Resubmissions
- 03-12-2024 03:53
- 241203-efqlnsynbv 7 03-12-2024 03:48
- 241203-eczp6svjcl 7 03-12-2024 03:46
- 241203-ebrm6sylfs 7 03-12-2024 03:43
- 241203-d97avaykhw 7 03-12-2024 03:39
- 241203-d7wrbstqbq 7

Analysis
- max time kernel: 432s
- max time network: 433s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2024 03:53
- Static task: static1
- URLScan task: urlscan1

Signatures
Executes dropped EXE (14 IoCs)
- PID 968: Class 360-444-450 Sound Pack Extra Stock.exe
- PID 2740: Class 360-444-450 Sound Pack Extra Stock.exe
- PID 2832: 7za.exe
- PID 2188: 7za.exe
- PID 4580: 7za.exe
- PID 1488: 7za.exe
- PID 2360: 7za.exe
- PID 2236: 7za.exe
- PID 3520: 7za.exe
- PID 4400: 7za.exe
- PID 4808: 7za.exe
- PID 1644: Class 360-444-450 Sound Pack.exe
- PID 3532: Class 360-444-450 Sound Pack.exe
- PID 3672: 7za.exe
Loads dropped DLL (2 IoCs)
- PID 3732: MsiExec.exe
- PID 1164: MsiExec.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
- flow 6: drive.google.com
- flow 9: drive.google.com
Drops file in Windows directory (14 IoCs)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File created: C:\Windows\Installer\{6CE7FA83-63AC-4C55-A397-7FC88B3DC2F2}\ARPPRODUCTICON.exe (msiexec.exe)
- File created: C:\Windows\Installer\e5af550.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e5af54e.msi (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{6CE7FA83-63AC-4C55-A397-7FC88B3DC2F2} (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIF743.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\{6CE7FA83-63AC-4C55-A397-7FC88B3DC2F2}\ARPPRODUCTICON.exe (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e5af550.msi (msiexec.exe)
- File created: C:\Windows\Installer\e5af54e.msi (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIF6D5.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSID4E2.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSID58F.tmp (msiexec.exe)
HTTP links in PDF interactive object (1 IoCs)
Detects HTTP links in interactive objects within PDF files.
- yara_rule pdf_with_link_action: behavioral1/files/0x000200000001e733-188.dat
System Location Discovery: System Language Discovery (1 TTPs, 18 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
- 7za.exe
- 7za.exe
- 7za.exe
- 7za.exe
- Class 360-444-450 Sound Pack Extra Stock.exe
- MSIEXEC.EXE
- 7za.exe
- 7za.exe
- 7za.exe
- 7za.exe
- 7za.exe
- Class 360-444-450 Sound Pack.exe
- Class 360-444-450 Sound Pack.exe
- MsiExec.exe
- Class 360-444-450 Sound Pack Extra Stock.exe
- MsiExec.exe
- 7za.exe
- MSIEXEC.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
Modifies data under HKEY_USERS (5 IoCs)
- Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 (msiexec.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 (msiexec.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27 (msiexec.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 (msiexec.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E (msiexec.exe)
Modifies registry class (1 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings (msedge.exe)
NTFS ADS (4 IoCs)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 598511.crdownload:SmartScreen (msedge.exe)
- File created: C:\Users\Admin\AppData\Local\Temp\{E6EF024A-BC04-454F-8CFD-038B2D0FAE87}\Class 360-444-450 Sound Pack Extra Stock.exe\:SmartScreen:$DATA (Class 360-444-450 Sound Pack Extra Stock.exe)
- File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 827666.crdownload:SmartScreen (msedge.exe)
- File created: C:\Users\Admin\AppData\Local\Temp\{73420408-A7F5-49E4-ADE4-78983A8E4FAC}\Class 360-444-450 Sound Pack.exe\:SmartScreen:$DATA (Class 360-444-450 Sound Pack.exe)
Suspicious behavior: EnumeratesProcesses (24 IoCs)
- PID 4748: msedge.exe
- PID 4748: msedge.exe
- PID 3092: msedge.exe
- PID 3092: msedge.exe
- PID 3532: identity_helper.exe
- PID 3532: identity_helper.exe
- PID 2384: msedge.exe
- PID 2384: msedge.exe
- PID 5028: msedge.exe
- PID 5028: msedge.exe
- PID 4544: msedge.exe
- PID 4544: msedge.exe
- PID 4520: msedge.exe
- PID 4520: msedge.exe
- PID 4520: msedge.exe
- PID 4520: msedge.exe
- PID 1536: msedge.exe
- PID 1536: msedge.exe
- PID 4500: msiexec.exe
- PID 4500: msiexec.exe
- PID 316: msedge.exe
- PID 316: msedge.exe
- PID 4500: msiexec.exe
