hxxps://drive[.]google[.]com/file/d/115FKF4pbaPWv2y3q5s7InZtDr-yOS1RM/view?usp=sharing

Analysis

max time kernel
381s
max time network
395s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2024 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/115FKF4pbaPWv2y3q5s7InZtDr-yOS1RM/view?usp=sharing

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 4 IoCs

pid	Process
1652	blender.exe
3280	blender.exe
2388	blender-launcher.exe
2896	blender.exe

Loads dropped DLL 64 IoCs

pid	Process
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
1652	blender.exe
4152	regsvr32.exe
3280	blender.exe
3280	blender.exe
3280	blender.exe
3280	blender.exe
3280	blender.exe
3280	blender.exe
3280	blender.exe
3280	blender.exe
3280	blender.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\D:	blender.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\D:	blender.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\F:	blender.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
10	drive.google.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\plistlib.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\Cython\Includes\libc\stdint.pxd	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\Cython\Utility\StringTools.c	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\addons_core\cycles\shader\node_convert_from_color.oso	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\datafiles\locale\sw\LC_MESSAGES\blender.mo	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\pip\_vendor\pygments\formatters\other.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\addons_core\cycles\source\kernel\integrator\intersect_subsurface.h	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\presets\tracking_camera\RED_Helium_8K.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\addons_core\cycles\source\util\types_float4_impl.h	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\pip\_vendor\colorama\tests\winterm_test.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\numpy\distutils\checks\cpu_asimddp.c	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\freestyle\styles\qi2.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\pip\_vendor\colorama\tests\utils.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\usd\hdSt\resources\shaders\terminals.glslfx	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\MaterialX\libraries\pbrlib\genglsl\mx_anisotropic_vdf.glsl	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\addons_core\io_scene_gltf2\io\exp\gltf2_io_user_extensions.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\datafiles\icons\brush.particle.length.dat	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\MaterialX\MANIFEST.in	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\addons_core\rigify\metarigs\Animals\__init__.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\certifi-2021.10.8.dist-info\INSTALLER	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\setuptools\cli-64.exe	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\MaterialX\libraries\stdlib\genosl\mx_geompropvalue_vector2.osl	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\addons_core\cycles\source\kernel\svm\sepcomb_hsv.h	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\numpy\typing\tests\data\fail\einsumfunc.pyi	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\mesonbuild\modules\qt.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\MaterialX\libraries\stdlib\genglsl\mx_fractal3d_vector2.glsl	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\materialx\libraries\pbrlib\genglsl\mx_artistic_ior.glsl	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\modules\__pycache__\bpy_restrict_state.cpython-311.pyc.1933534976944	blender.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\materialx\libraries\stdlib\genosl\mx_fractal3d_fa_vector3.osl	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\numpy\core\umath_tests.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\pip\_vendor\cachecontrol\controller.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\_distutils_hack\__init__.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\MaterialX\libraries\stdlib\genosl\mx_noise3d_fa_vector3.osl	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\datafiles\icons\ops.gpencil.draw.line.dat	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\startup\bl_ui\generic_ui_list.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\numpy\typing\tests\data\fail\constants.pyi	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\numpy\tests\test_numpy_version.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\addons_core\cycles\shader\node_vector_displacement.oso	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\materialx\libraries\stdlib\genosl\mx_worleynoise3d_float.osl	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\numpy\f2py\tests\test_return_logical.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\numpy\f2py\tests\test_array_from_pyobj.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\addons_core\rigify\rigs\spines\spine_rigs.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\addons_core\io_scene_gltf2\blender\exp\material\extensions\gltf2_blender_gather_materials_emission.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\startup\bl_ui\properties_paint_common.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\MaterialX\libraries\stdlib\genglsl\stdlib_genglsl_impl.mtlx	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\MaterialX\libraries\stdlib\genmdl\stdlib_genmdl_impl.mtlx	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\numpy\core\generate_numpy_api.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\mesonbuild\backend\xcodebackend.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\numpy\distutils\checks\cpu_vsx2.c	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\pip\_vendor\urllib3\util\timeout.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\materialx\libraries\stdlib\genglsl\mx_dodge_color3.glsl	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\MaterialX\libraries\pbrlib\genosl\mx_blackbody.osl	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\datafiles\icons\ops.gpencil.sculpt_blur.dat	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\datafiles\icons\ops.pose.breakdowner.dat	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\scripts\addons_core\rigify\rigs\skin\basic_chain.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\pxr\UsdUtils\usdzUtils.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\numpy\testing\__init__.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\datafiles\icons\ops.sculpt.box_trim.dat	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\MaterialX\libraries\stdlib\genosl\mx_noise3d_color4.osl	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\materialx\libraries\stdlib\genosl\mx_geomcolor_float.osl	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\numpy\distutils\tests\test_fcompiler_gnu.py	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\usd_ms.dll	msiexec.exe
File created	C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\MaterialX\libraries\targets\genglsl.mtlx	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e5b5d30.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFC7.tmp	msiexec.exe
File created	C:\Windows\Installer\e5b5d30.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{40D07A01-07A9-450A-8271-9BB69187F4BA}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7DB8.tmp	msiexec.exe
