤵
PID:6924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=123 --field-trial-handle=4708,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=7316 /prefetch:1
1⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=124 --field-trial-handle=9200,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4292 /prefetch:1
1⤵
PID:5204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=125 --field-trial-handle=13100,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=12676 /prefetch:1
1⤵
PID:468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=126 --field-trial-handle=8136,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=13120 /prefetch:1
1⤵
PID:1192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=127 --field-trial-handle=7732,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8900 /prefetch:1
1⤵
PID:6556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=128 --field-trial-handle=13492,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=8280 /prefetch:1
1⤵
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=13704,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=9852 /prefetch:8
1⤵
PID:1704

C:\Users\Admin\Downloads\NDP481-x86-x64-AllOS-ENU.exe
"C:\Users\Admin\Downloads\NDP481-x86-x64-AllOS-ENU.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5212
- F:\7ffe69bbb56cbe6114ec77bc0755de85\Setup.exe
  F:\7ffe69bbb56cbe6114ec77bc0755de85\\Setup.exe /x86 /x64 /redist
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:6464

C:\Users\Admin\Downloads\NDP481-x86-x64-AllOS-ENU.exe
"C:\Users\Admin\Downloads\NDP481-x86-x64-AllOS-ENU.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5112
- F:\88b1624370930ae05e\Setup.exe
  F:\88b1624370930ae05e\\Setup.exe /x86 /x64 /redist
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:5920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e59fe60.rbs

Filesize
16KB

MD5
773b18b6ac7e4a23401d8882a479d74e

SHA1
d696ac28d936539449d2f906144ef86b99c1fa04

SHA256
ef7b9388f8674a6d8cb284d0b31008ba31c2fde094196ed837e681c423610079

SHA512
1b183cf36f2ce5cc69fa14822e2ccf10e2664b69740c06408325cbb84b12947c9cecd5665d19ab83bcda6b548d00847a42fccc4f7f73f4b39f120425d06ac79e

Download Submit
C:\Config.Msi\e59fe65.rbs

Filesize
18KB

MD5
7384d3e7698bb69b55d7b06d085b69d9

SHA1
a327403a978d1c20947dd48c4c08699f3e5d88c8

SHA256
870755e98782fa5f1a136167a8a9c60dcc728c1a41064fb8cad8ec51fc5b0fc0

SHA512
7f87e2fd33f9f737b3d01aa6cb52ce5f8bff83d37c6124ec15aca5774435173a194941edee901376571e1afd68fda5d2409190248ca317d6819c48390ea9f94e

Download Submit
C:\Config.Msi\e59fe72.rbs

Filesize
20KB

MD5
c71f2821eb9a73095dd0cdf4d8f97d77

SHA1
4aa5b260211e34a564af4e082b251b3a99fa6ac6

SHA256
c4393c52917abc003000da24dfe9aba9df91367351e014bdf08da64aad040519

SHA512
b3c4d2e807f4591fac61d839cd82383cd3b1c866113b08ab8c5fee5a93fdcf45cd3376157c0c8a97c8ea4e7fe197077d0f9e7becaee38f2cc3632051b1a24db6

Download Submit
C:\Config.Msi\e59fe81.rbs

Filesize
19KB

MD5
19f94e2072559ac5fc60e96f36f511ce

SHA1
ba0d4ebff22fd00f3a50e7b52eca873b0ee9ab65

SHA256
88acfb13b547b2e4e641e429b375b921063bdd8db4c101615688f6c041cda792

SHA512
981d2f870960056915c09abe2b70559cf674f0ab8365e3543c7f1423edbc79328123c4ae6feef309286415097975bfc5eaabb3b509bcd4b5301239ad9d8f62ac

Download Submit
C:\Config.Msi\e59fe85.rbs

Filesize
3KB

MD5
f53e54d15c142a4449a043b24fd76677

SHA1
c7bbc3a0cb8e9824893903f32de8d8c567613ddb

SHA256
2bee557dbee8360886dd77708880f3cb3f227ef92cc867001ccca41f6f878503

SHA512
6bf69fe99f78e440aa0d2c7d99e16282113ec709c72b38a346a9f90b1e20186a7274fb0bdb85b26bf80ae2a6ba62de91a8ec39078dedb3b4bd631b7c591d917d

Download Submit
C:\Config.Msi\e59fe8b.rbs

Filesize
19KB

MD5
6fb42b95954982e8a517970571a1a645

SHA1
2a934d692192ef476c49a3b2bf86ea7f33f2a6b2

SHA256
1832d03bb9125c2dc32ce4800c8743461038d93eaa1a1ee2ae6a186c65262fda

SHA512
a5a78d2bfe3c9ec52875ad45c8d9a77c4e80ef3b2e112086155d8786bfb4d7107dfa1812eadf5470f1198adf15aae45330f3b56b8073bae4af1709888304bf39

Download Submit
C:\Config.Msi\e59fe97.rbs

Filesize
19KB

MD5
ed7050178725958057b9399b722e1ade

SHA1
dfa5d5213286662f22cff608bcc6cda54e1b23d1

SHA256
9308744c5b06704f1cb769dc5d51947c90a07435c4b0dea25a2e3a60c26e832b

SHA512
0e5436c426f20e9606a5c0cef2597e047ff6d8c6125c2874910e0bcb85242a5fb9c66c6af726c65d8ee32af2961ba5d7818841c8ae08ca61f81cc523b74fedd1

Download Submit
C:\Config.Msi\e59fe9e.rbs

Filesize
21KB

MD5
5983d8f7d917ffdf2e95402c3541e64b

SHA1
59dfa7838d0b205d998decf3331f52c187522aa2

SHA256
7f1b2c5ea6bf488ee0348a21a5df2835d0b571726e4e3d109ac808516afb7321

SHA512
1215d6c382c141dc740fa85b6680648a68883d9b815fce021b687211f4b87a1350f73c049b1c8f21f7a07ba703c2d1a9f6c930aa582d8caa52dbbc4d289022fd

