hxxps://drive[.]google[.]com/file/d/1qLbZo9fsaG9taavG4e9H7GaL_t36nXCU/view?usp=sharing

Analysis

max time kernel
127s
max time network
259s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
23-12-2024 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1qLbZo9fsaG9taavG4e9H7GaL_t36nXCU/view?usp=sharing

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 13 IoCs

pid	Process
4292	vcredist_x86.exe
2684	vcredist_x86.exe
3724	vcredist_x64.exe
4608	vcredist_x64.exe
4088	DXSetup.exe
6056	infinst.exe
5700	infinst.exe
6684	infinst.exe
6360	infinst.exe
624	infinst.exe
6924	infinst.exe
5220	infinst.exe
5776	infinst.exe

Loads dropped DLL 17 IoCs

pid	Process
4440	UE4PrereqSetup_x64.exe
2684	vcredist_x86.exe
4608	vcredist_x64.exe
1496	MsiExec.exe
2760	rundll32.exe
2760	rundll32.exe
2760	rundll32.exe
4088	DXSetup.exe
4088	DXSetup.exe
4088	DXSetup.exe
4088	DXSetup.exe
4088	DXSetup.exe
6680	regsvr32.exe
5188	BomberVRMultiplayer.exe
5188	BomberVRMultiplayer.exe
5188	BomberVRMultiplayer.exe
5188	BomberVRMultiplayer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{0d995f46-317b-4b5f-bf3e-9f98bae9d339} = "\"C:\\ProgramData\\Package Cache\\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\\UE4PrereqSetup_x64.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\UE4_Prerequisites_(x64)_20241223153226.log\" /burn.runonce"	UE4PrereqSetup_x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
5	drive.google.com
10	drive.google.com
11	drive.google.com
13	drive.google.com

Drops file in System32 directory 56 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SET8013.tmp	infinst.exe
File opened for modification	C:\Windows\system32\d3dx11_43.dll	infinst.exe
File opened for modification	C:\Windows\system32\D3DCompiler_43.dll	infinst.exe
File opened for modification	C:\Windows\SysWOW64\SET7FC5.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\XAudio2_7.dll	infinst.exe
File opened for modification	C:\Windows\system32\SET82C3.tmp	infinst.exe
File created	C:\Windows\SysWOW64\SET821D.tmp	DXSetup.exe
File created	C:\Windows\system32\SET8255.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\SET828B.tmp	DXSetup.exe
File created	C:\Windows\SysWOW64\SET7FC5.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SET8033.tmp	DXSetup.exe
File created	C:\Windows\SysWOW64\SET8092.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SET8110.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\d3dx10_43.dll	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SET828C.tmp	DXSetup.exe
File created	C:\Windows\system32\SET8013.tmp	infinst.exe
File opened for modification	C:\Windows\system32\SET8071.tmp	infinst.exe
File created	C:\Windows\system32\SET818A.tmp	infinst.exe
File created	C:\Windows\SysWOW64\SET828C.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\XAPOFX1_5.dll	infinst.exe
File opened for modification	C:\Windows\SysWOW64\X3DAudio1_7.dll	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\d3dcsx_43.dll	DXSetup.exe
File opened for modification	C:\Windows\system32\SET81E8.tmp	infinst.exe
File opened for modification	C:\Windows\system32\SET8255.tmp	infinst.exe
File opened for modification	C:\Windows\system32\vcomp110.dll	msiexec.exe
File created	C:\Windows\system32\SET8071.tmp	infinst.exe
File created	C:\Windows\system32\SET814C.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\SET816F.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SET81AE.tmp	DXSetup.exe
File created	C:\Windows\system32\SET81E8.tmp	infinst.exe
File opened for modification	C:\Windows\system32\SET814C.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\D3DCompiler_43.dll	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\xinput1_3.dll	DXSetup.exe
File opened for modification	C:\Windows\system32\SET80CF.tmp	infinst.exe
File opened for modification	C:\Windows\system32\xinput1_3.dll	infinst.exe
File created	C:\Windows\SysWOW64\SET8033.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\d3dx10_43.dll	infinst.exe
File opened for modification	C:\Windows\system32\SET818A.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\XAPOFX1_5.dll	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\D3DX9_43.dll	DXSetup.exe
File opened for modification	C:\Windows\system32\D3DX9_43.dll	infinst.exe
File created	C:\Windows\SysWOW64\SET816F.tmp	DXSetup.exe
File created	C:\Windows\SysWOW64\SET81AE.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SET8092.tmp	DXSetup.exe
File created	C:\Windows\SysWOW64\SET8110.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\SET82D3.tmp	infinst.exe
File opened for modification	C:\Windows\system32\vcomp100.dll	msiexec.exe
File created	C:\Windows\system32\SET80CF.tmp	infinst.exe
File opened for modification	C:\Windows\system32\d3dcsx_43.dll	infinst.exe
File opened for modification	C:\Windows\SysWOW64\XAudio2_7.dll	DXSetup.exe
File created	C:\Windows\system32\SET82C3.tmp	infinst.exe
File opened for modification	C:\Windows\system32\X3DAudio1_7.dll	infinst.exe
File opened for modification	C:\Windows\SysWOW64\d3dx11_43.dll	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SET821D.tmp	DXSetup.exe
File created	C:\Windows\SysWOW64\SET828B.tmp	DXSetup.exe
File created	C:\Windows\system32\SET82D3.tmp	infinst.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\Jun2010_d3dcsx_43_x86.cab	rundll32.exe
File created	C:\Windows\Installer\e5979f9.msi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\DSETUP.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\DXSETUP.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\Jun2010_D3DCompiler_43_x86.cab	rundll32.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7B8F.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\Jun2010_d3dx10_43_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File created	C:\Windows\SystemTemp\~DFBC2E2578DFD3FBEB.TMP	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\APR2007_xinput_x86.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\Jun2010_XAudio_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Logs\DirectX.log	DXSetup.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\Jun2010_d3dx10_43_x86.cab	rundll32.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\Jun2010_d3dx11_43_x86.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\Jun2010_d3dx9_43_x86.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\APR2007_xinput_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\dsetup32.dll	rundll32.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File opened for modification	C:\Windows\Installer\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Setup.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\CustomAction.dll	rundll32.exe
File opened for modification	C:\Windows\DirectX.log	infinst.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\dxupdate.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\Feb2010_X3DAudio_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp-\Jun2010_d3dx11_43_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7CC8.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File created	C:\Windows\SystemTemp\~DF549F445BFA92D8DA.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File created	C:\Windows\Installer\e5979fd.msi	msiexec.exe
File created	C:\Windows\Installer\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Setup.ico	msiexec.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DXSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UE4PrereqSetup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UE4PrereqSetup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000089ac4f3df1c89d300000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000089ac4f3d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090089ac4f3d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d89ac4f3d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000089ac4f3d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DXSetup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "6"	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DXSetup.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DXSetup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DXSetup.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Dependents\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ThreadingModel = "Both"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Dependents	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\DisplayName = "UE4 Prerequisites (x64)"	UE4PrereqSetup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\DisplayName = "UE4 Prerequisites (x64)"	UE4PrereqSetup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06160A3C31624122A971135BA0D60E46	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\Dependents	UE4PrereqSetup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_7.dll"	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\ = "{0d995f46-317b-4b5f-bf3e-9f98bae9d339}"	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_7.dll"	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\ = "AudioReverb"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06160A3C31624122A971135BA0D60E46\8D195B7D190100A40A3B35104CE5D515	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\PackageName = "UE4PrereqSetup_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\ = "AudioVolumeMeter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8D195B7D190100A40A3B35104CE5D515	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\PackageCode = "58B2C1A7070C8C44ABD5ABFD86427F57"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}v1.0.14.0\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\Version = "1.0.14.0"	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8D195B7D190100A40A3B35104CE5D515\VCRedist	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\ProductName = "UE4 Prerequisites (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\ = "XAudio2"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\ = "AudioVolumeMeter"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Version = "1.0.14.0"	UE4PrereqSetup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_7.dll"	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\Version = "16777230"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\ProductIcon = "C:\\Windows\\Installer\\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\\Setup.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ThreadingModel = "Both"	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ThreadingModel = "Both"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\ = "AudioReverb"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\ = "XAudio2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}	UE4PrereqSetup_x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}v1.0.14.0\\"	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\AngelOfDeathDemo0.1.4.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4828	msiexec.exe
4828	msiexec.exe
5188	BomberVRMultiplayer.exe
5188	BomberVRMultiplayer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4504	firefox.exe
Token: SeDebugPrivilege	4504	firefox.exe
Token: SeDebugPrivilege	4504	firefox.exe
Token: SeBackupPrivilege	2440	vssvc.exe
Token: SeRestorePrivilege	2440	vssvc.exe
Token: SeAuditPrivilege	2440	vssvc.exe
Token: SeShutdownPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeIncreaseQuotaPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeSecurityPrivilege	4828	msiexec.exe
Token: SeCreateTokenPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeAssignPrimaryTokenPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeLockMemoryPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeIncreaseQuotaPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeMachineAccountPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeTcbPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeSecurityPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeTakeOwnershipPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeLoadDriverPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeSystemProfilePrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeSystemtimePrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeProfSingleProcessPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeIncBasePriorityPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeCreatePagefilePrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeCreatePermanentPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeBackupPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeRestorePrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeShutdownPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeDebugPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeAuditPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeSystemEnvironmentPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeChangeNotifyPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeRemoteShutdownPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeUndockPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeSyncAgentPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeEnableDelegationPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeManageVolumePrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeImpersonatePrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeCreateGlobalPrivilege	2396	UE4PrereqSetup_x64.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe
Token: SeRestorePrivilege	4828	msiexec.exe
Token: SeTakeOwnershipPrivilege	4828	msiexec.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4440	UE4PrereqSetup_x64.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
4504	firefox.exe
5188	BomberVRMultiplayer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 4504	3844	firefox.exe	77
PID 3844 wrote to memory of 4504	3844	firefox.exe	77
PID 3844 wrote to memory of 4504	3844	firefox.exe	77
PID 3844 wrote to memory of 4504	3844	firefox.exe	77
PID 3844 wrote to memory of 4504	3844	firefox.exe	77
PID 3844 wrote to memory of 4504	3844	firefox.exe	77
PID 3844 wrote to memory of 4504	3844	firefox.exe	77
PID 3844 wrote to memory of 4504	3844	firefox.exe	77
PID 3844 wrote to memory of 4504	3844	firefox.exe	77
PID 3844 wrote to memory of 4504	3844	firefox.exe	77
PID 3844 wrote to memory of 4504	3844	firefox.exe	77
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 924	4504	firefox.exe	78
PID 4504 wrote to memory of 3392	4504	firefox.exe	79
PID 4504 wrote to memory of 3392	4504	firefox.exe	79
PID 4504 wrote to memory of 3392	4504	firefox.exe	79
PID 4504 wrote to memory of 3392	4504	firefox.exe	79
PID 4504 wrote to memory of 3392	4504	firefox.exe	79
PID 4504 wrote to memory of 3392	4504	firefox.exe	79
PID 4504 wrote to memory of 3392	4504	firefox.exe	79
PID 4504 wrote to memory of 3392	4504	firefox.exe	79