File created	C:\Windows\Installer\e5b5d32.msi	msiexec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001a73a27760024bf60000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001a73a2770000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001a73a277000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1a73a277000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001a73a27700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.blend	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.blend\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.blend\Treatment = "0"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}\InProcServer32\ = "C:\\Program Files\\Blender Foundation\\Blender 4.2\\BlendThumb.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.blend\ = "blender.4.2"	blender.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.blend\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}\ = "{D45F043D-F17F-4e8a-8435-70971D9FA46D}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\shell\open\command	blender.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.blend\ShellEx	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\DefaultIcon	blender.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.blend	blender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\shell\open	blender.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.blend\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}\ = "{D45F043D-F17F-4e8a-8435-70971D9FA46D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\shell\open\FriendlyAppName = "Blender 4.2"	blender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\DefaultIcon\ = "\"C:\\Program Files\\Blender Foundation\\Blender 4.2\\blender-launcher.exe\", 1"	blender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\AppUserModelId = "blender.4.2"	blender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.blend\ = "blender.4.2"	blender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.blend\OpenWithProgids	blender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.blend\OpenWithProgids\blender.4.2 = "0"	blender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\DefaultIcon\ = "\"C:\\Program Files\\Blender Foundation\\Blender 4.2\\blender-launcher.exe\", 1"	blender.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.blend\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\shell\open\command\ = "\"C:\\Program Files\\Blender Foundation\\Blender 4.2\\blender-launcher.exe\" \"%1\""	blender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\DefaultIcon	blender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}\InProcServer32\ = "C:\\Program Files\\Blender Foundation\\Blender 4.2\\BlendThumb.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\shell\open\command	blender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.blend\OpenWithProgids	blender.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\ = "Blender 4.2"	blender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\shell\open\FriendlyAppName = "Blender 4.2"	blender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\ = "Blender 4.2"	blender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\AppUserModelId = "blender.4.2"	blender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\shell\open\command\ = "\"C:\\Program Files\\Blender Foundation\\Blender 4.2\\blender-launcher.exe\" \"%1\""	blender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.blend	blender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}\ = "Blender Thumbnail Handler"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.blend\OpenWithProgids\blender.4.2 = "0"	blender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2	blender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}\ = "Blender Thumbnail Handler"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{D45F043D-F17F-4e8a-8435-70971D9FA46D}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.blend	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\.blend\Treatment = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2	blender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\shell\open	blender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\blender.4.2\shell	blender.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 757147.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
8	msedge.exe
8	msedge.exe
2932	msedge.exe
2932	msedge.exe
4556	msedge.exe
1796	identity_helper.exe
4556	msedge.exe
1796	identity_helper.exe
3544	msedge.exe
3544	msedge.exe
5872	msedge.exe
5872	msedge.exe
5192	msedge.exe
5192	msedge.exe
5192	msedge.exe
5192	msedge.exe
3448	msedge.exe
3448	msedge.exe
6112	msiexec.exe
6112	msiexec.exe
6112	msiexec.exe
6112	msiexec.exe
2388	blender-launcher.exe
2388	blender-launcher.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1096	msiexec.exe
Token: SeShutdownPrivilege	2960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2960	msiexec.exe
Token: SeSecurityPrivilege	6112	msiexec.exe
Token: SeCreateTokenPrivilege	2960	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2960	msiexec.exe
Token: SeLockMemoryPrivilege	2960	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2960	msiexec.exe
Token: SeMachineAccountPrivilege	2960	msiexec.exe
Token: SeTcbPrivilege	2960	msiexec.exe
Token: SeSecurityPrivilege	2960	msiexec.exe
Token: SeTakeOwnershipPrivilege	2960	msiexec.exe
Token: SeLoadDriverPrivilege	2960	msiexec.exe
Token: SeSystemProfilePrivilege	2960	msiexec.exe
Token: SeSystemtimePrivilege	2960	msiexec.exe
Token: SeProfSingleProcessPrivilege	2960	msiexec.exe
Token: SeIncBasePriorityPrivilege	2960	msiexec.exe
Token: SeCreatePagefilePrivilege	2960	msiexec.exe
Token: SeCreatePermanentPrivilege	2960	msiexec.exe
Token: SeBackupPrivilege	2960	msiexec.exe
Token: SeRestorePrivilege	2960	msiexec.exe
Token: SeShutdownPrivilege	2960	msiexec.exe
Token: SeDebugPrivilege	2960	msiexec.exe
Token: SeAuditPrivilege	2960	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2960	msiexec.exe
Token: SeChangeNotifyPrivilege	2960	msiexec.exe
Token: SeRemoteShutdownPrivilege	2960	msiexec.exe
Token: SeUndockPrivilege	2960	msiexec.exe
Token: SeSyncAgentPrivilege	2960	msiexec.exe
Token: SeEnableDelegationPrivilege	2960	msiexec.exe
Token: SeManageVolumePrivilege	2960	msiexec.exe
Token: SeImpersonatePrivilege	2960	msiexec.exe
Token: SeCreateGlobalPrivilege	2960	msiexec.exe
Token: SeCreateTokenPrivilege	1096	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1096	msiexec.exe
Token: SeLockMemoryPrivilege	1096	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1096	msiexec.exe
Token: SeMachineAccountPrivilege	1096	msiexec.exe
Token: SeTcbPrivilege	1096	msiexec.exe
Token: SeSecurityPrivilege	1096	msiexec.exe
Token: SeTakeOwnershipPrivilege	1096	msiexec.exe
Token: SeLoadDriverPrivilege	1096	msiexec.exe
Token: SeSystemProfilePrivilege	1096	msiexec.exe
Token: SeSystemtimePrivilege	1096	msiexec.exe
Token: SeProfSingleProcessPrivilege	1096	msiexec.exe
Token: SeIncBasePriorityPrivilege	1096	msiexec.exe
Token: SeCreatePagefilePrivilege	1096	msiexec.exe
Token: SeCreatePermanentPrivilege	1096	msiexec.exe
Token: SeBackupPrivilege	1096	msiexec.exe
Token: SeRestorePrivilege	1096	msiexec.exe
Token: SeShutdownPrivilege	1096	msiexec.exe
Token: SeDebugPrivilege	1096	msiexec.exe
Token: SeAuditPrivilege	1096	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1096	msiexec.exe
Token: SeChangeNotifyPrivilege	1096	msiexec.exe
Token: SeRemoteShutdownPrivilege	1096	msiexec.exe
Token: SeUndockPrivilege	1096	msiexec.exe
Token: SeSyncAgentPrivilege	1096	msiexec.exe
Token: SeEnableDelegationPrivilege	1096	msiexec.exe
Token: SeManageVolumePrivilege	1096	msiexec.exe
Token: SeImpersonatePrivilege	1096	msiexec.exe
Token: SeCreateGlobalPrivilege	1096	msiexec.exe
Token: SeBackupPrivilege	2956	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe
2932	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5216	OpenWith.exe
5260	OpenWith.exe
5540	OpenWith.exe
5636	OpenWith.exe
5744	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2932 wrote to memory of 404	2932	msedge.exe	83
PID 2932 wrote to memory of 404	2932	msedge.exe	83
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 2072	2932	msedge.exe	85
PID 2932 wrote to memory of 8	2932	msedge.exe	86
PID 2932 wrote to memory of 8	2932	msedge.exe	86
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87
PID 2932 wrote to memory of 984	2932	msedge.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/115FKF4pbaPWv2y3q5s7InZtDr-yOS1RM/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99b7b46f8,0x7ff99b7b4708,0x7ff99b7b4718
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:3320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6180 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
  2⤵
  PID:6036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2620 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1708 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7124 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,2318406250889743502,10490244190898794033,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3448
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\blender-4.2.3-windows-x64.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\blender-4.2.3-windows-x64.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  PID:1096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2800