Download Submit
C:\Config.Msi\e59fead.rbs

Filesize
21KB

MD5
306b7f0ddaeb66e1c8c5204536296c57

SHA1
3f8052317ff63da87a65aeaeb8bf7b8b1535cff2

SHA256
03baeb6ed69553e7718169e0840d8e45995e2771bca28d61317da5abb7a120c2

SHA512
3048cebd90a14fba425e7aa81e5f18868714dffc74b4ab9b8369ade837ad246ff02f464654f9ea772e4810aea0034167d2d24e57e455a4949692238f01e7247c

Download Submit
C:\Config.Msi\e59feb1.rbs

Filesize
3KB

MD5
fc701123a869171ed0b2d80d4f4f9d70

SHA1
54d44fbf9e89dff5886e48a792635770ab576cb1

SHA256
8167fc35b72477760613e80e9b6d248014cb1e7dd8dd1996b53becd6b58a6c36

SHA512
ba02c4ec8c4c04f7526b38bcda2dce34d891007f7d8cad04d26f61ad3d99f4ccdb458ff2589f6e29416eee62d3fc692b49616316aa2fdd3e8964bb970d4ca9e5

Download Submit
C:\Config.Msi\e5f1326.rbs

Filesize
73KB

MD5
d647da0b389a13ac96b6887bc7e87654

SHA1
ee5e6fad228efaa3449fdbdf5da58a1d39179bcc

SHA256
449859fd30750cbba17f71fa0d67af42f29d23beca21c20a680d401440666b8f

SHA512
1ee9157f7c001067b38d31ecc8668b7c6adac47de555a4d10e07f909992b73fe9317fa3c6f36040589b1c5380dec17ae167c0cb1fe08df88106c720ce9b180a0

Download Submit
C:\ProgramData\Package Cache\{47109d57-d746-4f8b-9618-ed6a17cc922b}\state.rsm

Filesize
884B

MD5
5e85efa9bc6df5f36a6adb7be1a7744b

SHA1
a37ac573392b173359f5fda281147f46f3f4fecc

SHA256
9ea2beaee1d023d0d4cdcfb6bc76fb0b4d6b1e8b1b13f398c497d47e09898875

SHA512
51c54a3104c65c2d8f896089e160c1bc44213ff8f87b52e8a4c45459237d30a67b1d1bbf8edb2cff214a872557befe94c332478d154d0a88236b39ac777b6361

Download Submit
C:\ProgramData\Package Cache\{47109d57-d746-4f8b-9618-ed6a17cc922b}\state.rsm

Filesize
876B

MD5
c2de5d31f2127d227ee1ffbd912d7912

SHA1
6e25631fa73cc46c7c70f02b79035b5765ca772e

SHA256
0b3277b517d52bc7f93b402d55abd0ca66b9c4b775ecb7d94a886ba5aa24c6c8

SHA512
6350d8169d380213d41ffe9b06cb621a733bf265bfe8f921ef7f450f35b5534e922d72869946ed4ead51e2d4b20855c76acc9baa1ad658e4ece668a9361a46e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\HFIFC69.tmp.html

Filesize
17KB

MD5
f318d03e95d1521f80700363e6ecfe29

SHA1
b0e3fb4f29370b55e22a5e86eb9b960d5f9e6a4d

SHA256
2ef5ef12dffb837048b75f1d6d2a2cacd408f1c0f906650e8dd2677c56b36e13

SHA512
8115292c5304c1f24ccde5f3941018486cda2733a8730ede3eab583f7aa4b738ed532ba7470aa6c8d1224cd0e4452d93c63e189d5348e86c42aee88e24157942

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab

Filesize
312KB

MD5
77a9bff5af149160775741e204734d47

SHA1
7b5126af69b5a79593f39db94180f1ff11b0e39d

SHA256
20a26ed9a1edf7763a9b515522c5e29720048a482c7fbc8b7ff6bbdd27e61038

SHA512
bb0440f58f07e113bddd9a0afb5aab8af6493218784fe5fa6f4032e3a37088f91b7e766dee87cec4a9ea11d425d27b3b536430de3a52222e8bca3e0247d81e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi

Filesize
3.0MB

MD5
6dbdf338a0a25cdb236d43ea3ca2395e

SHA1
685b6ea61e574e628392eaac8b10aff4309f1081

SHA256
200fef5d4994523a02c4daa00060db28eb289b99d47fc6c1305183101e72bdeb

SHA512
6b5b31c55cf72ab92b17fb6074b3901a1e6afe0796ef9bc831e4dfb97450376d2889cd24b1cf3fce60eb3c1bcd1b31254b5cfa3ef6107974dfa0b35c233daf5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vcredist.msi

Filesize
6.1MB

MD5
3a56b28f1249d13ef1a4475c99175d3c

SHA1
5fdde80286e24bd5446150aa9e70e8b44157e793

SHA256
c894f1bc63fb6e6ddbf945097922e64a07e3124b43a1f1bd278439a84de87862

SHA512
abc6e7d483dcb9712da9312ef164597daecb788ba30a9dd4684fb157337712932d74a2258c805b636621a72746914942a97790c4b1d4525fbafa5d098c31bef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240908025723_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
bf66b190330bdaae3ab5db87aa24a27b

SHA1
2cf61a25db562679fb7dcf267b8b8cccd7587bbf

SHA256
2f557017c33498cf9e3a494c08744139e460063944c3a44557dc1d6cc2db44c9

SHA512
2d991a3c1a70c3c244eb69b169bda0194023daf204401fcf64f73c93fc30e3f8702b4577bd75f0196b602007dd4ad349287f8e959e0e3e6a5cc68d879399788b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240908025723_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
cd6d409f4903f924ce2899081e61d7fa

SHA1
a9d43758fb4072c5187cb951796fe710b446f41b

SHA256
6594f6b8e76ddb2f456f8a857377a30fe1b444dc49d996f11722c85052ab3169

SHA512
38bdde2edc12a8a92aba58efbf1898e81cbb801620ca24838af6ebd4b6c189679c33662db818210d2d9d0883796e7ce32def3eb6e24cd598e47a9c544462f8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240908025658_000_vcRuntimeMinimum_x86.log

