hxxp://itch[.]io

max time kernel
1153s
max time network
1154s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02/10/2024, 18:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://itch.io

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
868	Project UroboroS.exe
584	Project UroboroS.exe
4864	MrTomatoS.exe

Loads dropped DLL 52 IoCs

pid	Process
868	Project UroboroS.exe
868	Project UroboroS.exe
868	Project UroboroS.exe
868	Project UroboroS.exe
868	Project UroboroS.exe
868	Project UroboroS.exe
868	Project UroboroS.exe
868	Project UroboroS.exe
868	Project UroboroS.exe
868	Project UroboroS.exe
868	Project UroboroS.exe
868	Project UroboroS.exe
868	Project UroboroS.exe
868	Project UroboroS.exe
868	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
584	Project UroboroS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe
4864	MrTomatoS.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Project UroboroS.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MrTomatoS.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Project UroboroS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Project UroboroS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MrTomatoS.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Project UroboroS.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 201417.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MrTomatoS.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 238949.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
5092	msedge.exe
5092	msedge.exe
3388	identity_helper.exe
3388	identity_helper.exe
868	msedge.exe
868	msedge.exe
3092	msedge.exe
3092	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
1328	msedge.exe
3912	msedge.exe
3912	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
868	Project UroboroS.exe
4864	MrTomatoS.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	32	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	32	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
868	Project UroboroS.exe
584	Project UroboroS.exe
4864	MrTomatoS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 2848	5092	msedge.exe	79
PID 5092 wrote to memory of 2848	5092	msedge.exe	79
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 2412	5092	msedge.exe	80
PID 5092 wrote to memory of 4764	5092	msedge.exe	81
PID 5092 wrote to memory of 4764	5092	msedge.exe	81
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82
PID 5092 wrote to memory of 2324	5092	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://itch.io
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff3ef73cb8,0x7fff3ef73cc8,0x7fff3ef73cd8
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6704 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6956 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3092
- C:\Users\Admin\Downloads\Project UroboroS.exe
  "C:\Users\Admin\Downloads\Project UroboroS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5012 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:3264
- C:\Users\Admin\Downloads\Project UroboroS.exe
  "C:\Users\Admin\Downloads\Project UroboroS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7124 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,4868765069271247206,15144885279868900923,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6648 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Users\Admin\Downloads\MrTomatoS.exe
  "C:\Users\Admin\Downloads\MrTomatoS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2180

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C0 0x00000000000004C4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:32

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\47e4c179-0b24-45d3-ae45-02964862c4d7.tmp

Filesize
10KB

MD5
de0eced6511467030faeca0af8959df2

SHA1
1d98440985dd5a5ed4ea5d89643fc3527d331e61

SHA256
80e7d25f44cd922f0eb28da7124dd898d23db594dde3b954a31f1d0d6b728c1d

SHA512
0f3a299833b04156d6648bd755a3e9d62b47c93157b70080cf6e211c5b03f7ccef01277c8164bf761ebfbb05ec7fe085dbeb6c9abb7251b424d29828c3cc315d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
95KB

MD5
828f74f1489e053379a3663d4e985c0e

SHA1
61228bc792d5441560915af02dd841375ba80df2

SHA256
c0128d4b5010e64162b73c2407deb762c938057828548f8245d29fcafd872632

SHA512
29caa771645a42e0d0ae2a52ef95b627073e88dab98d1bc6dacc0b24440c5c5a643ad2ec9af4599534bdb4d9894a9835a661c9a56e7ca13f5349a7831b10837c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9bf8e0b283deb22429bc2283b85a3775

SHA1
9b3ae0f310f8b42b57f695e1f3f4c8fed0efeb8c

SHA256
b77f6943c9628579c714736fd22f1fe7fcf720402fed37189098068ff7439021

SHA512
1b63c904ddbcbcca2c47b8ffd219bbbb51dfbe5ea9aebe16b47a8a71dd17adca727db0525e70fa2a57459ec0133f0392125a4b90f1d4ebbb414f284de2a43bb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
b78a5b98f69b595d1ac0a3fe58924a26

SHA1
1627a3bec4171e6c464ebb867533feb053148cba

SHA256
8f6b8d6a78801e62c26dead48ec369f226db0968f8e4f3a66797ad8f21d71e69

SHA512
fbd3be5660ddae153f111ae963ed3411b52d496d5c81ad9bc9bc8540c10441d55ea968d16dd1e8bde9bdb4d975dee53254ef44ded50f44d36e7fe71c2f35672e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
5e1b38b891346f4ef2e453fc8a189f9f