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5540

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5744

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6112
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2340
- C:\Program Files\Blender Foundation\Blender 4.2\blender.exe
  "C:\Program Files\Blender Foundation\Blender 4.2\blender.exe" --register-allusers
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies registry class
  PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\regsvr32 /s "C:\Program Files\Blender Foundation\Blender 4.2\BlendThumb.dll"
    3⤵
    PID:1292
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32 /s "C:\Program Files\Blender Foundation\Blender 4.2\BlendThumb.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:4152
- C:\Program Files\Blender Foundation\Blender 4.2\blender.exe
  "C:\Program Files\Blender Foundation\Blender 4.2\blender.exe" --register-allusers
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies registry class
  PID:3280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\regsvr32 /s "C:\Program Files\Blender Foundation\Blender 4.2\BlendThumb.dll"
    3⤵
    PID:4560
  - - C:\Windows\system32\regsvr32.exe
      C:\Windows\system32\regsvr32 /s "C:\Program Files\Blender Foundation\Blender 4.2\BlendThumb.dll"
      4⤵
      Modifies registry class
      PID:5520

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2956

C:\Program Files\Blender Foundation\Blender 4.2\blender-launcher.exe
"C:\Program Files\Blender Foundation\Blender 4.2\blender-launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2388
- C:\Program Files\Blender Foundation\Blender 4.2\blender.exe
  "C:\Program Files\Blender Foundation\Blender 4.2\blender.exe"
  2⤵
  - Executes dropped EXE
  PID:2896

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x42c 0x318
1⤵
PID:5164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5b5d31.rbs