- PID 4500: msiexec.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (15 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (64 IoCs)
Suspicious use of SendNotifyMessage (24 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

Level 1: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/drive/folders/1Zry70bwVx84a_nS9aYPJ6Otgueom0_KA?usp=drive_link
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID: 3092
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbb89746f8,0x7ffbb8974708,0x7ffbb8974718
PID: 1868
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2056 /prefetch:2
PID: 224
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
PID: 4748
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
PID: 3580
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
PID: 3172
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
PID: 1344
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
PID: 4256
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
PID: 4336
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 3532
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
PID: 4268
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
PID: 5004
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
PID: 2808
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
PID: 452
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4904 /prefetch:8
PID: 4256
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
PID: 1620
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 2384
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2144 /prefetch:1
PID: 4464
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
PID: 1476
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=4980 /prefetch:6
PID: 116
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2136 /prefetch:1
PID: 2176
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6524 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 5028
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
PID: 2184
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6332 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 4544
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1292 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
PID: 4520
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
PID: 3636
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6252 /prefetch:8
PID: 3160
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
PID: 3132
Level 2: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6368 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
PID: 1536
Level 2: "C:\Users\Admin\Downloads\Class 360-444-450 Sound Pack Extra Stock.exe"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID: 968
Level 3: "C:\Users\Admin\AppData\Local\Temp\{E6EF024A-BC04-454F-8CFD-038B2D0FAE87}\Class 360-444-450 Sound Pack Extra Stock.exe" /q"C:\Users\Admin\Downloads\Class 360-444-450 Sound Pack Extra Stock.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{E6EF024A-BC04-454F-8CFD-038B2D0FAE87}" /IS_temp
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2740
C:\Windows\SysWOW64\MSIEXEC.EXE"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{C465C159-CE71-4486-8F37-509B0E9129EC}\data.msi" SETUPEXEDIR="C:\Users\Admin\Downloads" SETUPEXENAME="Class 360-444-450 Sound Pack Extra Stock.exe"4⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3324
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\system32\explorer.exe4⤵PID:4128
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:12⤵PID:4792
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6360 /prefetch:82⤵PID:1252
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,6892798334545495951,3712539729217160517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:316
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:2076
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3948
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4500 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F41D5E402214717EDFC27D43CFF695A82⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3732
-
-
C:\Users\Admin\AppData\Local\Temp\7za.exe"C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\\data.7z" -o"C:\users\admin\desktop\1\" -aoa2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2832