SHA1
aa0beabf7da14942933234a2a1736edbac32e202

SHA256
ce2dd282282b4ec34366268c6f567bec8cb88f490325bea317d3f344b1e8c8de

SHA512
be95f77a0a61e6dcfb1c7fa69cd5cb626778ff0285e9bf29b5b93c455a98b5eded2df0d6f3ae11339b9fd2bc2abf229f9857115d2e79e181210d85cc30c21473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
e3a446e6db62c113dd4ec75386ceb6ba

SHA1
f1a2f30ac08f71d2e48d2bf380ed3474b4e76b9e

SHA256
870056e421d23aa1055c50df79c04ed3ca2e1013e01a2433e47730c06a2c384e

SHA512
3954b6c6769e9aa6a0879f47f29f0970336cba467c73f36df171da49cf4223ca35c3877dfc9f6cba19d1943a363cc94d3bf1eced44477b19492728acc1aabc80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9f04569d28c8ce0e34c9c033f726bc1f

SHA1
34e7efb37b48ecb78e978b820d63f6813b64c3cb

SHA256
8b2bd218c5281b8bca3ef9e9e467f1007e142ca6a2e6d0815adb8998d27ee8fa

SHA512
773f3392e1eaf2d8621eeb8ba4d8b264aedaf84da8f808f66003f8cad535533f8f2335d4000c44b56cda068cc20f1f3ae78b9848730b7b9582fe42a683b5be92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dd693477cb62f4adbf66bc825fbb783d

SHA1
cfcada4cb943e35e9aaa83df455f45f45c45968a

SHA256
aa00062d1de063d146f5983c988280f29bf1acac8b7f82f189b6e665e53d0b4d

SHA512
5ee5e27d2878ce257f82ad4ace810ef83c120c797024021caa1cfb763e1e0c02810b363569329d449b3151c02e2cbf5917721ace21d94863807ce07b25971081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
704B

MD5
8f8eaf89190996ef010f11e79c86d24b

SHA1
926d206838fbb364a45190c6dbb60e33a0ccf569

SHA256
d9c7190b5b23af2a12b350ac9689dbecd33e10f0c7c2ebeea513858e8901e45d

SHA512
da17d5e847e4ebeec2cb2cbf8aece73b1d4e966bb4555c36c64cd8926c27759143a9a8a9cc75a08a3e181b564b92414e154cab35e8bf0870152a7ccb2363153a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
124650d004b792412a5f025f4757c52d

SHA1
47849ebbe8d7a765ed29a66d4bcce7e6528df174

SHA256
9044a63b02fc26def87d76553afc95a4a841a7bddbc97e9c87b6036187b4ab52

SHA512
b9bdc536fbf49a9d2e5d358264788881694b09f635f6b6119519f5225454b9c11b755b8ff6fb1447b509b63617c6786e625424f318839b7daf19a6a324559051

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581a69.TMP

Filesize
371B

MD5
4f1b4c656c47869ac8ee09834f06d601

SHA1
9d19319ba98cf30092aad62ce7fbea90001afb89

SHA256
eeb43c9f6e158d9f480d730832847f52f834114e812e05d74f8dd97732c8fb1f

SHA512
a36fb9f96d4780d268a8f5c13cc78243f08537e8e6d4e24453a5cf071bae374e817c4f41bb7c3f72195af630807a9bcdbb137bbac4df59b9257b06428668c091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a3101aa6-d22c-45f1-91a5-b2515963736a.tmp

Filesize
5KB

MD5
28e860521635bc536cf058822f6a38fa

SHA1
58a044d12e1a271677db131e01e1573bda3131a5

SHA256
0da3731fc50621f2e1c473523c91a67a36a345163b63b54742b1ca6c575719dd

SHA512
d26e1392b369eb5059b17ec4f2cf3a0f12fcf9feda10c76702fff98629bc52f959c2701389e8a958fbb9b7bd0e498c38f1330afb0237e3473cf2f13b0d524f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
060a1177cdf725562535bfcb18bd37d8

SHA1
4559fea2b4304552e13f31f070a46d8edcd3770f

SHA256
577f55692d571a5a3f7d81b3681322fb71f54157fedd74677caf3b55876ecc2c

SHA512
24703ed44325edd0892a8f633fabc0ba3eb5529f4335ce0c04f0ffe1bb5dc2030684e62e70271a24770defdc6e0dac7057da5ec610f3d0d1a454a8b50be413ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0421e48e2eb142fbb7bfc0c7030f97e1

SHA1
dc1435bce5b7f8a46514f0e15c68207692347ffb

SHA256
92cff50fcc29d5ea089a4304e67ee1ef75b6dc872a5fa8535289be7c6009149c

SHA512
6f24cb9c98bae188abdc303208a1439ec00ccc5a2882b37293e22c1846dd0ae5c946425f4a46a0defc280ea5ec7616f38e4150b46c6e89cc675bef73487173b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\23bda4e4-22b1-4c22-9338-be12a8a850cb.FusionApp\Blowfish.mfx