Filesize
2KB

MD5
478c8715096d039718fae9b25d6a45a2

SHA1
de8616e00651b02328dc87a95d2406337928bf54

SHA256
641049b3686a3a44040bdb68815bd60e4c6b71d9e936a29b323e8c858090d9f0

SHA512
68a67fedba75bfef20577c1eedafe9418ef3cacb1aaedd23dc796c818c32e3a3be58461d1b7f005267d956dd3664d3c47ba8344a84434bb058e0685ec297a9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240908025658_001_vcRuntimeAdditional_x86.log

Filesize
2KB

MD5
6ea15677852d371a1f1e8edbccf51974

SHA1
e3578f1fd165af42ea3b04da0b7fc9039bcd4398

SHA256
c6eb7dad3020e8d1e3f9eee75f985250f894d33a5bd45d33e0698cc0a2cad339

SHA512
45d0ab00686a840d24a3dca9ed4ad4bfdc6c39c52da3207ff2fe827352081a351350a78f3a009a519c64d154210f4bfac4f6b1d98c2586d7ac9ca3e162b0fe41

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240908025704_000_vcRuntimeMinimum_x86.log

Filesize
6KB

MD5
dbf8bb5a65d49ac2699c0ad36782d4c6

SHA1
8746758a28772ab6699377ed0488144f60612ed3

SHA256
4244726296599f7758add9d4aa4d5b492652e9aa8ca081b2f32d356a180221fc

SHA512
fc919a22edb142ad178db9bc787695bc54ae9e88f97bbc567e882b59991bba9d3315c46f02058d42b8ece86398de9bbfb0014dfe332ca1813a47f7e2c6a12481

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240908025704_001_vcRuntimeAdditional_x86.log

Filesize
2KB

MD5
7baae1404c032d4e1929721cff7eba2f

SHA1
19d5e13f005aeb84a762d90553059648b9339166

SHA256
fd9314d4f51f1250458ce2801a8a9abbcd611a8b7b02af43d8f16db20b0094b7

SHA512
940f6179867a7aee13df0160ecfb8c15e0a422783acc6b155bb093f723727400c6dd060fc7d9a2dc7edbbedbd2c18be1b840a61eed14fb25a3b7644d9b6f90ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240908025704_001_vcRuntimeAdditional_x86.log

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20240908025704_001_vcRuntimeAdditional_x86.log

Filesize
2KB

MD5
d0875dc963da67e07277ae92eb979b04

SHA1
7b9e0e36c871817a71dd2f0bc9883aa710c5cbdf

SHA256
453197c60af38f9c09c68c9b6756243b3f2a1ccec56d9e9a50d0c15bef232d6b

SHA512
d395fb5e593156bd932c0eaacc8fa112be4db17eede39e6f22c58951a1c751649cebfb900b7c4c742d49b9bbfeb7dca291540d495ceaee05c3bc6f457f3c9cf6

Download Submit
C:\Windows\Installer\MSI2A55.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Filesize
155KB

MD5
bea3a2b145b87cb593746d656804fe5e

SHA1
2cf03530c303706baff43fac23a6716a60d0892e

SHA256
a5c96468875d9a32c438426f76fdf0ae49b19b972127e034ae668e1fe699b013

SHA512
cf9ee2e963c23c48185bab6d656a348ee055be1ac00b180605087ca92ccb6e070c69633456d142296650537b3a41ffde9fc47b2c40d60fc086a4fa8823f8cdff

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1028\license.rtf

Filesize
17KB

MD5
2b063d92663595dfe4781ae687a03d86

SHA1
0fb582e756dbc751ea380593ac4da27ddb4ebb06

SHA256
44c76290f7a2e45940e8338912feb49bcf4e071cfa85d2d34762857743acbc8d

SHA512
94c8fda6173c7f5740f206190edcd1f1f1c309596b710d400e23cd363a619d707a5d4576d4fe63ab7cb68947f009efd29a1fbe04743a294698bf2ae17e92c214

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1028\thm.wxl

Filesize
2KB

MD5
472abbedcbad24dba5b5f5e8d02c340f

SHA1
974f62b5c2e149c3879dd16e5a9dbb9406c3db85

SHA256
8e2e660dfb66cb453e17f1b6991799678b1c8b350a55f9ebe2ba0028018a15ad

SHA512
676e29378aaed25de6008d213efa10d1f5aad107833e218d71f697e728b7b5b57de42e7a910f121948d7b1b47ab4f7ae63f71196c747e8ae2b4827f754fc2699

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1029\license.rtf

Filesize
12KB

MD5
e7dc9ca9474a13fa4529d91bcd2ab8cc

SHA1
511f5de8a99c09ec3766c5e2494a79eacca261c8

SHA256
503c433dcde2f3a9e7d388a5ff2b0612e7d8f90f5188d5b2b60228db33044fde

SHA512
77108e53cd58e42f847d8ef23a07723c4849dc41dbe1c3ef939b9170e75f525bec9d210d6c1fbfeb330ece2e77b8a8e2808730d9e6f72f5b3fe626d58b6068c6

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1029\thm.wxl

Filesize
3KB

MD5
16343005d29ec431891b02f048c7f581

SHA1
85a14c40c482d9351271f6119d272d19407c3ce9

SHA256
07fb3ec174f25dfbe532d9d739234d9dfda8e9d34f01fe660c5b4d56989fa779

SHA512
ff1ae9c21dcfb018dd4ec82a6d43362cb8c591e21f45dd1c25955d83d328b57c8d454bbe33fbc73a70dadf1dfb3ae27502c9b3a8a3ff2da97085ca0d9a68ab03