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/file/d/1qLbZo9fsaG9taavG4e9H7GaL_t36nXCU/view?usp=sharing"
1⤵
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/file/d/1qLbZo9fsaG9taavG4e9H7GaL_t36nXCU/view?usp=sharing
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1932 -parentBuildID 20240401114208 -prefsHandle 1860 -prefMapHandle 1852 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa9c1ce3-a1c3-49a6-87e4-0ccfedadbf9c} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" gpu
    3⤵
    PID:924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2344 -prefMapHandle 2340 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {52184734-6dc2-4fad-99fc-520d88f9b563} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" socket
    3⤵
    PID:3392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3176 -childID 1 -isForBrowser -prefsHandle 3224 -prefMapHandle 2932 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8367bc78-dbaf-4d6a-8baf-97372a534aa5} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab
    3⤵
    PID:4892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3976 -childID 2 -isForBrowser -prefsHandle 3968 -prefMapHandle 3964 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef5e3d10-bd4f-48d3-ae22-3175a8effe32} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab
    3⤵
    PID:1856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4912 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4904 -prefMapHandle 4896 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a3ad124-4388-4ad5-8d0e-eb38ed9d48a3} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" utility
    3⤵
    - Checks processor information in registry
    PID:4664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 3 -isForBrowser -prefsHandle 5712 -prefMapHandle 5708 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7286b51-0a18-4f73-aac3-1c673588ac9c} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab
    3⤵
    PID:3188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5912 -childID 4 -isForBrowser -prefsHandle 5828 -prefMapHandle 5740 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95267cc6-bd42-4b9e-b71e-4a8c545e43d1} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab
    3⤵
    PID:772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6040 -childID 5 -isForBrowser -prefsHandle 6052 -prefMapHandle 6056 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a2f7931e-e544-415f-8b4e-e843a5048059} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab
    3⤵
    PID:1440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6212 -childID 6 -isForBrowser -prefsHandle 6220 -prefMapHandle 6224 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1152 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1d54fd3-f04c-41c9-88f7-7e5424ffab32} 4504 "\\.\pipe\gecko-crash-server-pipe.4504" tab
    3⤵
    PID:4644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2620

C:\Users\Admin\Desktop\AngelOfDeathDemo0.1.4\AngelOfDeathDemo.exe
"C:\Users\Admin\Desktop\AngelOfDeathDemo0.1.4\AngelOfDeathDemo.exe"
1⤵
PID:4008
- C:\Users\Admin\Desktop\AngelOfDeathDemo0.1.4\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe
  "C:\Users\Admin\Desktop\AngelOfDeathDemo0.1.4\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- - C:\Users\Admin\Desktop\AngelOfDeathDemo0.1.4\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe
    "C:\Users\Admin\Desktop\AngelOfDeathDemo0.1.4\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe" -burn.unelevated BurnPipe.{6E6F8EB1-5EDC-4D58-98DB-44D6FC9CE04F} {CA1A9AF2-1A95-4761-9034-B584BB32826B} 2396
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:4440
- - C:\ProgramData\Package Cache\AFA5BADCE64EE67290ADD24E0DC3D8210954AC6C\vcredist_x86.exe
    "C:\ProgramData\Package Cache\AFA5BADCE64EE67290ADD24E0DC3D8210954AC6C\vcredist_x86.exe" /quiet /norestart -burn.embedded BurnPipe.{0D8E253C-8183-48AD-BD83-7B1574585520} {76EE8283-6FBD-463E-A337-F6A51287768E} 2396
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4292
  - - C:\Windows\Temp\{0A7075AB-0A58-4D81-98CD-5895A2496E4F}\.cr\vcredist_x86.exe
      "C:\Windows\Temp\{0A7075AB-0A58-4D81-98CD-5895A2496E4F}\.cr\vcredist_x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\AFA5BADCE64EE67290ADD24E0DC3D8210954AC6C\vcredist_x86.exe" -burn.filehandle.attached=592 -burn.filehandle.self=752 /quiet /norestart -burn.embedded BurnPipe.{0D8E253C-8183-48AD-BD83-7B1574585520} {76EE8283-6FBD-463E-A337-F6A51287768E} 2396
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2684
- - C:\ProgramData\Package Cache\B87C38D093872D7BE7E191F01107B39C87888A5A\vcredist_x64.exe
    "C:\ProgramData\Package Cache\B87C38D093872D7BE7E191F01107B39C87888A5A\vcredist_x64.exe" /quiet /norestart -burn.embedded BurnPipe.{CFFBF545-052E-4C94-A55D-B737A3F9803E} {CAF3900D-3768-467D-8588-6E04F7BE742B} 2396
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3724
  - - C:\Windows\Temp\{E6769F66-D5F0-4E62-9224-CB364EE57C32}\.cr\vcredist_x64.exe
      "C:\Windows\Temp\{E6769F66-D5F0-4E62-9224-CB364EE57C32}\.cr\vcredist_x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\B87C38D093872D7BE7E191F01107B39C87888A5A\vcredist_x64.exe" -burn.filehandle.attached=592 -burn.filehandle.self=600 /quiet /norestart -burn.embedded BurnPipe.{CFFBF545-052E-4C94-A55D-B737A3F9803E} {CAF3900D-3768-467D-8588-6E04F7BE742B} 2396
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4608
- C:\Users\Admin\Desktop\AngelOfDeathDemo0.1.4\BomberVRMultiplayer\Binaries\Win64\BomberVRMultiplayer.exe
  "C:\Users\Admin\Desktop\AngelOfDeathDemo0.1.4\BomberVRMultiplayer\Binaries\Win64\BomberVRMultiplayer.exe" BomberVRMultiplayer
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5188