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\users\admin\desktop\1\Assets\InstallMe.bat2⤵PID:1552
-
C:\users\admin\desktop\1\Assets\7za.exe7za.exe e "C:\Users\Admin\Desktop\1\Assets\RSC\GEML\GEMLAssets.ap" RailVehicles\Electric\Class360\Default\Engine\DMCO\DMCO_A.GeoPcDx -o"C:\Users\Admin\Desktop\1\Assets\RSC\GEML\RailVehicles\Electric\Class360\Ex-FGE\Engine\DMCO" -y3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2188
-
-
C:\users\admin\desktop\1\Assets\7za.exe7za.exe e "C:\Users\Admin\Desktop\1\Assets\RSC\GEML\GEMLAssets.ap" RailVehicles\Electric\Class360\Default\Engine\DMCO\DMCO_B.GeoPcDx -o"C:\Users\Admin\Desktop\1\Assets\RSC\GEML\RailVehicles\Electric\Class360\Ex-FGE\Engine\DMCO" -y3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4580
-
-
C:\users\admin\desktop\1\Assets\7za.exe7za.exe e "C:\Users\Admin\Desktop\1\Assets\RSC\GEML\GEMLAssets.ap" RailVehicles\Electric\Class360\Default\Engine\TSO\TSO.GeoPcDx -o"C:\Users\Admin\Desktop\1\Assets\RSC\GEML\RailVehicles\Electric\Class360\Ex-FGE\Engine\TSO" -y3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1488
-
-
C:\users\admin\desktop\1\Assets\7za.exe7za.exe e "C:\Users\Admin\Desktop\1\Assets\RSC\GEML\GEMLAssets.ap" RailVehicles\Electric\Class360\Default\Engine\PTSO\PTSO.GeoPcDx -o"C:\Users\Admin\Desktop\1\Assets\RSC\GEML\RailVehicles\Electric\Class360\Ex-FGE\Engine\PTSO" -y3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2360
-
-
C:\users\admin\desktop\1\Assets\7za.exe7za.exe e "C:\Users\Admin\Desktop\1\Assets\RSC\GEML\GEMLAssets.ap" RailVehicles\Electric\Class360\Default\Engine\DMCO\DMCO_A.GeoPcDx -o"C:\Users\Admin\Desktop\1\Assets\RSC\GEML\RailVehicles\Electric\Class360\FGE\Engine\DMCO" -y3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236
-
-
C:\users\admin\desktop\1\Assets\7za.exe7za.exe e "C:\Users\Admin\Desktop\1\Assets\RSC\GEML\GEMLAssets.ap" RailVehicles\Electric\Class360\Default\Engine\DMCO\DMCO_B.GeoPcDx -o"C:\Users\Admin\Desktop\1\Assets\RSC\GEML\RailVehicles\Electric\Class360\FGE\Engine\DMCO" -y3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3520
-
-
C:\users\admin\desktop\1\Assets\7za.exe7za.exe e "C:\Users\Admin\Desktop\1\Assets\RSC\GEML\GEMLAssets.ap" RailVehicles\Electric\Class360\Default\Engine\TSO\TSO.GeoPcDx -o"C:\Users\Admin\Desktop\1\Assets\RSC\GEML\RailVehicles\Electric\Class360\FGE\Engine\TSO" -y3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4400
-
-
C:\users\admin\desktop\1\Assets\7za.exe7za.exe e "C:\Users\Admin\Desktop\1\Assets\RSC\GEML\GEMLAssets.ap" RailVehicles\Electric\Class360\Default\Engine\PTSO\PTSO.GeoPcDx -o"C:\Users\Admin\Desktop\1\Assets\RSC\GEML\RailVehicles\Electric\Class360\FGE\Engine\PTSO" -y3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4808
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E9987EF2A3D606C047D0C3989C383CEB2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1164
-
-
C:\Users\Admin\AppData\Local\Temp\7za.exe"C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\\data.7z" -o"C:\users\admin\desktop\2\" -aoa2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3672
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3988
-
C:\Users\Admin\Downloads\Class 360-444-450 Sound Pack.exe"C:\Users\Admin\Downloads\Class 360-444-450 Sound Pack.exe"1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:1644 -
C:\Users\Admin\AppData\Local\Temp\{73420408-A7F5-49E4-ADE4-78983A8E4FAC}\Class 360-444-450 Sound Pack.exe"C:\Users\Admin\AppData\Local\Temp\{73420408-A7F5-49E4-ADE4-78983A8E4FAC}\Class 360-444-450 Sound Pack.exe" /q"C:\Users\Admin\Downloads\Class 360-444-450 Sound Pack.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{73420408-A7F5-49E4-ADE4-78983A8E4FAC}" /IS_temp2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3532 -
C:\Windows\SysWOW64\MSIEXEC.EXE"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Downloaded Installations\{D15D4FF8-7270-4AC8-BEC4-305DE9462E90}\data.msi" SETUPEXEDIR="C:\Users\Admin\Downloads" SETUPEXENAME="Class 360-444-450 Sound Pack.exe"3⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2572
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\system32\explorer.exe3⤵PID:624
-
-
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\*\" -spe -an -ai#7zMap4429:264:7zEvent70401⤵PID:2876
Network
MITRE ATT&CK Enterprise v15
Downloads