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1031\license.rtf

Filesize
12KB

MD5
2ddca2866d76c850f68acdfdb696d6de

SHA1
c5076f10b0f0654cde2c990deeb2772f3cc4844b

SHA256
28f63bad9c2960395106011761993049546607f8a850d344d6a54042176bf03f

SHA512
e3a3693b92873e0b42007616ff6916304edc5c4f2eee3e9276f87e86dd94c2bf6e1cf4e895cdf9a1aa0cac0b381b8840eee1f491123e901dee75638b8bc5ce1b

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1031\thm.wxl

Filesize
3KB

MD5
561f3f32db2453647d1992d4d932e872

SHA1
109548642fb7c5cc0159beddbcf7752b12b264c0

SHA256
8e0dca6e085744bfcbff46f7dcbcfa6fbd722dfa52013ee8ceeaf682d7509581

SHA512
cef8c80bef8f88208e0751305df519c3d2f1c84351a71098dc73392ec06cb61a4aca35182a0822cf6934e8ee42196e2bcfe810cc859965a9f6f393858a1242df

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1036\license.rtf

Filesize
12KB

MD5
a6e352e5804313ccde3e4d5dddde122d

SHA1
834e3aaa07dc675589a9e5fcd23ce5586c2739e8

SHA256
5c13a65870d770d1642a4259eecb436257ca39016a0500f747be9c79be0c7009

SHA512
6578ac6467f61930bc1b20e404441725c63790c65aec1ace297429ead15f50e68d5fe9cc1451ac86ae23dc1a7fe967650166293010d687785fb81fb4492b87c4

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1036\thm.wxl

Filesize
3KB

MD5
7b46ae8698459830a0f9116bc27de7df

SHA1
d9bb14d483b88996a591392ae03e245cae19c6c3

SHA256
704ddf2e60c1f292be95c7c79ee48fe8ba8534ceb7ccf9a9ea68b1ad788ae9d4

SHA512
fc536dfadbcd81b42f611ac996059a6264e36ecf72a4aee7d1e37b87aefed290cc5251c09b68ed0c8719f655b163ad0782acd8ce6332ed4ab4046c12d8e6dbf6

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1040\license.rtf

Filesize
11KB

MD5
bc58ad6abb16b982aebadc121b37e706

SHA1
25e3e4127a643db5db2a0b62b02de871359fae42

SHA256
70ecf23c03b66a2b18e173332586afa8f00f91e02a80628f4f9cb2521e27f6ac

SHA512
8340452cb5e196cb1d5da6dbb3fa8872e519d7903a05331055370b4850d912674f0b6af3d6e4f94248fe8135eb378eb36969821d711fe1624a04af13bbe55d70

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1040\thm.wxl

Filesize
3KB

MD5
d90bc60fa15299925986a52861b8e5d5

SHA1
fadfca9ab91b1ab4bd7f76132f712357bd6db760

SHA256
0c57f40cc2091554307aa8a7c35dd38e4596e9513e9efae00ac30498ef4e9bc2

SHA512
11764d0e9f286b5aa7b1a9601170833e462a93a1e569a032fcba9879174305582bd42794d4131b83fbcfbf1cf868a8d5382b11a4bd21f0f7d9b2e87e3c708c3f

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1041\license.rtf

Filesize
29KB

MD5
47c315c54b6f2078875119fa7a718499

SHA1
f650ddb5df2af2ee7555c410d034b37b9dfd055b

SHA256
c3061a334bfd5f02b7085f8f454d5d3d97d477af14bab497bf31a7887bc90c5b

SHA512
a0e4b0fcccfdd93baf133c2080403e8719e4a6984237f751bd883c0d3c52d818efd00f8ba7726a2f645f66286305599403470f14d39eedc526dde59228a5f261

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1041\thm.wxl

Filesize
3KB

MD5
dc81ed54fd28fc6db6f139c8da1bded6

SHA1
9c719c32844f78aae523adb8ee42a54d019c2b05

SHA256
6b9bbf90d75cfa7d943f036c01602945fe2fa786c6173e22acb7afe18375c7ea

SHA512
fd759c42c7740ee9b42ea910d66b0fa3f813600fd29d074bb592e5e12f5ec09db6b529680e54f7943821cefe84ce155a151b89a355d99c25a920bf8f254aa008

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1042\license.rtf

Filesize
27KB

MD5
641d926354f001034cf3f2f3b0ff33dc

SHA1
5505107fff6cf279769a82510276f61ea18637ae

SHA256
3d4e9c165cbeab829d608106f0e96450f839ffa8adbd755f0b51867e89da2ae0

SHA512
b0339664434b096abc26d600f7657919ef3689b4e0fdfd4edd8e479859a51ef51be8f05fa43e25567ffd6c1c2bcc6ef0d7a857b6d666d264c7783bad3a383d0e

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1042\thm.wxl

Filesize
3KB

MD5
b3399648c2f30930487f20b50378cec1

SHA1
ca7bdab3bfef89f6fa3c4aaf39a165d14069fc3d

SHA256
ad7608b87a7135f408abf54a897a0f0920080f76013314b00d301d6264ae90b2

SHA512
c5b0ecf11f6dadf2e68bc3aa29cc8b24c0158dae61fe488042d1105341773166c9ebabe43b2af691ad4d4b458bf4a4bf9689c5722c536439ca3cdc84c0825965

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1045\license.rtf

Filesize
13KB

MD5
f140fd8ca2c63a861d04310257c1b1db

SHA1
7bf7ef763a1f80ecaca692908f8f0790a88c3ca1

SHA256
6f94a99072061012c5626a6dd069809ec841d6e3102b48394d522a0c2e3aa2b5

SHA512
a0bd65af13cc11e41e5021df0399e5d21b340ef6c9bbe9b1b56a1766f609ceb031f550a7a0439264b10d67a76a6403e41aba49b3c9e347caedfe9af0c5be1ee6

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1045\thm.wxl

Filesize
3KB

MD5
15172eaf5c2c2e2b008de04a250a62a1

SHA1
ed60f870c473ee87df39d1584880d964796e6888

SHA256
440b309fcdf61ffc03b269fe3815c60cb52c6ae3fc6acad14eac04d057b6d6ea

SHA512
48aa89cf4a0b64ff4dcb82e372a01dff423c12111d35a4d27b6d8dd793ffde130e0037ab5e4477818a0939f61f7db25295e4271b8b03f209d8f498169b1f9bae