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2440

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:4744

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding F1EFE98916BC898E1529B4563067CBD7 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1496
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI7CC8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240745703 2 CustomAction!CustomAction.CustomActions.InstallDirectX
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:2760
  - - C:\Windows\Installer\MSI7CC8.tmp-\DXSetup.exe
      "C:\Windows\Installer\MSI7CC8.tmp-\DXSetup.exe" /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Modifies registry class
      PID:4088
    - - C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe xinput1_3_x64.inf, Install_Driver
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:6056
    - - C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe X3DAudio1_7_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:5700
    - - C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe D3DX9_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:6684
    - - C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe d3dx10_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:6360
    - - C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe d3dx11_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:624
    - - C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe d3dcsx_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:6924
    - - C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe D3DCompiler_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:5220
    - - C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe XAudio2_7_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:5776
    - - C:\Windows\system32\regsvr32.exe
        
        C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_7.dll
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:6680

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004C4 0x00000000000004AC
1⤵
PID:6100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5979fc.rbs

Filesize
22KB

MD5
ecbf6dd9017aa0a2aa2efd249587fd93

SHA1
c236b46d34ddcec0dc2ecabba43af9f22888e3a2

SHA256
4963a0f2825b6b13feb6d5623f919a000618056681c3d99ec6f3511296020b9a

SHA512
2ac7fff294fa146cad930afe8ba5e26b81ace6502cda15e4ced9415eae99cf98abdc01d169eeb26ec4cf0105e6f7abd0e21bf786b4e72df5d66d0d12f5d94e14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
5cb16e48b582bf86a4b396fcbc235981

SHA1
3e7cbf189fbbff1efb9b04c398ceb902e816f15b

SHA256
ba479af493eeefdf7de4c86890f5d87886bc0bc92522d39dd09eb21f85cf23f9

SHA512
55210eb21fd974bb189063d4e377c37b2cf1c2e0d7ec056dee48f8619cfe04a7a8c1ba329abcfa7edb4785fac08375df4c8261e98dc3a8294f0f4fc29cf61eee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_BEF5BD13CF5F13F6FF3D15BBADC93CE5

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4

Filesize
92KB

MD5
7ff2164871d242f5de13e1a6e06b98d8

SHA1
283d588d2fd29479b65a256ae646385b13dbf341

SHA256
262d3b966e23d426711927c0013ebe05c745fd3104f0f8bb7d464ff752e2a28d

SHA512
d2ca9266578fcbd42108dd25646f5e11e9ef0eb22309f8d713b64938fdfcd1516e5acc82434441ee303bced3b002a583501d60f64562be0c924cdb6ed764f9db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
1265d27498ff2fb799fa539d3968e507

SHA1
5a225a923d5038ae47ae601ad8e09134c7dab026

SHA256
6e31a5748fe64389c202efabeeb7c02da90112619beaf4dc54426b17d8f8afa1

SHA512
22fd54ec1e7e2e007236e54d2a139372231282340e3156d0bfae87756ab711505c29e02452bb2012e2a3a301303ce18531613d58940e536c7f9f69558e8cbffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
e64502c3fc89f4721724b09c4d5760b9

SHA1
155386581bc3fc32f9b0510b5e2a208967b3211e

SHA256
5c665bb9f4a46332dc7f758ffa56d58d1036aae7a1a5398ffb29c012c79c0d4d

SHA512
d22bf389efafddfcd80580a3948c199109373cc4ce86f2d9afeb4b120c572fbaf3bc8d331c13d7ef0a94c6c94fba67a3c6e967329a303bccbe4d7193a977b29f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_BEF5BD13CF5F13F6FF3D15BBADC93CE5

Filesize
402B

MD5
d40e8a65c4a1ba2e76c9adc52b5dc2bb

SHA1
6eeaeb08ac6d3405c349d9ac76556addd237d161

SHA256
3e3323e7f22a9a4642225f7ca8393804a50d90c06490e57d7e33d9df97175289

SHA512
4f09be162f7666b17926e3bab4242eef32847151a95b40c239285e2633329752875a828c5a0d48371578802e39ec36ab005858cf71c1db268d3b878bc4eb1ca5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4

Filesize
170B

MD5
9af5e64ca0a62e37717082893c86f695

SHA1
2a65632a83535845bec3cb0ca9f69de4ad34af96

SHA256
1f803329b2cf1f45a41708e9d62ed9a00655fadb61e08b2f2139959ab77bd37d

SHA512
dbc2520326b92f189a637f873415d142f06d83b8603e49dd8b5e1b83fa5770ebec57dedad24822ef0c912f8c7df2c3e51c34165b70c817c4010448b244547c72

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
4769536cedd609495674d0ad916520f3

SHA1
04f206e0b03f892807b2b900e46dc5a5eb5430ef

SHA256
8e8628812b743c5007b542297987e7b02dfddf76af8ee9b120e0f0dab8b6db86

SHA512
40ce753d4e105edef30ead3a5d557d66f947514cfb190335c814514486d0dcd05519e072ada16e5699635ece7a349320f5f4d9a7a0a412645d14654f6436e6fb

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\D3DCompiler_43.dll

Filesize
2.0MB

MD5
1c9b45e87528b8bb8cfa884ea0099a85

SHA1
98be17e1d324790a5b206e1ea1cc4e64fbe21240

SHA256
2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c

SHA512
b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\FEB2010_X3DAudio_x64.inf

Filesize
815B

MD5
49460e9297b0faab5a5d73e7aa2caa67

SHA1
a7e211f3d4ae808f67a798924c4d3314183df873

SHA256
68351f03f4ef83e4b8c359e3e130441081690a1866b838a1b35d64674ef3abbf

SHA512
92c4c0751e9123e1eb09da312bc44041d13262e26cefb807dcd1b354c5bd12c0d7197f1d3d457ddef89714b77ffe45db9c717332963c6daa507ae02a6d5fc941

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\FEB2010_X3DAudio_x86.inf

Filesize
1KB

MD5
e84adf38d499ae39090ad60fd76d76e3

SHA1
6af4d58bc04aac2723e8b97649f1b35fb1aca84c

SHA256
d4da3e530982812d1e2a31570b80af541fac1b13c72997d2aad7ea3bfeaf4a4a

SHA512
6714992e7aee7bd0798fbec68f92c97ee502127580e21e1b6693ed6737312b44dbc9fd9ef579fe552590e9e5a4904df94e4116334265a34699a04aa76ab87c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\JUN2010_D3DCompiler_43_x64.inf

Filesize
830B

MD5
6494a3b568760c8248b42d2b6e4df657

SHA1
700f27ee4c74e9b9914f80b067079e09ec7c6a7f

SHA256
3e779533a273e3395109c7efac13ba1c804c01b3ddb16938406fbdf90d851216

SHA512
2bf68b123d7823ad7182e132d9e55f8de7580229e8e1b3b40030da50bb9bdeaf67bb9727ce2171fa83b7f804c24d9728ffabb44cb5017b16b771bb19e62b1b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\JUN2010_D3DCompiler_43_x86.inf