Filesize
1.6MB

MD5
24164229df217fa7568604238edec62b

SHA1
f0250f27440c114ccf4585e9cc99f7c526794ebd

SHA256
78d275eaa711d2f53960a8474ebf69f9166903e67df41a5b682c8d8148297d1b

SHA512
90e5193cefdc4d1e5d106a8b49f77350b9b5f298fc1421d6f7268e8e93483b51d17134e5865eb7dc9349c220982aa3070bb4578ac7bc397e1fd212c9ad423ff1

Download Submit
C:\Config.Msi\e5b5d33.rbs

Filesize
222KB

MD5
510b921002f7d0a795abe595b158a24a

SHA1
2dd78d53ced25b8e2e7eceac3a2a2602ca816ca3

SHA256
f60f198a4907f915696f09b71242bb1d5fc5d8d18fa823f63e2568b177a641e1

SHA512
ad6a9a1e4ce33f6de41c8774e1dd158d8d64fc81ea3e890899625bbb0daaf1688fc18bbcc54cc6f2e0e1632984c99250389acd862d9ddfe56a7528bd38f11381

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\Cython\Tests\__init__.py

Filesize
14B

MD5
c34aba81b82bc8a5a69b95cc5eb4b3e6

SHA1
17edf5bb6e605baacf70f826a5361057b40eda17

SHA256
a93afb978b35bb5d2970c7c58cff5c159192d4f293eafd8c97fbf2dddadeb68d

SHA512
1961a2914539f67d5c352e7e434463f47d6d71ace5de5bc52d6fea8e8b453d962546c5b668a07199e3b8ae56553c71fa2297ad76acc24af0d4a6f96094182938

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\certifi-2021.10.8.dist-info\WHEEL

Filesize
116B

MD5
325a7162f4b2770d339d6744af88e2be

SHA1
684b975b1f12f3d38841c6361d3d61c3d15c9f2a

SHA256
56d0811de0aa7a612ef5cfead2a0452d7d5d265badcf16d891baf19b1d290ef5

SHA512
451d323b81f25ac04017a65601b7b3bdf29529935389afd0abdcd385fe6d44c18508b67c4a6ed091d7848433334e4ae6ed3309cbec252fa21398d997fa429aa6

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\pxr\UsdShade\__init__.py

Filesize
1KB

MD5
0178e13da7bcd3357e0f2d39044bb026

SHA1
b165a569397955eb9e165915fc41b1c9f4d1e4ff

SHA256
8bf3dbee76cd86f924fadd8960c94444b4ca1125af2eaca3cca9f70a9240f703

SHA512
e2f582ecedda15ce98cc372f71f97a92cb51c15d402d2887f0eabb0f3ce1bf29f00aead952ede5a90323b8faeedf959d6420fbd15f1f96500469aacadaf8293f

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\4.2\python\lib\site-packages\pycodestyle-2.8.0.dist-info\INSTALLER

Filesize
5B

MD5
00305bc1fb89e33403a168e6e3e2ec08

SHA1
a39ca102f6b0e1129e63235bcb0ad802a5572195

SHA256
0b77bdb04e0461147a7c783c200bc11a6591886e59e2509f5d7f6cb7179d01ab

SHA512
db43b091f60de7f8c983f5fc4009db89673215ccd20fd8b2ced4983365a74b36ac371e2e85397cac915c021377e26f2c4290915ea96f9e522e341e512c0fc169

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender-launcher.exe

Filesize
1.0MB

MD5
917cd3d4913b45e8dd1902089d3fe1d3

SHA1
33e55f9aa098addf5d238bda1c2754a359de2bc8

SHA256
5caa067eb77db3b392584822278fdacf02a7668ad1f1e4a2cee2f4dd82f4d3c1

SHA512
fd01eef42f800f7e398d05ad1dfcb8c42c33eadb49d9d7d97bae98c36c366f643fab483be9e7b7f11b822ccea0aac79fd8250566f56e38a48c4cab8543430fb4

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\OpenColorIO_2_3.dll

Filesize
4.1MB

MD5
a31065bdc5c10695e4e833746e348e6a

SHA1
016e9d395fb7b25ab58fafa40aac6dbcee58c8ec

SHA256
98ac33134af7792227615d0793efb9c7f8c0d7212e40bb1f8009554d75b4173c

SHA512
964c1032c507562e927302beca60f88134284d8725ef75b3517fa24efec0dbf16c3843a85f27e3e303c445c6dd8af263b71d51f21af46c5db16078d8be78584d

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\OpenImageDenoise.dll

Filesize
159KB

MD5
c2cbaa8f5fb7f4f1b49d1da69783b6bd

SHA1
6cd09948497c5f38e67b071dc3335a60868a5794

SHA256
3d55d155ea1b002b41132c19793ce0767ab6fcb45632b7af30d88982473e9b19

SHA512
e2b30121daf454cdb23614cdda31837692a3a75281d796531c5201ba6911fdcb94a9cb2452137e2f97c35a18088d5afc0dcb9ee10536e6a264c9943e4d740262