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1046\license.rtf

Filesize
10KB

MD5
9a8d2acf07f3c01e5cbc461ab932d85b

SHA1
8781a298dcc14c18c6f6db58b64f50b2fc6e338e

SHA256
27891eec899be859e3b4d3b29247fc6b535d7e836def0329111c48741ec6e701

SHA512
a60262a0c18e3bef7c6d52f242153ebe891f676ed639f2dacfebbac86e70eebf58aa95a7fe1a16e15a553c1bd3ecaccd8677eb9d2761cb79cb9a342c9b4252e2

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1046\thm.wxl

Filesize
3KB

MD5
be27b98e086d2b8068b16dbf43e18d50

SHA1
6faf34a36c8d9de55650d0466563852552927603

SHA256
f52b54a0e0d0e8f12cba9823d88e9fd6822b669074dd1dc69dad6553f7cb8913

SHA512
3b7c773ef72d40a8b123fdb8fc11c4f354a3b152cf6d247f02e494b0770c28483392c76f3c222e3719cf500fe98f535014192acddd2ed9ef971718ea3ec0a73e

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1049\license.rtf

Filesize
31KB

MD5
62229be4447c349df353c5d56372d64b

SHA1
989799ed24913a0e6ae2546ee2a9a8d556e1cb3b

SHA256
1bb3fb55b8a13fa3bafffe72f5b1ed8b57a63bd4d8654bb6dc5b9011ce803b44

SHA512
fa366328c3fd4f683fdb1c5a64f5d554de79620331086e8b4ccc2bfc2595b1fded02cec8aa982fcd8b13cc175d222af2d7e2cd1a33b52f36afd692b533fdbf13

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1049\thm.wxl

Filesize
4KB

MD5
17c652452e5ee930a7f1e5e312c17324

SHA1
59f3308b87143d8ea0ea319a1f1a1f5da5759dd3

SHA256
7333bc8e52548821d82b53dbd7d7c4aa1703c85155480cb83cefd78380c95661

SHA512
53fd207b96d6bcf0a442e2d90b92e26cbb3ecc6ed71b753a416730e8067e831e9eb32981a9e9368c4cca16afbcb2051483fdcfc474ea8f0d652fca934634fbe8

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1055\license.rtf

Filesize
13KB

MD5
9625f3a496dbf5e3e0d2f33d417edbbf

SHA1
119376730428812a31b70d58c873866d5307a775

SHA256
f80926604e503697247353f56856b31de0b3fc1319f1c94068363952549cc9b1

SHA512
db91a14fc27e3a62324e024dd44e3b5548af7e1c021201c3d851bd2f32537885aacfc64adae619bac31b60229d1d5fc653f5301cd7187c69bd0acecce817d6a3

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\1055\thm.wxl

Filesize
3KB

MD5
defbea001dc4eb66553630ac7ce47cca

SHA1
90ced64ec7c861f03484b5d5616fdbcda8f64788

SHA256
e5abe3cb3bf84207dac4e6f5bba1e693341d01aea076dd2d91eaa21c6a6cb925

SHA512
b3b7a22d0cdada21a977f1dceaf2d73212a4cddbd298532b1ac97575f36113d45e8d71c60a6d8f8cc2e9dbf18ee1000167cfbf0b2e7ed6f05462d77e0bca0e90

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\2052\license.rtf

Filesize
17KB

MD5
d083c7e300928a0c5aea5ecbd1653836

SHA1
08f4f1f9f7dfa593be3977515635967ce7a99e7a

SHA256
a808b4933ce3b3e0893504dbef43ebf90b8b567f94bd6481b6315ed9141e1b11

SHA512
8cb3ffad879baba36137b7a21b62d9d6c530693f5e16fbb975f3e7c20f1db5a686f3a6ee406d69b018aa494e4cd185f71b369a378ae3289b8080105157e63fd0

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\2052\thm.wxl

Filesize
2KB

MD5
3d1e15deeace801322e222969a574f17

SHA1
58074c83775e1a884fed6679acf9ac78abb8a169

SHA256
2ac8b7c19a5189662de36a0581c90dbad96df259ec00a28f609b644c3f39f9ca

SHA512
10797919845c57c5831234e866d730ebd13255e5bf8ba8087d53f1d0fc5d72dc6d5f6945dbebee69acc6a2e20378750c4b78083ae0390632743c184532358e10

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\3082\license.rtf

Filesize
10KB

MD5
873a413d23f830d3e87dab3b94153e08

SHA1
24cfc24f22cef89818718a86f55f27606eb42668

SHA256
abc11bb2b04dff6afe2d4d4f40d95a7d62e5af352928af90daa3dade58dd59bd

SHA512
dc1eccb5cc4d3047401e2bc31f5eb3e21c7881c02744a2e63c10d3c911d1158dcfac023988e873c33dc381c989304fe1d3cb27ed99d7801285c4c378553cd821

Download Submit
C:\Windows\Temp\{03F5D4E6-4EBA-4449-AD03-C55FA1365168}\.ba\3082\thm.wxl

Filesize
3KB

MD5
47f9f8d342c9c22d0c9636bc7362fa8f

SHA1
3922d1589e284ce76ab39800e2b064f71123c1c5

SHA256
9cbb2b312c100b309a1b1495e84e2228b937612885f7a642fbbd67969b632c3a

SHA512
e458df875e9b0622aebe3c1449868aa6a2826a1f851db71165a872b2897cf870ccf85046944ff51ffc13bb15e54e9d9424ec36caf5a2f38ce8b7d6dc0e9b2363

Download Submit
C:\Windows\Temp\{438F939A-6B5B-4F8B-A361-091D292B349E}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
d5a3fd8ad806f66d33d652d5913a95b3