Filesize
1KB

MD5
1a86443fc4e07e0945904da7efe2149d

SHA1
37a6627dbf3b43aca104eb55f9f37e14947838ce

SHA256
5dd568919e1b3cbcb23ab21d0f2d6c1a065070848aba5d2a896da39e55c6cbbf

SHA512
c9faa6bb9485b1a0f8356df42c1efe1711a77efa566eee3eb0c8031ece10ffa045d35adb63e5e8b2f79f26bf3596c54c0bd23fea1642faae11baf2e97b73cf5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\JUN2010_XAudio_x64.inf

Filesize
923B

MD5
dd987135dcbe7f21c973077787b1f4f8

SHA1
ed8c2426c46c4516e37b5f9aac30549916360f7e

SHA256
1a0f1b929724f8b71d5ce922f19b9d539d2d804c89af947d5927b049ef0fd3d8

SHA512
f0469c94219b4df99d7b9b693161a736fa8eec88a3f6c7f2cf92fab2ade048dfe61fcde3a4cf4f7a2aaf841d079a46b17259dea22cfb02831983f55bd7f61899

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\JUN2010_XAudio_x86.inf

Filesize
1KB

MD5
31d8732ac2f0a5c053b279adc025619f

SHA1
c8d6d2e88b13581b6638002e6f7f0c3a165fff3c

SHA256
d786d06a709d5dc26067132b9735fc317763fcf8064442d6f77f65012ba179da

SHA512
abc37922307f081a1ffdc956ce59598c19ad1939ecfb6ea3280aa6aa7a99c3eba5462731586ca262f7d7257d7d2a74ff57a45abf6b93521eb6f1c9f22f8eb244

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\JUN2010_d3dcsx_43_x64.inf

Filesize
815B

MD5
e1f150f570b3fc5208f3020c815474c8

SHA1
7c75fc0cf3e3c4fd5045a94b624171d4e0d3b25c

SHA256
5289b5ad22146d7cc0c35cdb2c9662742693550de8f013d1ec40e944288d155a

SHA512
a53618ed6ebcd50ef074b320eb3ebd38af4770a82caa808e47cba6a81982ced46cf954a1c5a383f171006e727d8211b4fce54c9faf27b4c14a770a45a09037b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\JUN2010_d3dcsx_43_x86.inf

Filesize
1KB

MD5
cf70b3dd13a8c636db00bd4332996d1a

SHA1
48dd8fc6fa3dae23cb6ca8113bc7ad837b4570d7

SHA256
d5200b332caf4fff25eb3d224527a3944878c5c3849512779a2afcfeae4c3ca1

SHA512
ae31a9e20743a2052deec5d696a555460a03d400720679ed103759241b25d55e2fbc247170da3c0c0891f32b131ab6a6845de56c2d3387ad233aa11db970b313

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\JUN2010_d3dx10_43_x64.inf

Filesize
815B

MD5
13c1907a2cd55e31b7d8fb03f48027ec

SHA1
ca37872b9372543f1dbe09b8aa4e0e211a8e2303

SHA256
a65f370a741d62c2be0ca588758d089dd976092cb910bb6b1b7d008741e18377

SHA512
545aaf268d141e2aae6800e095a1ae4eafe6bfe492d95dfe03789ccb245cc3ef3f50f43b10a41a3b0efdc7f8c63621b437323e133ba881f90a3b940095b80208

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\JUN2010_d3dx10_43_x86.inf

Filesize
1KB

MD5
53a24faee760e18821ef0960c767ab04

SHA1
4548db4234dbacbfb726784b907d08d953496ff9

SHA256
4d4263cbb11858c727824c4a071f992909675719be3076b4a47852bf6affd862

SHA512
8371471624f54db0aca3ea051235937fc28575c0f533b89f7d2204c776814d4cd09ee1a37b41163239885e878fb193133ad397fe3c18232ad3469626af2d2ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\JUN2010_d3dx11_43_x64.inf

Filesize
815B

MD5
590fe1ea1837b4bfb80dc8cb09e7815f

SHA1
792b5b0521c34c6b723a379dd6b3acf82f8afb1f

SHA256
2c4cf75b76203cba6378693668c8c00b564871c8bfd7fbda01e1e841477b2a3b

SHA512
80bee8f1ad5bfaba6b3ac5a39302a1427dbaa5919d76c89b279dc753170ec443924eadf454746ce331a6682ee729ab79bd390a5d3b55db8d08fd6f4869101f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\JUN2010_d3dx11_43_x86.inf

Filesize
1KB

MD5
fb5d27c88b52dcbdbc226f66f0537573

SHA1
2cbf1012fbdcbbd17643f7466f986ecd3ce2688a

SHA256
3925c924eb4ec4f5a643b2d14d2eda603341fbbd22118cdd8ae04aaa96f443c0

SHA512
8aa2200f91eca91d7ee3221bc7c8f2a9c8d913a5d633aa00835d5fb243d9cb8afa60fe34a4c3daa0731a21914bc52266d05d6b80bfc30b2a255d7acdf0d18eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\JUN2010_d3dx9_43_x64.inf

Filesize
812B

MD5
ce097963fc345e9baa1c3b42f4bfa449

SHA1
e7624afc3a7718b02533b44edfe4f90d1afda62a

SHA256
272650a2d9b1cfea17021f4bf941b21f2206791e279070d4e906ce0ce56ac16f

SHA512
f3c4f00eebd9d465bc2415d59c417bca0f5a07c8e13880b28704f770763609a653d4b06f53d98325b66c2c7094895190900c47980f81463215e919f00966ee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\JUN2010_d3dx9_43_x86.inf

Filesize
1KB

MD5
a11deb327119b65bacce49735edc4605

SHA1
0be2d7fa6254b138aa53d9146cda8fedbba93764

SHA256
6b33d32da02f664092d44b05237990f825b4062c105a063badcf978648b5e95b

SHA512
b0134a3d6f2d576e5fafb601014ab66fef91d661013acc8a7a9129940369a1d9ed5c0f228bb1666a4e891f09b4b18e83f0cb2080047aa84fa45ab663e5739a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\X3DAudio1_7.dll

Filesize
21KB

MD5
c811e70c8804cfff719038250a43b464

SHA1
ec48da45888ccea388da1425d5322f5ee9285282

SHA256
288c701bdedf1d45c63dd0b7d424a752f8819f90feb5088c582f76bc98970ba3

SHA512
09f2f4d412485ef69aceacc90637c90fad25874f534433811c5ed88225285559db1d981a3ab7bc3a20336e96fb43b4801b4b48a3668c64c21436ee3ea3c32f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\X3DAudio1_7.dll

Filesize
24KB

MD5
b4ff2a39685c1a6d43f0e56eb350af3a

SHA1
466f80be26352f8331900a6da5b0a18dc7b39c0e

SHA256
9460709339701ad471a5cabe6365355f4d586dc4fcb86507c1331839dc555446

SHA512
cef31793e1b1714826aa95d256ebbec457e8cf9003767db46909bf879af86f954f475ac84e1ee8cccf1dcfe4a52624e3d7e8bfaff5f567e97cab19207db7f913

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\X3DAudio1_7_x64.inf

Filesize
689B

MD5
d2f7a179d3b79547d18a4157f71666ef

SHA1
9b83f1dd7fabf1982cf0f317061d24a52c6fd2f9

SHA256
1da8585eb518801a26ce5a535620ad7bb4177dfccc8e468c8a003db064849d04

SHA512
5976d6ac22745a61b726426c65768594282af5b560575f718b588609c8f4fe02b0c1426297b775df241f4110f2bb1f37e2df30e94489a3d957319bc738262cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\XAPOFX1_5.dll