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\SDL2.dll

Filesize
1.6MB

MD5
5519060c0a3732dd3e182ff5ffa1b37d

SHA1
84c14c4ecb8647aee1759e867937b81a2265d9bb

SHA256
2bb6bf95076c2e41ea9d496212e3cb4a04ee6799f72a7d0bc0cec6f127970f26

SHA512
ead883708d143283de4f5c8a8379b5ea35a95670d78ccb17da7cd07932c59079431a454940ee1e9326f1b6a75b404b538173f80378f295382969284412b421ce

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\boost_python311-vc142-mt-x64-1_82.dll

Filesize
188KB

MD5
8f21487f8d189942eaf8cf821b549c5d

SHA1
4e7173333b73997699c65d7daf22c4e1424e8d8f

SHA256
2fae83f3d942da8b4ccf974546e26da82bb55bc2372c04d299a41c65541b3acc

SHA512
fd3fd4d0d629d47c8fc29cfcfa20bd9886c0393ee1e44460416e78473e8f1a1af86c551dd73ec51b4d2335ec4d202712a495f1323c7af79e55508b133f4c3ec7

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\embree4.dll

Filesize
25.4MB

MD5
83d232ba43e8065cb01f4b2c291e7f19

SHA1
098a2c35ada3c35c814e0cf49d0f11f64ff1cb13

SHA256
4bebd29ca111987fc6c9de52ae9365b72a3d8c1929ea720d7f745707ba9e5dff

SHA512
4b80a74ffdf45fe27396d0416a1662bc99b00b258724728a5a7ba28d528f540a202e313ea360ca4e55467bd07b82883b41554130d3cca3f7ca4f21e66ee099a8

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\openimageio.dll

Filesize
9.0MB

MD5
158e94e4f435e543db28c7d1cf3756e8

SHA1
807b5d3177161da499910dd7761e31ff16b6f4ab

SHA256
d2d2fc31dafb093426487e41d2b1e6d770e51bc9b3a4bbba9cc912a28125a825

SHA512
87bd90db88618b6976c6ef16fc0ea7b7dacd52020f07d40eea97e661df84b4066178abb49a4facb8fa8912ae7bfa7e0056c380c1905761d831d3cb0560750cd6

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\openimageio_util.dll

Filesize
753KB

MD5
395068c7e2feceada87dfdf9f84c902d

SHA1
165a2f515b3837496fc82ef236a41ed375ef7229

SHA256
3f10e9b96edd550769e188e04d483a0c22d5071c9271cd36647e3983ddb23104

SHA512
cf1d5f97a780dc088fd223bd7fdecd0c7157753c95ed3d07cdf2305d3e46eefe2efaa6400a002d2eac3e1fb3220075d95b2e110aad6e7b4c799db4ea760b0bed

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\oslcomp.dll

Filesize
21.6MB

MD5
5ffb4504b20ead019782ac9d1417bb7c

SHA1
34da8d005a5a7ceeb4699c60beb8395b59a12f61

SHA256
9a42e36a09ae2315b30bcf61db00d7d8a49ec5cc6206c4440f649621b7ced544

SHA512
b48f7102960235d050ca251ad8ba29d4aea1ed12f498b4e278a76ada8de70a7845b0b3a4110dd8319d589978b9c412addd4f68ef7a47fde81ebb41c8a32cb037

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\oslquery.dll

Filesize
155KB

MD5
15be9a6dd75dc34b68f713b62d430655

SHA1
bdd083c23692c396fe488a20487b9adfb05034e1

SHA256
14419a023b62ae52eab2c0b9b05c777b3bd3783b4ec00bb7758353cdc4251221

SHA512
849529caf53eefd49db2ca64b84ba1ab9f4fc76c918d792f58d420ca000d432ab141fbf9c24765665c2c509878de25461e5594a0eba5819d720bbbd886974e5c

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\sycl7.dll

Filesize
4.6MB

MD5
bf8ab503a4faf844cb7027a1483cab74

SHA1
a3b727402fad5c31c5a587b9ef8adbfa2112cd09

SHA256
b61ddeb950b71ee89cbf261a78c6fd63b331c63758dfcc83c4898b36d179cf6c

SHA512
fe638bc4605c976b8b8a7f94cd4b4acc42234366c66ac2890f343719980479f59116a51949e81cd76e8287cfba86bc6b7b52c0e46e097b7888a64baf9d118466

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\tbb.dll

Filesize
155KB

MD5
f655e5b5473e98c6b2bae0069505ca8a

SHA1
71b1b899fb40ea42e0929ec1305da99cfb530b01

SHA256
cc62cc39661429945cda80f93a4a62c7c67300f9b5f81253de53abd4c5b53504

SHA512
21b7342d8a559f95d033a46dbf6212d2f4e66111767e176729c076f88d4210c52044c3feb59a60d6a34402b15ca42bb4e20ba5afe285bd18f05857d96214b736