SHA1
7b1bb6cdbe700acc2434dc52c40cdd96a6462a17

SHA256
cc001c20f85e16015e0d23eb0c3a9bc3c3cdcc1adda53f88ac77dd29705ba01a

SHA512
594d710133f44049546c62c3c89614415ad776c24f3ada0a8d1724e6daf27f941eba43a05a096d90cdf51ad51c02462edd6308e2aa393cb8325fde256ed77037

Download Submit
C:\Windows\Temp\{438F939A-6B5B-4F8B-A361-091D292B349E}\cab5046A8AB272BF37297BB7928664C9503

Filesize
962KB

MD5
8eccd85b6c4273a28a54b0687feb6a96

SHA1
be791128af5713d407df2f7436ea8de1a80ca725

SHA256
8fafd6d0754ee53125902df1b67ef2db86eb7af4c097522f2fb58443501fecdd

SHA512
9fdcb359a5748d0d920e1e12cf31de42fa224840fd11e5878f7caff7c4495b4facacf1a58cdaf0caadd0d9a3af871870b755245d2c1af33f07f3229b85101da0

Download Submit
C:\Windows\Temp\{438F939A-6B5B-4F8B-A361-091D292B349E}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
5fc68510b7425822a9d0928567ffbd1b

SHA1
f506d97ceac3c435ce6bafda7c47d9a35fc57714

SHA256
7489cdde6a0c8aadb3253f22c460c2dc8099ba677f42d46b277f7040327c9b28

SHA512
4dd4d99ace30eb1add9ae225f159f68636d42d1899acb50f616717f05045e402a2bbb76e4d86569a08ae74bb161b3911a73910fcc7044429da34159cf6b9f473

Download Submit
C:\Windows\Temp\{438F939A-6B5B-4F8B-A361-091D292B349E}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
0d00edf7e9ad7cfa74f32a524a54f117

SHA1
eea03c0439475a8e4e8e9a9b271faaa554539e18

SHA256
e55a6c147daab01c66aed5e6be0c990bbed0cb78f1c0898373713343ef8556cd

SHA512
0b6730fa8d484466a1ee2a9594572fa40fb8eea4ec70b5d67f5910436ee1d07c80a029cf1f8e488a251439ac1121fd0a76a726836e4cb72dd0fe531ce9692f6a

Download Submit
C:\Windows\Temp\{C0B2B398-AB09-4BE1-B994-57DCD7FE016B}\.cr\VC_redist.x86.exe

Filesize
634KB

MD5
337b547d2771fdad56de13ac94e6b528

SHA1
3aeecc5933e7d8977e7a3623e8e44d4c3d0b4286

SHA256
81873c2f6c8bc4acaad66423a1b4d90e70214e59710ea7f11c8aeb069acd4cd0

SHA512
0d0102fafb7f471a6836708d81952f2c90c2b126ad1b575f2e2e996540c99f7275ebd1f570cafcc945d26700debb1e86b19b090ae5cdec2326dd0a6a918b7a36

Download Submit
C:\Windows\Temp\{D8E92BB5-F6E5-450E-847F-47BF1F33C895}\.ba\license.rtf

Filesize
9KB

MD5
04b33f0a9081c10e85d0e495a1294f83

SHA1
1efe2fb2d014a731b752672745f9ffecdd716412

SHA256
8099dc3cf9502c335da829e5c755948a12e3e6de490eb492a99deb673d883d8b

SHA512
d1dbed00df921169dd61501e2a3e95e6d7807348b188be9dd8fc63423501e4d848ece19ac466c3cacfccc6084e0eb2f457dc957990f6f511df10fd426e432685

Download Submit
C:\Windows\Temp\{D8E92BB5-F6E5-450E-847F-47BF1F33C895}\.ba\thm.wxl

Filesize
2KB

MD5
fbfcbc4dacc566a3c426f43ce10907b6

SHA1
63c45f9a771161740e100faf710f30eed017d723

SHA256
70400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce

SHA512
063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e

Download Submit
C:\Windows\Temp\{D8E92BB5-F6E5-450E-847F-47BF1F33C895}\.ba\thm.xml

Filesize
8KB

MD5
f62729c6d2540015e072514226c121c7

SHA1
c1e189d693f41ac2eafcc363f7890fc0fea6979c

SHA256
f13bae0ec08c91b4a315bb2d86ee48fade597e7a5440dce6f751f98a3a4d6916

SHA512
cbbfbfa7e013a2b85b78d71d32fdf65323534816978e7544ca6cea5286a0f6e8e7e5ffc4c538200211f11b94373d5658732d5d8aa1d01f9ccfdbf20f154f1471

Download Submit
C:\Windows\Temp\{DCC86FA3-0C60-4340-B54B-57FD87E45799}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{DCC86FA3-0C60-4340-B54B-57FD87E45799}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{DCC86FA3-0C60-4340-B54B-57FD87E45799}\cab54A5CABBE7274D8A22EB58060AAB7623

Filesize
822KB

MD5
25bd21af44d3968a692e9b8a85f5c11d

SHA1
d805d1624553199529a82151f23a1330ac596888

SHA256
f4576ef2e843c282d2a932f7c55d71cc3fcbb35b0a17a0a640eb5f21731cc809

SHA512
ed3660183bf4e0d39e4f43a643007afc143b1d4ec0b45f0fdce28d8e896f646ec24a2a7a5429e8b10f4379cb4ffd1572adba10fc426990d05c0cafefdd87a4fb

Download Submit
C:\Windows\Temp\{DCC86FA3-0C60-4340-B54B-57FD87E45799}\cabB3E1576D1FEFBB979E13B1A5379E0B16

Filesize
4.9MB

MD5
3a7979fbe74502ddc0a9087ee9ca0bdf

SHA1
3c63238363807c2f254163769d0a582528e115af

SHA256
7327d37634cc8e966342f478168b8850bea36a126d002c38c7438a7bd557c4ca

SHA512
6435db0f210ad317f4cd00bb3300eb41fb86649f7a0e3a05e0f64f8d0163ab53dbdb3c98f99a15102ce09fcd437a148347bab7bfd4afe4c90ff2ea05bb4febff