Filesize
72KB

MD5
8a4cebf34370d689e198e6673c1f2c40

SHA1
b7e3d60f62d8655a68e2faf26c0c04394c214f20

SHA256
becfdcd6b16523573cb52df87aa7d993f1b345ba903d0618c3b36535c3800197

SHA512
d612e2d8a164408ab2d6b962f1b6d3531aed8a0b1aba73291fa5155a6022d078b353512fb3f6fff97ee369918b1802a6103b31316b03db4fa3010b1bf31f35fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\XAudio2_7.dll

Filesize
514KB

MD5
81dfddfb401d663ba7e6ad1c80364216

SHA1
c32d682767df128cd8e819cb5571ed89ab734961

SHA256
d1690b602cb317f7f1e1e13e3fc5819ad8b5b38a92d812078afb1b408ccc4b69

SHA512
7267db764f23ad67e9f171cf07ff919c70681f3bf365331ae29d979164392c6bc6723441b04b98ab99c7724274b270557e75b814fb12c421188fb164b8ca837c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\apr2007_xinput_x64.inf

Filesize
860B

MD5
94563a3b9affb41d2bfd41a94b81e08d

SHA1
17cad981ef428e132aa1d571e0c77091e750e0dd

SHA256
0d6e1c0e961d878b319ac30d3439056883448dcf26774003b73920f3377ecac8

SHA512
53cac179d7e11c74772e7b9bd7dd94ffbc810cfc25e28326e4d0844f3f59fd10d9089b44a88358ac6dbd09fb8b456a0937778f78ecc442645764f693ccd620b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\apr2007_xinput_x86.inf

Filesize
1KB

MD5
e188f534500688cec2e894d3533997b4

SHA1
f073f8515b94cb23b703ab5cdb3a5cfcc10b3333

SHA256
1c798cb80e9e46ce03356ea7316e1eff5d3a88ccdd7cbfbfcdce73cded23b4e5

SHA512
332ccb25c5ed92ae48c5805a330534d985d6b41f9220af0844d407b2019396fcefea7076b409439f5ab8a9ca6819b65c07ada7bd3aa1222429966dc5a440d4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\d3dcsx_43.dll

Filesize
1.8MB

MD5
83eba442f07aab8d6375d2eec945c46c

SHA1
c29c20da6bb30be7d9dda40241ca48f069123bd9

SHA256
b46a44b6fce8f141c9e02798645db2ee0da5c69ea71195e29f83a91a355fa2ca

SHA512
288906c8aa8eb4d62440fe84deaa25e7f362dc3644dafc1227e45a71f6d915acf885314531db4757a9bf2e6cb12eaf43b54e9ff0f6a7e3239cabb697b07c25ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\d3dx10_43.dll

Filesize
459KB

MD5
20c835843fcec4dedfcd7bffa3b91641

SHA1
5dd1d5b42a0b58d708d112694394a9a23691c283

SHA256
56fcd13650fd1f075743154e8c48465dd68a236ab8960667d75373139d2631bf

SHA512
561eb2bb3a7e562bab0de6372e824f65b310d96d840cdaa3c391969018af6afba225665d07139fc938dcff03f4f8dae7f19de61c9a0eae7c658a32800dc9d123

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\d3dx11_43.dll

Filesize
242KB

MD5
8e0bb968ff41d80e5f2c747c04db79ae

SHA1
69b332d78020177a9b3f60cb672ec47578003c0d

SHA256
492e960cb3ccfc8c25fc83f7c464ba77c86a20411347a1a9b3e5d3e8c9180a8d

SHA512
7d71cb5411f239696e77fe57a272c675fe15d32456ce7befb0c2cf3fc567dce5d38a45f4b004577e3dec283904f42ae17a290105d8ab8ef6b70bad4e15c9d506

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\d3dx9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\dxdllreg_x86.inf

Filesize
724B

MD5
8272579b6d88f2ee435aeea19ec7603d

SHA1
6d141721b4b3a50612b4068670d9d10c1a08b4ac

SHA256
54e098294ef0ad3b14b9c77642838b5992fe4573099d8397a1ef566d9e36da40

SHA512
9f1311803db1607e079b037f49d8643daa43b59ce6eafb173b18d5a40239a5515091c92b244ffe9cfef2da20530fb15deb6cf5937633b434c3262e765d5a3b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\dxupdate.dll

Filesize
168KB

MD5
94202f25810812f72953938552255fb8

SHA1
c1e88f196935d8affc1783ccf8b8954d7f2bfb62

SHA256
6dcad858cc3ff78d58c1dae5e93caf7d8bacb4f2fcf9e71bccb250bf32c7f564

SHA512
65b66d07ef68e0d1e79f236a4800c857e991ee3ff80ece4cfdd0b5f6083ea16f8a52d351c3af721cb05c06394ec91b4b5e3cfa4b0f0879f7549f3e3ed035e79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\dxupdate.inf

Filesize
12KB

MD5
e6a74342f328afa559d5b0544e113571

SHA1
a08b053dfd061391942d359c70f9dd406a968b7d

SHA256
93f5589499ee4ee2812d73c0d8feacbbcfe8c47b6d98572486bc0eff3c5906ca

SHA512
1e35e5bdff1d551da6c1220a1a228c657a56a70dedf5be2d9273fc540f9c9f0bb73469595309ea1ff561be7480ee92d16f7acbbd597136f4fc5f9b8b65ecdfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe

Filesize
81KB

MD5
2fcac7b80a47c5b171810b4dc822bb6d

SHA1
c84ee3d5f0edaba7e9cf1a5f0e65cd3a67412f14

SHA256
5d25a17f509bd9e8b307f8d5657b487b0ce193ee7f50109e78771868e9e06ffb

SHA512
6d72b0dba1c1e6f99de5ab75c7ee15936ab519e1a33a1fc59b15e511596825a0db3809c190ad6c52ca0c77b407dfeb9d4dfe1b3efab43ac95bbab0b5358728e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\infinst.exe

Filesize
81KB

MD5
a7ba8b723b327985ded1152113970819

SHA1
50be557a29f3d2d7300b71ab0ed4831669edd848

SHA256
8c62fe8466d9a24a0f1924de37b05d672a826454804086cddc7ed87c020e67ff

SHA512
60702f08fb621bf256b1032e572a842a141cf4219b22f98b27cb1da058b19b44cc37fb8386019463a7469961ca71f48a3347aaf1c74c3636e38d2aea3bca9967

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\xinput1_3.dll

Filesize
79KB

MD5
77f595dee5ffacea72b135b1fce1312e

SHA1
d2a710b332de3ef7a576e0aed27b0ae66892b7e9

SHA256
8d540d484ea41e374fd0107d55d253f87ded4ce780d515d8fd59bbe8c98970a7

SHA512
a8683050d7758c248052c11ac6a46c9a0b3b3773902cca478c1961b6d9d2d57c75a8c925ba5af4499989c0f44b34eaf57abafafa26506c31e5e4769fb3439746

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\xinput1_3.dll

Filesize
104KB

MD5
bfb3091b167550ec6e6454813d3db244

SHA1
87e86a7c783f607697a4880e7e063ab87bf63034

SHA256
756cad002e1553cfa1a91ebe8c1b9380ffabe0b4b1916c4a4db802396ddfbef8

SHA512
ce2ead2480a3942081af4df4baee32de18862b5f0288169b9e8135cc710eb128f9a2b8a36bda87212c53fd4317359349c94d38b5da082638230dcb5669efede9

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX7E00.tmp\xinput1_3_x64.inf

Filesize
669B

MD5
c9635b7617d68d95f9113282472218c9

SHA1
e3da3f2600a0f5cd0e28722ee313e04fc29dfc60

SHA256
0d411d9424128f19fed2daa95a2983b4b29197f022a754f59d0c7740ad654cca

SHA512
0481e008619d3b3a45d0a90825b576e4c03f27668b0792762cb9165b15955645667392f23eac5e5c4eb8a7fe6fa47cae4c319323b02225289af0cffaf1ca8c83