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender.shared\tbbmalloc.dll

Filesize
54KB

MD5
a70e312a856bd55ca9b77895ad0633b6

SHA1
f0cef1e6cc37dfd2f01cf480db6035e1d41bcd98

SHA256
476f84225029847ff7e318f3107dbb755a38826d3db69fc7ef92851ea3934210

SHA512
8f9883700258620fff1867a71af3bb9bf097842c47f78fe8f9b6835e78b8e701bdcf4e83eb772b7669c232131a05b06ff30918b7d02087e6dbf1008e347a6575

Download Submit
C:\Program Files\Blender Foundation\Blender 4.2\blender_cpu_check.dll

Filesize
20KB

MD5
ff668541e6089cf77c0ca387a426dba9

SHA1
0c01fe2e239047389bb0ef39cf8df1f7b79153e5

SHA256
3c21d422b496a9f49f9b6321bfa15bb649a1ed2de7dc97a917f303743fb9d161

SHA512
f312000224245544ad4e7193d5db49641bc885956d769a8f9b6fa425a1653fc5d88dbc79aefdcaf3681d4ef7cd7aa140bf6de4059d348c3de6e49071b9280906

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\4E2BAFF688C7994811CD78232818FD29

Filesize
3KB

MD5
e0dd62d961e81e6c18ccce375225c08a

SHA1
29035890d55212c887652beae241e0a3d31e98dc

SHA256
48d76d66a1f86e1698bac1982c8e3fe472f4e453e7c3e2ba921630b09101d052

SHA512
7b41fe450b16dae670f0b04979a34107e789e5009b3b3812b6d90df59a653a303685ad31eaa44f1cc561311c3ba54e4e07653529482fb9b4ab9c254423dfd1d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\949D2E01833511C6366A8B529939FE66_A640373CFD567F7FA24BE1FC82025C7E

Filesize
313B

MD5
1b44d44f41e35d7b26ab67f06a1941a2

SHA1
e60bd3534a122f8c77fa76914c976424f812ebe3

SHA256
0ec1a2fd7b72d1842bc3450f1977f61ce69b9346949300c07452927563b97f42

SHA512
369cc92d796ddcfdfe81ca73a4f3f368f61d4e3e2827a15f5b24508b1c5b41f7bb7200ffe694a8cb88165f678044cafbdab77d145a7527734785e1b1263bfb08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\4E2BAFF688C7994811CD78232818FD29

Filesize
306B

MD5
7909d89171520e830d25a53e47b32f87

SHA1
52b414001facaf39cb4f3b5cfb07f250e0b24fcb

SHA256
aabe05840fac5731570221537b548330061fa5a349b9a06f997c3ff4dc31f18b

SHA512
e6eac0a0470be4752a958e0eb328920d9b93768c48d2090867a442ae05881ebc8920a46f479e6c161a70d6df697eae4107185ff14894e87f6637cb8bd6380850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\949D2E01833511C6366A8B529939FE66_A640373CFD567F7FA24BE1FC82025C7E

Filesize
494B

MD5
476bdd3defafc2f058b038f292afc633

SHA1
5dfad8cc2a43a9d55339622881fc752be15886d5

SHA256
f45bfb5ab074c40d795f1389127f35abc294f2040f6f8c5cba81d04c86aa3db1

SHA512
6e70db3187cd1c043e2a9920b95ed9f7907bf20ed0eec9cf345db9ea9031982bdcfd3b210d1003caadb75357e82c2f0c8e3f1e738230c5544b6aa8456f6bc2c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
3c72d3ea0b739ebdaeae7b523b47e574

SHA1
ed29782b81753b3ecefe7dbd8244e23d28d71fdd

SHA256
eee18dc7234a021a01b6d004a31b7b7e5b6de301e132b41227cdc80cb942aee2

SHA512
d01f137c688d127f4674e0a32fe3350cea7e3c4c54d98232e42bf37528aabc74b1a61f743e3d4e1375b3373bf25791348a0de8d33d7a338681ba5cf83df0bd52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f7b99220ab11cfde05ddb0170cdd233f

SHA1
57656187897441c8fa44ec370d47b64d80a452d7

SHA256
58d433d931ffb9dda54b7845fd8601dc17fa51f118fd265e0008e995c5c7487f

SHA512
11d9dacb6c6ca234a16a36453aeb28e1cfcef8f75484fac3aabfc406446b7cf2a7fb568700463318d750132a2436e807b3243b42ff9945926368ec0e870acd75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
62c57ad308c81b761aacb12e065184a2

SHA1
e829308772efee50e67561826aad9cb862c47f61

SHA256
417636aa94614cdd451d0a67599afea52a17badceb1158d90f29f9fe98b1c3bc

SHA512
172af4bb3cb3fd7aef1cdcca122888b9e644771c3602addbe7371067f5a50a3e17202dc1601da01b9b5bed3d5bce75d0a6b34dffb61cc68c2608735afa50f796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
9c2401ab6a5c0872a8b154e201834c2a