Download Submit
C:\Windows\Temp\{DCC86FA3-0C60-4340-B54B-57FD87E45799}\vcRuntimeAdditional_x86

Filesize
180KB

MD5
2ba51e907b5ee6b2aef6dfe5914ae3e3

SHA1
6cc2c49734bf9965fe0f3977705a417ed8548718

SHA256
be137dc2b1ec7e85ae7a003a09537d3706605e34059361404ea3110874895e3a

SHA512
e3ba5aa8f366e3b1a92d8258daa74f327248fb21f168b7472b035f8d38f549f5f556eb9093eb8483ca51b78e9a77ee6e5b6e52378381cce50918d81e8e982d47

Download Submit
C:\Windows\Temp\{DCC86FA3-0C60-4340-B54B-57FD87E45799}\vcRuntimeMinimum_x86

Filesize
180KB

MD5
828f217e9513cfff708ffe62d238cfc5

SHA1
9fb65d4edb892bf940399d5fd6ae3a4b15c2e4ba

SHA256
a2ad58d741be5d40af708e15bf0dd5e488187bf28f0b699d391a9ef96f899886

SHA512
ffc72b92f1431bbd07889e28b55d14ea11f8401e2d0b180e43a898914209893941affacc0a4ea34eeefc9b0ca4bc84a3045591cd98aae6bdb11ae831dc6bb121

Download Submit
C:\Windows\Temp\{F57917B9-5CEF-42F5-8A94-00B51D820951}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
ae0540106cfd901b091d3d241e5cb4b0

SHA1
97f93b6e00a5069155a52aa5551e381b6b4221eb

SHA256
8cd998a0318f07a27f78b75edb19479f44273590e300629eff237d47643c496c

SHA512
29bb486bfdd541ba6aed7a2543ff0eb66865af737a8fb79484fb77cb412c3b357c71c16addf232c759d3c20c5e18128df43c68d1cba23f1c363fd9e0b7188177

Download Submit
F:\7ffe69bbb56cbe6114ec77bc0755de85\1025\LocalizedData.xml

Filesize
81KB

MD5
075961c7e742c66ee4cd8b614a778141

SHA1
a5541fa0487135aaed1c336bba79e8025ac2804c

SHA256
4198a6ae89b0be8bd07ed3c18dea6ca87239a5a47343b73ff612ce0ab47e08dd

SHA512
c6881fc501805d0cb5aa9b42fc14029404a236166699e3845586e0609c26e4536bdd6ca2181e1139f83d5cb78c35d0fa7d158134f522fb9f4736880e330fc8f6

Download Submit
F:\7ffe69bbb56cbe6114ec77bc0755de85\1028\LocalizedData.xml

Filesize
70KB

MD5
8b37256ce099957b91ebe1d51ad8f61c

SHA1
6bf4bcf46781126ffdce92e39ad4d1d912e75ac5

SHA256
7d6777e8c9484229c1b8e3f2e354a88f57539503c2c56f2b0ee47679a6ef9cc0

SHA512
6659dec6fae7a7f733a0c9e44a04f178a6732e1b9b785833c63efd8ed6e25adabb58e37b2ec039dacdb071732f8ee42ceb297cb2ec72b67e8d25eb093d5423a5

Download Submit
F:\7ffe69bbb56cbe6114ec77bc0755de85\1029\LocalizedData.xml

Filesize
87KB

MD5
aadf97951359a8267f7990cdd2cc950d

SHA1
61f626b44e252e916c9c70a4222efc9c21d951c6

SHA256
e28d2d89fc269d25272956cee4d7150a30706f58ad305e84e3c1c9fe7ac0ee86

SHA512
2d352cf7d8d167b2a9fd4416582328d894619f2eb213fd334e1b15ef1044735a69ffca36fba02d9d1af6355e9d1a55d38c3b7f5339ecacb8c1dfdc4cc50c5342

Download Submit
F:\7ffe69bbb56cbe6114ec77bc0755de85\1030\LocalizedData.xml

Filesize
84KB

MD5
e1f2f586d75650df1a751d86bb659df8

SHA1
283097241e6b1acc8f30ca822585df104c918e51

SHA256
615a6380adcfa3a0e7a5db2df9b98dad650678d8c46b1c7c3f2d2854204f079e

SHA512
b7fb3e366a7e5cbaaf99e8e14731653dd14885cd0b3d5462c091113f12800478ff2e5bd351bd403abaeef3041cdd5a7693825e488f27ec48d087686c95daa774

Download Submit
F:\7ffe69bbb56cbe6114ec77bc0755de85\1031\LocalizedData.xml

Filesize
89KB

MD5
74d28384c38283518c6490bfd068ebf1

SHA1
c52d2fd41a59691e18871ec64db10c43f241fb6c

SHA256
01afd814b009538f387812f6940c863a9d0cd7dc4159050f34f82e50ecbc33f8

SHA512
e23ae604eafab0c3a0d8aeb07321c0dd629d21c5ba47d37958f48f1b9f27d89de4db880ec3958ad1e5f2165a69bed18d61f73f71fd743a2d7eaafdc0ef8d1cc0

Download Submit
F:\7ffe69bbb56cbe6114ec77bc0755de85\1033\LocalizedData.xml

Filesize
84KB

MD5
31bff8efc0cc701092ab7fe606271d65

SHA1
844cc4837ebe3eea9563df6613989b4588d6f19c

SHA256
b3048715a23d9bd77e9b3e1ec8577f94cfc8c2dd30b61dbf326871a97aa6e22c

SHA512
472b881df9128c93f9183ab05d2406146aeef8ce9723c9dcfa6e93d093d90b2db75bb4a3f784d26db187436242409f021fa8b7844aa04bf9cb58f48a6c4822d5