Filesize
16KB

MD5
46b4e07996614b78dfede54705b97091

SHA1
f4634f2fb6d1e512cda68e41c89ee8c2277b59ca

SHA256
6923e91a2ea3d49b9bf807ace894016a0f03c2b5aedb9b2e7da23aab58f83fc7

SHA512
a90929d1dd1daa17e4d2da0934e8fa7d29f98e7681fcb840cb3b20efbb5503e3c9256290c1d4ebd02167db7706f4c33bda433729d2d65575884b232cff0fd573

Download Submit
C:\Users\Admin\AppData\Local\Temp\23bda4e4-22b1-4c22-9338-be12a8a850cb.FusionApp\Yaso.mfx

Filesize
58KB

MD5
b4507e6a8030e670b5c3b1d774826584

SHA1
f252cc0f0c4f8b80073306fa3deb222fc25b7b73

SHA256
4d0b438258cc4ef0043e5ef78142db6fcf8bb34197116d4440d3988d13562b4a

SHA512
8eb6b82fc09d7dbbf5367ef1cf4e128854b3c225aa4acc5955f155680eb59d246c6d325c9f329c5d1d8e450c65741fd38c471c77fd8645da2f978cc514c7148b

Download Submit
C:\Users\Admin\AppData\Local\Temp\23bda4e4-22b1-4c22-9338-be12a8a850cb.FusionApp\clickteam-simple_ellipse.mvx

Filesize
28KB

MD5
44acbfa6bc341c33bfb1be7a891b9307

SHA1
fd5005905f632c3456e5bc2f141db11d9fcd67ed

SHA256
73ea8b5011b1c8e18e5c3f12ee4adc33fcc28385593d1371e828d6b9237ce33c

SHA512
a2ee76974cae652cb80e1e1b6ae678b6e38092fdcf813570db40a63c71cb8e07d8c234808833ed2cd1982c392d979f3adcd1b57a52a2da6239005a6e7e1073f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\23bda4e4-22b1-4c22-9338-be12a8a850cb.FusionApp\fontembed.mfx

Filesize
15KB

MD5
f38352c344bd71eb21a78a1b69dcade8

SHA1
eca1053fa4ce77f96752f400d4ffac8f2f158d15

SHA256
38b5dba1524e47ff474d29bb0fb3d7b0476e554cdb82f2de09c4a761ab5645b1

SHA512
70134d7e2d4c589fc3ca5c52e005852d07e6b3cce91db00d32bf121611480601d007ead98c3e2febfdd1ca03a0c723fa46e9b73c0f497b315a6cdcb9f15afd56

Download Submit
C:\Users\Admin\AppData\Local\Temp\23bda4e4-22b1-4c22-9338-be12a8a850cb.FusionApp\kcini.mfx

Filesize
114KB

MD5
7c0cb7fdc0d3519520cd4b8137edbd80

SHA1
bd4eddd8316a51baf4a3ae68b56acfbba734f46c

SHA256
d1471b2685d45956c323baa2cab11dfe479eb1021f04e2949f03557527c5fc84

SHA512
601c16892bef77d5842e0778f27d4f82e19ae66333b2b75c9a34b3ba6441169946e1167ceb21ed270bddba305abfe50f2e8f8ab2e9dc410c96a31944e597034a

Download Submit
C:\Users\Admin\AppData\Local\Temp\23bda4e4-22b1-4c22-9338-be12a8a850cb.FusionApp\kcwctrl.mfx

Filesize
79KB

MD5
2c34e977f898ab60eddb72075c4be223

SHA1
adf883dd06e5ae340a03e6c22a56a4c0caf909ea

SHA256
a0ada42e3a4760097c1c2f98905f12b19de47159543aa21e1c604dbcac7337f2

SHA512
73402857d09e5a0e8049bb7adf3bbfdfc9ac65966217751cbf6db2bf532aa3f92ffc3a1a5dcda638e83d6ede29ebe6e760cbad74d27aa6fa006c9296607d3c37

Download Submit
C:\Users\Admin\AppData\Local\Temp\23bda4e4-22b1-4c22-9338-be12a8a850cb.FusionApp\mmf2d3d9.dll

Filesize
1.1MB

MD5
72bb9180f8905c0da95566b778cdac5e

SHA1
e96145e8120514092b35f67f1f120b958997f921

SHA256
3cde7a9181ab63a42cd3535d279d0ab1397b7b78fa3ddddef832757ab2024101

SHA512
c2c8d8c74c53a78545e69f27a7fe1a6d1291888158962e93e16e6ec9950f86e74c68bd2eb50d04db0bff58e8dc93455aa384245991c5afe34abee36fef53710f