SHA1
eabddb041473e6926aa14be287293c25f9a018c2

SHA256
67acf9037f61b51d23a0069663e4799b41da4e3b17b04c789965c37a85ae3c1b

SHA512
0f902d0da85f0deee3599385ddf1f8ab4e4e53e5e5a322a7fd32f5738ebd739bf928a41b9ebf5ef8a829d100d6be5df1e0a9206c968fffd2516887f1d6fdaae5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c6ca73586f4982ce6d360502e203508c

SHA1
a335c6631de5df6bcb3153cceb37629ab69e7a71

SHA256
f6995899cda5824e98f9d998e450928042e43f342e9aca4a2a8ad57ad5ce38a6

SHA512
5c368d995fcbea769def8b78d5de8b984cc5c27a4d00b9b2c45bb5ee4a0cbde296427b112269ce02765f92e45cf5b99de22d96af823f91ca91fcc3f5200f259a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9102362485df80764b34d9ccb077b558

SHA1
e329a0e4b74e6f3b5a2207926055391de2dc99cc

SHA256
db5a774b2f4d3ccfd2ebb6575136af14dd7116fbfd87ddfa398835268959f355

SHA512
0e11b01c160a9241828f6036b91f62392490ab09eaccfe0295abd75e87610bfcedf7c6b2c555baa13e8007740e35f2b6bfc8c587ecc1ce78fa3ca639b191afb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
369aa33db419233a19f139185f8d3539

SHA1
c2fa6b53e7d72fbe7a861fa7d1a169c7a33dc8cd

SHA256
8c7742a0e0f1364673c8ad4907f74b9f4516a0b8267a1baa2fa0667a320f950a

SHA512
8d8795a5014ce1759505a2ddaec8b439c5df4ee409ace989bf25cf7fd06202732d517d67548341f5b525900fe1dac9a8ead895643f1f8b1257942b1a7d620b9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
469bc053c255b06cc99e0d9f89050780

SHA1
064a9970c625ece3f863e776a70b8dc81a27e08a

SHA256
a37f0b74d7afe4c515de3e1ae7296da493f200771c56093172c06b1083bc4046

SHA512
eda62ac3f34474d18a9ddfc3d44c543f1638dcf4049b4e6b14cd72ffb97274d26890635e915c196e6ee513aef29841cf3e95ac8a7a643af6023ceb3065e109c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a621367ac1552ab885c013e7ecb04866

SHA1
ae0a5c407ac7fb3c0887fd1923aa9aacc2502f9d

SHA256
7326a734810c22adb67fff3ba8eda607dc759027dbe73bec39b751d646496f6c

SHA512
1d73a2529de26f877ad2e665cd70401d2ce67c963e0bb0f83b5b89d49a4246d83aba65f3d36074c5225076d09a56bddb5fceb29eff8f1b1b43f9f9e9339a49d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3c24a108f3161875969b75e10c997775

SHA1
46c9b6b04ede303de02453d4749828e0d6ca79d6

SHA256
71f19af58a4ffae0eb094a5cd2654030ef81f93c8ab5fe839fbb92979632d939

SHA512
c5c8d98ec95061aac9293bdd59c0bc91fdef67d63df620e16ff29f846fa13b03639858702e9f9ec5f7e9f8736626316d2613a4dd33a1e1602c6a10ab4a3ef38e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
00ea3b064c3020ca47c095c5bab569e6

SHA1
0d90e631d15291b21ae484463fd7627f9d6d364a

SHA256
b9417b5952292f04bcfeba20d6985887e190f83a95d9ce291e4ed2c1073bb98a

SHA512
aba68969d328b6623661b5587a61773b1510bc62883e1925463f2e14f5fc01bf19fc73fe8f043dc00b1c71bca7cdc5f8d7583cc2bdbcb434b00f538bd2cc7cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ec3a5d4e04c6dd70d6c65a4b7300adbc

SHA1
fd205496f8ba4bb915aa2688cc68d90ed67e1808

SHA256
8e995183720b3c63c046902c87b03feef8c6650d0711749929af399b6bae206e

SHA512
0eecd3aafebf58104e6138b39bd3592e9a2a1acad0a150022946df1016e4af9b9f837447c6e97017b73df3d37ff2de6dd9394300745bcea8b7958d91d54f1235

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58411b.TMP

Filesize
874B

MD5
d40234c55c5fa0368245099d7752bde8

SHA1
629fad3a5dcf68abaf7b86f758a3e728cccf2061

SHA256
3b1119cfb2b050e28f70418bad2d113ddfeaad7479ff203cba31795ac9d41bb4

SHA512
0e34235252db24af0ca4ccaec4a76d03516c7b9827612ba019048acf6dd79356244a8b9956fef1d747c03a3137e17d760485f498874e037f70205cb772cfee31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6667e89bb82c91673e6d6b3aecdcb9d0