Download Submit
F:\7ffe69bbb56cbe6114ec77bc0755de85\DHTMLHeader.html

Filesize
15KB

MD5
cd131d41791a543cc6f6ed1ea5bd257c

SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490

SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb

SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a

Download Submit
F:\7ffe69bbb56cbe6114ec77bc0755de85\ParameterInfo.xml

Filesize
1.0MB

MD5
9784c43155cbd739deb47b74873a8c88

SHA1
fbcb130964d0a75d90e5dd7a1a4e2fe49b3645c3

SHA256
550768047e10744538c5629b536f89865fc0ee2d52e4950a336ce59492365ef3

SHA512
e3d6ba5ec0c206e4ac87f56d3bfc0fa697ff862f683daab4dc54ade62b71104a604bfed1e3161feaf5b9ad501ca65e85d18f0e1e12a5ceaea0ede6dd7b55c171

Download Submit
F:\7ffe69bbb56cbe6114ec77bc0755de85\Setup.exe

Filesize
118KB

MD5
f7a63e2d4217b71d39e4b18b3dadf632

SHA1
c3446cd1a50f6374c3ad3446607864bee97426d9

SHA256
43290269962f9edb13d042d54973a76570f6e4b6a4af33e7362f8284b9083720

SHA512
1703b6c1b1f96febdee8663fa9e8e11939715781810f5feccc6f11b0298fed4f83f6decd975ed1c05dd0e976a12b0738040d0c09db46389a2720462a6624c942

Download Submit
F:\7ffe69bbb56cbe6114ec77bc0755de85\SetupEngine.dll

Filesize
899KB

MD5
9964ce1f4874a686910dbc1aeec1a326

SHA1
0b434c566f6722c765245a1228b7600fd10ba1c9

SHA256
3a45fbe9c5e03f67b49808c068eb2ce831e4eebdd1b38e520e4be5a5537a72e4

SHA512
8d123ab8e6b767a80d122b021a77460373e2b0841c92375ba1f56830529a2610bbf3749ce95aa64b67f45591378246409f035518feced582c7ebe1b6609dba99

Download Submit
F:\7ffe69bbb56cbe6114ec77bc0755de85\SplashScreen.bmp

Filesize
117KB

MD5
bc32088bfaa1c76ba4b56639a2dec592

SHA1
84b47aa37bda0f4cd196bd5f4bd6926a594c5f82

SHA256
b05141dbc71669a7872a8e735e5e43a7f9713d4363b7a97543e1e05dcd7470a7

SHA512
4708015aa57f1225d928bfac08ed835d31fd7bdf2c0420979fd7d0311779d78c392412e8353a401c1aa1885568174f6b9a1e02b863095fa491b81780d99d0830

Download Submit
F:\7ffe69bbb56cbe6114ec77bc0755de85\UiInfo.xml

Filesize
63KB

MD5
c99059acb88a8b651d7ab25e4047a52d

SHA1
45114125699fa472d54bc4c45c881667c117e5d4

SHA256
b879f9bc5b79349fa7b0bdbe63167be399c5278454c96773885bd70fbfe7c81d

SHA512
b23a7051f94d72d5a1a0914107e5c2be46c0ddee7ca510167065b55e2d1cb25f81927467370700b1cc7449348d152e9562566de501f3ea5673a2072248572e3b

Download Submit
F:\7ffe69bbb56cbe6114ec77bc0755de85\sqmapi.dll

Filesize
221KB

MD5
6404765deb80c2d8986f60dce505915b

SHA1
e40e18837c7d3e5f379c4faef19733d81367e98f

SHA256
b236253e9ecb1e377643ae5f91c0a429b91c9b30cca1751a7bc4403ea6d94120

SHA512
a5ff302f38020b31525111206d2f5db2d6a9828c70ef0b485f660f122a30ce7028b5a160dd5f5fbcccb5b59698c8df7f2e15fdf19619c82f4dec8d901b7548ba

Download Submit
memory/32-312-0x0000000000410000-0x0000000000487000-memory.dmp

Filesize
476KB

Download
memory/516-723-0x00007FF714890000-0x00007FF714910000-memory.dmp

Filesize
512KB

Download
memory/516-722-0x00007FF714890000-0x00007FF714910000-memory.dmp

Filesize
512KB

Download
memory/872-561-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1432-3-0x000002539A0D0000-0x000002539A0D1000-memory.dmp

Filesize
4KB

Download
memory/1432-2-0x000002539A0D0000-0x000002539A0D1000-memory.dmp

Filesize
4KB

Download
memory/1432-12-0x000002539A0D0000-0x000002539A0D1000-memory.dmp

Filesize
4KB

Download
memory/1432-11-0x000002539A0D0000-0x000002539A0D1000-memory.dmp

Filesize
4KB

Download
memory/1432-10-0x000002539A0D0000-0x000002539A0D1000-memory.dmp

Filesize
4KB

Download
memory/1432-13-0x000002539A0D0000-0x000002539A0D1000-memory.dmp

Filesize
4KB

Download
memory/1432-7-0x000002539A0D0000-0x000002539A0D1000-memory.dmp

Filesize
4KB

Download
memory/1432-1-0x000002539A0D0000-0x000002539A0D1000-memory.dmp

Filesize
4KB

Download
memory/1432-9-0x000002539A0D0000-0x000002539A0D1000-memory.dmp

Filesize
4KB

Download
memory/1432-8-0x000002539A0D0000-0x000002539A0D1000-memory.dmp

Filesize
4KB

Download
memory/1608-599-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1784-845-0x00007FF714890000-0x00007FF714910000-memory.dmp

Filesize
512KB

Download
memory/1824-313-0x0000000000410000-0x0000000000487000-memory.dmp

Filesize
476KB

Download
memory/3812-0-0x00007FF714890000-0x00007FF714910000-memory.dmp

Filesize
512KB

Download
memory/5100-610-0x00007FF714890000-0x00007FF714910000-memory.dmp

Filesize
512KB

Download
memory/5372-275-0x0000000000410000-0x0000000000487000-memory.dmp

Filesize
476KB

Download
memory/6048-598-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download