Download Submit
C:\Users\Admin\AppData\Local\Temp\UE4_Prerequisites_(x64)_20241223153226_2_PrereqSetup.log

Filesize
3KB

MD5
75d5c2b43bfd9585f4cee8f9cfc04672

SHA1
a5a49340ad58a00da90118d0f5a58abc9ad6eca1

SHA256
37a37ffbd65507ec59054d067db9442fcd0d8dc9ccfb294f1462c7dd129a3571

SHA512
0f84219871b208c74946f2657e378269843a6e9d0156053a86696cc443a78d9f4ff0da27aaa3838a3b995401f7393d28b47c9c936b66a3ca89f646d6529807d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\.ba1\Banner.bmp

Filesize
123KB

MD5
461fa4877514f318a0d5cbc602daf7df

SHA1
5d2ed3abc96bb1fb419828e3de3fc75a6292536a

SHA256
638d5bfc987b45d28a308e8a4d68bd7c0a82d21e615e534fbfaa3cd0ad53889e

SHA512
c4def63dfde38cb2e35d75c7e61428cb9df2429af799e3e0b29c7bc1d9c60e8e32f18cc0e7b55e177d95bdb333a7a0d1f4369b02f5c574b6688047e01e9f98e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\.ba1\LogoSide.png

Filesize
43KB

MD5
63c9775d703ec8bdc9703f80d52ffc24

SHA1
1a5f3fa1fc4ee2a7e08506f8178d769cdcd7ec62

SHA256
8f03c6e8ce5f4898cc230e04d485e0e0744eb7ee180a3d8bb154f2fc9c7a93e5

SHA512
b2d9d18a3d6a1df401ede41e35af7167c6f253f54c290d1db64db212b5a2e9a2534e86e031e1e5499b2ce11bb952afc6bcd8f85aca351d49867c77dd4edba458

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\.ba1\wixstdba.dll

Filesize
135KB

MD5
36b53c5299a3b39e5c9cdbbd28a09506

SHA1
9f4c767ef7ea887a88a698bcd66e4ba691e1c17a

SHA256
97f1901e7c928b9231e503cd3a1315f0d8449356b9f25e7eb4c2cebeee72012a

SHA512
af4c7cea8bebe0f125b59eed11fa0053178dd546784f68ad7a642eb128ed0d05dd6ccfe685b912381b61becf9c336dcbbc8c4ce56884a511f3f0a69826d8de83

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\.be\UE4PrereqSetup_x64.exe

Filesize
786KB

MD5
ddf7b1641565da963c4b5fa54da0c6fb

SHA1
06e78b6490aa53b0aadd69689767b900559b1aad

SHA256
62182da08e543edb383be4cccba214e30f1dcd73395f461af3a142a69893f254

SHA512
194490ea8b440841924a2e453c4e660ec781d7959620118504b16ea7ad799107eab26eab765d8378509d6a6f67fed3e5673ad362789245f46a67a8c81b07076a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\PrereqSetup

Filesize
11.7MB

MD5
4cc0e85424b8c7ec50c29554637e5c14

SHA1
5ee1bdf3f72b16a1780cabb6288bb97db7eb4a12

SHA256
6e3f68b3f747899b658a5946b1bdc4cb5a8956c93e54cc1fd7dae454e4fa1d22

SHA512
49768efd40965167fa5e7c87b2c885f73eb4e9808b1fe923ad212d49c8b9c58efb8d2ac7ea9de4a2019b6d548aaac82290127beb1f711fb23cf32d038326ce45

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\VC140_X86

Filesize
13.7MB

MD5
24e8177b25c072f4fb0d37496ccdbb34

SHA1
afa5badce64ee67290add24e0dc3d8210954ac6c

SHA256
e59ae3e886bd4571a811fe31a47959ae5c40d87c583f786816c60440252cd7ec

SHA512
2fda8abc77b6ed9e98a2b120628e4e3b9458f2b18998c836eec1de82642244fe55234c7e52d6036d8b75c4b707a24f12fa639cc92d4234e94ed604a259d651e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\vc140_X64

Filesize
14.4MB

MD5
be433764fa9bbe0f2f9c654f6512c9e0

SHA1
b87c38d093872d7be7e191f01107b39c87888a5a

SHA256
40ea2955391c9eae3e35619c4c24b5aaf3d17aeaa6d09424ee9672aa9372aeed

SHA512
8a050ebd392654ce5981af3d0bf99107bfa576529bce8325a7ccc46f92917515744026a2d0ea49afb72bbc4e4278638a0677c6596ad96b7019e47c250e438191

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
56436d4b309fae40e91eb87f47afa5d8

SHA1
f77e1a35bf220eb0860d54090b288a3881718d63

SHA256
50d3fd8ff53a3422f3dde2eba1e8e96bd242244651151d568752aa796f50423f

SHA512
94126a5684891335d0d77e596b0e8daec68ac34e89d3ba19ae72c457b77bb1ee0cf5dd9710e5961ac6134dc0e6e42ec58f253878f63c5a0ede0fc1cc5943ac32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
13KB

MD5
17152603f41ae6eb5f82f711bebde8b8

SHA1
d8c7a9890c3b8e6f3a5816905860fc629588e5c3

SHA256
d06b679461182857a2093cd9cfe6c3f29c412ad61c07f4d425587428185dd7a1

SHA512
abbb003ac897747a54e94bf4f9ccb4a36157a6e1aeed3ff5ee8ae852eae4221d7069cf9376e6b716c7e560607ae29179b1d244b5a01c1c3e3068c15b8bfd90dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

Filesize
6KB

MD5
592e512cb53935b57f769be131efc409

SHA1
6be74e14d9e55e8692444dc16f7ee7e929d40498

SHA256
dade4a45bedc8f38f0a2ffd45340ce9a1ec1637648f506afe4b8cb840ef8a3f6

SHA512
a319a8152e5039ef03ca9e28516bdbe72733d8fc47839536381a39d0cf2cfa6e73dd872f03cf17a0db1605f99ee95a8b1b82b17d50049ba290bb923a62ca579d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

Filesize
10KB

MD5
51fbb70b4b9622472c1da4d3e2d8aaf8

SHA1
d8c8c4af0af2320ef8bdd08239b19410880a2de8

SHA256
40a09ddb8dd725398f89085e8674bd22ad8da97b1146dc1595378fbdbfe3499d

SHA512
37f1c2963e81de08b5ad7163260d14b95a622e990583f731d108d61dc0e76676ab6390aa3506e05330fedc325fc1f8d4ced08fd3441076eec83b1a68cdcce9ab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\AlternateServices.bin

Filesize
27KB

MD5
f7736435a3c2fc0b8e3bce3d5634d97e

SHA1
bed92599c09fab5f92ef568a573d5badc17a75a5

SHA256
1550611c94b7bd9699be229a667528a7e078453d082d884a8cac0ff79f5009b4

SHA512
4a21ccc8b4d754c00b14df5fbf9aa666218a964f90b3bb6ab4bee2a8967f7f1e7c7a587ca35cae03e058dbc499a19790dffc8a7e00696e8cc525327f89bd27ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
40KB

MD5
943970c170c8b6c9901a6018ba719567

SHA1
26d92e6db37b1345ae81154be7e641bfc7b43666

SHA256
828cb6cc5eaa8486bd2b91d766aa941a53bd3d06ccc7f5eb6b37490425327f0e

SHA512
baeda7a7557ff6221606903e533b1eddea4333d04e3e5a2a705b2f484f5c6286311c623fa5bd1c6a9b7b641875e8941520cefe808602aa343117d3149a3d4def

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
8a8673f08cd58b43ee06419de74852d4

SHA1
afaab556456e44210e2b8e4207c640433d3e1b79

SHA256
33af28b469824180433f67543162706e4530f3f767a2d7adb97e99aaf1477b53

SHA512
a2439884bd9782ccd66ae3d5b5d6eeed85b486d7dcf61741e38f1db1eb59a2494809ded6e5682cd0c117ee7e473ef970600242b3d51f2d149ed5bb0a11678cdf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
17KB