Download Submit
C:\Users\Admin\AppData\Local\Temp\23bda4e4-22b1-4c22-9338-be12a8a850cb.FusionApp\mmfs2.dll

Filesize
509KB

MD5
98f647d1ed220e1d715aed9dcf69f387

SHA1
d1d9f5361672553a394bee9afe1d30814dd0ac53

SHA256
3a288448e88a296b2bceeaf093e76a22e3083e937a3c4efeb6a61565ca7e35df

SHA512
e950658b0afdad722a9f243bb8ae7fbc1c541dd0513379ef9e1d99becf8b31b4098c6789204baf3f15ea26f43af665edaa9799a6617373009def81bb20f02a06

Download Submit
C:\Users\Admin\AppData\Local\Temp\23bda4e4-22b1-4c22-9338-be12a8a850cb.FusionApp\mp3flt.sft

Filesize
24KB

MD5
dadc138be9d36e6e4b8e4bf9ef2de4bc

SHA1
2758db786c544ec7889f26edf9bc4634c9240af0

SHA256
ddeafda7b28bf7545e3ba164aa4a74219eb961c36bb974e0f5085a07daf18f44

SHA512
63a21c5eda225c7fb8a67595c3180d4fdc1bc37d3b45f839e1b562ef946bf5b2237a9ff17c3f6f5de489779bbb9652ac2a1a74b83f153883bd436756acf249e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\23bda4e4-22b1-4c22-9338-be12a8a850cb.FusionApp\waveflt.sft

Filesize
8KB

MD5
57ea61dd14314ef155e80c6a0be8a664

SHA1
963b0ef2fe976ff77044a821fe1e29be4a8cf8a7

SHA256
92a5053cf5973a6aa228c738d55387f12f1dfa8a837d7b938c60f05b6b56b3ad

SHA512
cc23cb30d76d22500c3ed7ce9ee0388588309d0779441b95559fce25a42f1eff52ca285c347655f8b33c15b75f9d2067738a151f81f605d3b563799a3a06c9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\b59e8d51-6ba2-40a0-836b-403a0024f5c9.FusionApp\Box2DBase.mfx

Filesize
287KB

MD5
0572d03da13e13cecdccff2e64f9f4f5

SHA1
a1fcc08ac261edeb3c2b95f007c93fe1398583c7

SHA256
c4507e348be20dacff1caf80047009924a7dafde2f6d4fcd3a119e36c3b0a259

SHA512
68790d0a9b0ccac5389e551408c10bcb2430daa28162bf8de29fe327c78c72bc61181366d6e0f61ba661977daa825aa865255b71ba4cd0ecbc0f403d608d71d0

Download Submit
C:\Users\Admin\AppData\Roaming\MMFApplications\MrTomatoS v2

Filesize
32B

MD5
54040a6a70fd243646e5123cd9a432d8

SHA1
0b6f9e6f565bf666aa636b2cd7294fd3477167ba

SHA256
6799156695e927ff205958bfbe8ccdb416408881d18fc7f7f999a29a4f5f4990

SHA512
1602dbbf4581e55ce38daf85670f6b7136e3df26ab5b3d9a8b7e2856e0341fd6a7df251c2dd609695a8b0668bfb1d1441a2ad9a624237586a8a4174a6f06da73

Download Submit
C:\Users\Admin\AppData\Roaming\MMFApplications\UroboroS

Filesize
32B

MD5
11822677f818ac903f7941fb8463d048

SHA1
d6c52c515c94354ebb4a7ad35dcf1b71ff2a3340

SHA256
a61cc720b2cfc04b93504969bc2c64fdddefe849c7227d3e62fdc858db7f10aa

SHA512
d8e1f39bd8c3a49c9e12557b82a09806ff13b1f21501990de2ea41f72cd1756beaeda886ed8528c2a629a056e3525acc79d124a2be9911c48d4226abdb0594d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Project UroboroS.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 238949.crdownload

Filesize
8.5MB

MD5
07d1f1241c250f48987f9e930efc2d52

SHA1
9d576d38d22188616685c96ee370e18d173256b4

SHA256
968b48ed1b85ac728f604f06206d02bc719f43d7ed5c135c0fbb9f4b2eaa6207

SHA512
f522311838106b95f3ec0f5c1eee4a85a80d4a91f3cdd6f7a6fe3004a630dd47283aba4b10389a031a36bf8f33c4107df046168f19dc15897f5a2970eaa806a9

Download Submit
memory/4864-812-0x0000000002950000-0x0000000002961000-memory.dmp

Filesize
68KB

Download
memory/4864-803-0x0000000002900000-0x0000000002949000-memory.dmp

Filesize
292KB

Download