SHA1
eb6905d1a8aa451c98e7cdd1f2014d80c9e95929

SHA256
8b231fac11977b1c6ae9374ba83a044f8a9b54723e630be6e4d16fc898b8a1f8

SHA512
575779f4611b288316a1317968323df96848448f85a1361e88acdc2a34ac7c7667715942049644a76c19957ed6857f71bcb6f27fca94adf3d9af825cfc16456f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8038cabfc005441c4a189b91369a0053

SHA1
ad465ce6441bd8cc4962e8ee2437030599f5ae3e

SHA256
a5481fce5694ac8d8eab15adefd1f481c86ded98a0e2b031babac252f1fdf1d0

SHA512
5405683c514251ee9315688a2c9d4c5e71c1ef79c7ef765a653d1d1ae61e7795348b58e7aae853964b4ca4026344c4b95dfdbe530d29ca4d04a0cb0eb46a29ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4f66b53683c1cd8732967a1bac13f552

SHA1
245eac0ef3c96c73d913cd4bf611d37ba9d4b787

SHA256
c7b075d61ca9bf52fa44a4bf9e12c55c11a1b527ea2d8ff516f7798b0eb79e1b

SHA512
5d3ebee53c5dfca62e4ad4c8272c9749542be484a19a6c403378166ff4018d0636d0a7be0a22e9388a6c936a8fbaf70f13c65c7bca5e6962bf0d534acefe0ccf

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 301371.crdownload

Filesize
1KB

MD5
49145f670ecf357d0107b3030a8325ad

SHA1
d9addd2358a049a792f83767c3f8e20ff5531021

SHA256
f47ade9d2527c52f8ab9e360004fe9ae09b3272484f23cb80bf3d8b242f2192f

SHA512
4b3d3e000c94a10aff9d309966a9fab428ac5f366027f3e9770ee27c88b8fd2c77107b23216ca1c6b7b1b7f53924d33c99bdfbb593a822f04899e0de00398a59

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 709158.crdownload

Filesize
8.5MB

MD5
06c04dcb69b542bf98b5811f03137328

SHA1
5c76ce42a0b31dcae55e61936035c97d0b917205

SHA256
061a17f69fda29a0c48415c15128c31c7207abacff959b1a1bb1937ede79cc5a

SHA512
28b35ada0b0f0be6256ee50682e098c43d731aa82e25b2a7a9695c908ac6f84649d329e3fa6813b870b93a3ad43cbe3549df6c788c478b4bdb2f5198d10992e7

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
6ead4b33a9c411f4d4c723a904731bc1

SHA1
729d50b222aab1fbceab5ba581e7de61db478143

SHA256
8fd058b66ff35acb8c666c592509e211494e6060a211f27adfc7f719736aacb1

SHA512
3d1e1a84c47a7549a2c7b7009764bc3c5d05a7acd5311f50727ceb693ac0ff55153275cf3c8d9470bfa192f965cd1ccc16d45a14b49d91fe09dfd9fee9c1cad8

Download Submit
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{87e5e62e-df05-43a0-a94c-36a22a2fb8c4}_OnDiskSnapshotProp

Filesize
6KB

MD5
0137dc26461e0a8107346c809bd10107

SHA1
0ae7f07a53df7e0fdf3da9fb3a3994e7dd2d0cd7

SHA256
2120d7dec4e731a5f283d9fa73340dd75d86406be2067d6721b942ae7d7bc87e

SHA512
429eece3b7b205cc7a938b33b861260b809a37418bb4a21fd54026b2dfb81d90c43f8e54254be8c890e23e2a0aa505d80a155a8d49e95a396b68de49a5ddbe26

Download Submit
memory/1652-5964-0x00007FF9A7C90000-0x00007FF9A7CA0000-memory.dmp

Filesize
64KB

Download
memory/1652-5965-0x00007FF9A7C90000-0x00007FF9A7CA0000-memory.dmp

Filesize
64KB

Download
memory/1652-5963-0x00007FF6C12D0000-0x00007FF6C631B000-memory.dmp

Filesize
80.3MB

Download
memory/1652-5966-0x00007FF9A7C90000-0x00007FF9A7CA0000-memory.dmp

Filesize
64KB

Download
memory/1652-5967-0x00007FF9A7C90000-0x00007FF9A7CA0000-memory.dmp

Filesize
64KB

Download
memory/1652-5968-0x00007FF9A7C90000-0x00007FF9A7CA0000-memory.dmp

Filesize
64KB

Download
memory/2896-6430-0x00007FF6C12D0000-0x00007FF6C631B000-memory.dmp

Filesize
80.3MB

Download
memory/2896-6431-0x00007FF6C12D0000-0x00007FF6C631B000-memory.dmp

Filesize
80.3MB

Download
memory/3280-6415-0x00007FF6C12D0000-0x00007FF6C631B000-memory.dmp

Filesize
80.3MB

Download