MD5
19b1731e50beb75ffe891f1c17b67c3e

SHA1
ec2b1d41434b6c1ad4a7a30c378dfb09f88e48fb

SHA256
b499105ab80cc3f5af1e015703d00b72f297814b2104401bbc7b806319e4f874

SHA512
bef53680769a7ecdb50944250665279fb51804ebfd25d622854dbea6b4129185de6982717d779de8efd8b13812bbce1a7b9e395dd060d74d9333c7b794e1e2c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\5c2d068f-5fc1-404e-a58a-4590348a1a38

Filesize
671B

MD5
52f6262279966b91610f9b8382ca1a3e

SHA1
c1944073d72875d90129493d154aaf188f075a49

SHA256
4f98a3ab53079ff3cd813096c52b70a994d289b426d32a60e64ded1ca0ef7bec

SHA512
c10631234e19ab51271b708fe2664b168b2439d8d5e8f72b5b7619766d87fe4e0c6527003714189dc93140ced8997a64c4df2d81c9e66ff9c8e001d1d8234f6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\93137a86-9bd6-4727-880f-3ccb6fee465c

Filesize
982B

MD5
6ab8db0231cb63390cee394722ec0938

SHA1
f6c111565166b982fad6f0494b244847a4fa64ee

SHA256
33a61db279d3acdb6dc4b894d977681a2001f6980dd92b60a7a936731c829201

SHA512
0820ca44327d546c4738be29b8cf61f0476d3339711913568b60c91ad73ca86b6d543ea4ea7a79a3a33646c961ddf3fe604e510d61d1612d3ef105f2f6598e68

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\datareporting\glean\pending_pings\a1554fba-4a05-4923-86cd-23bc5e0e2565

Filesize
23KB

MD5
c6d5009ee23453138993d0fb6e11c056

SHA1
4bcb457d019bb683e297ffc6dae8c592f14c8967

SHA256
7ccc1cdd04f90ed50e0c54ab34cc598d945cd288edbb19562c3e770126cb6d0f

SHA512
841470b3ccb69e4c6174940ba871ec4e5972fde2757d6e15e7c53c14e95521c5df3695e085383ee6d3316009158035a33ba88bc2c558b5ed05a189eeab03c5a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs-1.js

Filesize
11KB

MD5
ba645d5d3e1cf2eaa1f691346fcd3ea9

SHA1
99861b7106304be4919b9fda39ae2b68a673d5b0

SHA256
da77e2385ba1bea2cf7be8bdba3d6b5a1746a9368ae28f5bcd7cb68c79be73a9

SHA512
5397028bf4395549d2ee124970d099b2bd01e0f78dfbe73915a06d0408869086e50eac7aa1d510b54c51a3dda45748185ec89412cdb6a120821be6fd5668c9c8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

Filesize
10KB

MD5
d98408d7de10be9601be22d9334795fc

SHA1
b1ca589551a868d8e89be157148de593a3650d58

SHA256
33819e09912fb6b2d64fc9e5f6a973eb07ff3491844d044a7857b1be9f9c4ba9

SHA512
9712408dbed936133bfb8952a1376b6e76e6fea8e48dd7ca5276c5fdb8272e186b6a713c70692258c558ac1d1f02ff630047883cec3249959726bded1f631504

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

Filesize
10KB

MD5
f44f801776366875b96abd44b279da19

SHA1
c98f412e41543cca760bb1bd5581469520e185b0

SHA256
8e2734190e7fdd4b48c19079a61a30805cbbe520dda9ed962aaf8f99c82a244f

SHA512
2551dee643366717c8f4df29414922fcb7b524fff04976ea85440f07de7d90decc3ed8d92f29d87f2e692b86d01d12d082f01b5cb4170f46e7532d7cccb7c150

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\prefs.js

Filesize
10KB

MD5
c1452bfdb2094d6befff223ac8d8e31c

SHA1
6a77c6ec54ca13858e41625e9be6538a9e24058d

SHA256
ee2c620f9012d37a1c0f0c0338652d529f375b4b428e8dc249e42104ef21f1c3

SHA512
e9250660daa02eb892de211778e8ee4f7b8101088c5ccec041bffa0ff6da7c2918f6230c2c3f75710fc33f5017f4cbac845ca0ce80b3267f786df963bf393b43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
cf2b847722e3f49dca886ae24b67f5f6

SHA1
7ea51ebe8d3a5dea4a783515d31b42f46f4a40ce

SHA256
3a6a69cc06051a50343ffea8b0188521cd647f7dfc2eacc599d28cf92b7f604f

SHA512
0a545bc09961990a585fbf5fb7335cc081a33d12929d6bd9fda6695c71c1eeb384db4c1c8c0df6e3f19b861d0d8b0782e37e5085409094cc47aed1ddaf924826

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
2ff4f1dbddc5fe9fe31d31eb3020794e

SHA1
20f004685bd7b5bcdf1e81d65d98871a9657dbce

SHA256
72c264ebc5981b368a67560106480f9df8701200dc82246b8c9ff479b9db173d

SHA512
0295139544b315ee632662f2fe3b20226a976e23e92f5d160ced4d98b1655a3e078c188ab27004b2feed6ac7f59f6064ed6cd4c4a6aabed06233315959336bb8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\w9rzhd5e.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
01820020ede4011418f184d0d290ff4d

SHA1
4bc4a0cf656dcc33ed89dd421205a926e7440060

SHA256
914b13a8c5f15a6df85e41d50af2e377d7fc09236ba690a63cee2cc156635da8

SHA512
3c1acd67790cd0f5449b3f0e2f2fd1f83c5b9cf5eaf82bfbcf341b3a22ac8c5c65f90088eb345b59164ac4e5ee6e5b90880efcdd2bf2c4d63f9a808798fcb09b

Download Submit
C:\Windows\Installer\MSI7CC8.tmp

Filesize
6.7MB

MD5
0fb911250b32a2ca32f5d8d572b1ec36

SHA1
a0edd2d6d521f6087558b87fb31b20b591fb2995

SHA256
c55442e1b85b59d458707d3473c05c00ec50dc6f1e4d8a5cf644664b1333bd19

SHA512
e35daaed5428a95a47ccf20f640d390e636f8bd7401b0afa65294da42550fca9504bfa72bc55e72f76fbae8c666e4b958e4c5ff1b166092cf8d789f08438c2a7

Download Submit
C:\Windows\Installer\MSI7CC8.tmp-\CustomAction.dll

Filesize
4KB

MD5
6a9a48dc9f4a240a947b957ff14e7070

SHA1
1568c161a338e8afd6db1d1fdea8d2de72df6334

SHA256
7b64f279feee5e8b350dac6c1e3bddaeb110a16b4839f7167667975abf987be1

SHA512
5bddb9dfcaf36fa4ce1faa20812500ed8995ab3f86ec0b44edab912a185688842f0e0d2ec01e6abf48d863da783fe4db193c3581347810a0bfae15083d3cc148

Download Submit
C:\Windows\Installer\MSI7CC8.tmp-\DSETUP.dll

Filesize
87KB

MD5
9e0711bed229b60a853bcc5d10deaafc

SHA1
2bea53988bd35c5df5c9edcef0bc234c37289477

SHA256
def6f245762be36cf18b435ba8b7ebc224b9c21d1a1db606a8e8fafdaa97bba0

SHA512
c0b31872e52c8f4270d991c70d1a1c9ef9a4bbee4807c54c05a449cd1607506ab16ff1e74b378651b36e3276322c86cd843565c8a1aa33a49c47322ef4df0185

Download Submit
C:\Windows\Installer\MSI7CC8.tmp-\DXSETUP.exe

Filesize
524KB

MD5
ddce338bb173b32024679d61fb4f2ba6

SHA1
50e51f7c8802559dd9787b0aebc85f192b7e2563

SHA256
046041aba6ba77534c36bb0c2496408d23c6a09f930c46b392f1edc70dfd66de

SHA512
7a63925278332c8e7949555383b410d8848a7834b85f34d659e351ba78cbe4d2ec09caccb2178d801b9b68725c9cbae48a6a1f07f0804a0c41eb51df79b7eca4

Download Submit
C:\Windows\Installer\MSI7CC8.tmp-\dsetup32.dll

Filesize
1.7MB

MD5
0f58ccd58a29827b5d406874360e4c08

SHA1
ba804292580be6186774e7f92e6dfb104e46bf25

SHA256
642d9e7db6d4fc15129f011dce2ea087bf7f7fb015aececf82bf84ff6634a6fb

SHA512
3e3d4f2de5dc5addc86765a2f888487ea0c9ee0208fac60187ddaa9a2bfd73cfd7734836d32805fa43222470c8f6cb9a10e2a099aef72c67ad7c789096e57ce4

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Apr2007_xinput_x64.cab

Filesize
94KB

MD5
743b333c2db3d4cf190fb39c29f3c346

SHA1
26b3616d7321978bd45656391a75ee231196a4a2

SHA256
e7a09f8235cc587cc63f583e39fbc75008d9677c8bb4dcc11cb8d0178a5153ac

SHA512
77fbdb86c79d7228bca2982a3285a417a365af980488a5ac2d470b532fa59fcc15e0e8dbee6eb1a3a5256fc29e0e3391529cd2ac13e0f72987ee0da136000957

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Apr2007_xinput_x86.cab

Filesize
52KB

MD5
c234df417c9b12e2d31c7fd1e17e4786

SHA1
92f32e74944e5166db72d3bfe8e6401d9f7521dd

SHA256
2acea6c8b9f6f7f89ec51365a1e49fbd0d8c42c53418bd0783dbf3f74a744e6d

SHA512
6cbae19794533ad9401f92b10bd9549638ba20ce38375de4f9d0e20af20d78819e46856151cc6818325af9ac774b8128e18fbebd2da5da4efbd417fc2af51dab

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Feb2010_X3DAudio_x64.cab

Filesize
53KB

MD5
db47136a200e326174ce790359596eb6

SHA1
fabca8c0aa28164ef4fdb7ee4ae8942a275b1713

SHA256
832b6d48e169b4725ae482ea4d1c3360a09631a89b2fac3aba81a50805a50adc

SHA512
f3b04168ca14ad4586493ea985417cce43ee11f37aa1856e714f44e132a31dbb84934943b947cf0b2aa39344e183cba8b6f49431b4471bd0e623926def94cb8f

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Feb2010_X3DAudio_x86.cab

Filesize
20KB

MD5
88dfbb4c1876e80a1864265c61c7a7fd

SHA1
c6ee8cff225019a93308c896146d94b00fd5417e

SHA256
acba5c4d4ac90e1df1c8404be5ff780e24238153cb410af909cd4364d213f2a9

SHA512
35e564aeeb6e462221a36cfa680e7e932333b0b92b0115ce5306ff59784abb13b8f7527fdd686737170425f2719f2d3a6901dc9822af4d537d9b5377b6bf89e4

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Jun2010_D3DCompiler_43_x64.cab

Filesize
922KB

MD5
0109c2931c4442c8192539f1991b6985

SHA1
1b3f6cf35dc745ea8748dae910f704b124e69f73

SHA256
213ad66ab9e469db1e6a49a646d082bfc3700db94172984e7e36801612af50c6

SHA512
c60bf98a0fffbcf3966d7d8abbd12f2a7e6e85b1624d67e9c5d5bb686d41b8ad12761e6cd13439d90248d194888897d055d2d5f3fa4fa2ddd7d21f5e7070b147

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Jun2010_D3DCompiler_43_x86.cab

Filesize
909KB

MD5
f7f554aa613eccf065575b8c69717ef7

SHA1
8417886d47c19cf6892f4080ddd5aaa1a49db3e9

SHA256
417eebd5b19f45c67c94c2d2ba8b774c0fc6d958b896d7b1ac12cf5a0ea06e0e

SHA512
618f6dbb5bd9d44a8f10d119f5ef644f168fe3d8db986994e8cce31d1f11ff9ac872b389d1f218a82ff8b397bface587f97ca21e8f77433dbadb2ac475e9e6c1

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Jun2010_XAudio_x64.cab

Filesize
270KB

MD5
edeb828a8e54a9f3851007d80bc8dd6e

SHA1
358e429ac3b125cc7fe4f9ea46cdca4583cbb1a9

SHA256
51500283f69e97f5beddb073ba2a9017de3d30379c0dcc4d11dd2236ce07b317

SHA512
8cf68e1a09c257f7fc29991331a128c159634ea86e36b6be8c2a0caf5ef1fda8e1c79639f099ba32650a9fcb26478f113227ee7ead84bfbd728665eb1a522537

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Jun2010_XAudio_x86.cab

Filesize
271KB

MD5
9d2da3b1055120af7c2995896f5d51ed

SHA1
2df40d48c69d7cfb4e0c19f07a019f5f123303fa

SHA256
7b4332207563beba1103744b6db5399ad150e9e6838f9d5a71497e7eb3645ebf

SHA512
deb76247b3003fc59c0a95cc2a47d6dd56e2d75aec81c3ab6ca6c0c513fb054e8025c871e97b7d7f2c823df54a2fe8202f4c0caf677251070b8bce40d2db70f5

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Jun2010_d3dcsx_43_x64.cab

Filesize
735KB

MD5
850aafddfefea671a2e1bbf1b65f2a8e

SHA1
9679e7f294ca9de945b6f4f3d775d739dc2f8cd1

SHA256
cdbec7e3a5a0fef016eb294b036f93c75e45c6ead8d99397f859a32d23fe20cc

SHA512
d87d8d123700e02caa6562c9f22a90e86b2d8277b20089ab9d77a885094aef22bb69d60405b366ebf8cbf74f4b53a17095c3cc93b8bd3766cef7eb02bc47397b

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Jun2010_d3dcsx_43_x86.cab

Filesize
744KB

MD5
44dba9557f956787b66f285776c3dccb

SHA1
4560c64f8b6bbdeedd85398f2e18404c389e4d8b

SHA256
e2c5a2cbba7f211b6ca72ff8e5f69cba1f83be06357311b19e64f582fd3d14e4

SHA512
25fbc95346bac890fee8d2a0805015af1eda5e0bb17b12d4eef52ca446775d08898fe5c13239e983a0f8c8dd13f8f2a5247a70e8e785e2bae42ff5ab1cca4156

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Jun2010_d3dx10_43_x64.cab

Filesize
230KB

MD5
2d9586b276a561924ff2335fccaee914

SHA1
3b8114a8820a8df9df2321d6c4da8ea155ce736f

SHA256
efce48d425c07f1faad4a55d7061a01ed6245aac17f43163cf2a23cbc9a3054b

SHA512
d78ad87685eb71d2eb8c68e1e2c7fd5a90250f04059dd0016e4c8ca01bf53c02dea01998fe6de9ae3a3f76b2964d14a61e694546a2e6844bb304c315ae5b80e2

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Jun2010_d3dx10_43_x86.cab

Filesize
192KB

MD5
a89b98ab89e0d4ff9dae412d49e27c51

SHA1
18803d4bcc83ad39f25ff9f899baf136c89c10f1

SHA256
a8cf71ffb80b683616d0621be96d3795b0ffda3877ed2d80cd958bfa393ddcfc

SHA512
0b96a04663d2fbfb21901af832a5362785fb0270d1be0ef136549f07e2625653f8facd129889a5f3489fc8a1270abe474e4f1626ea630a3185a36812545b4dfd

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Jun2010_d3dx11_43_x64.cab

Filesize
134KB

MD5
96e7847a914afcb489194940b06a5c23

SHA1
9439907a1000b9dcb8989ffbd828e6294c277fba

SHA256
c1d0d56b83bfb09a5e1a89e1898bb74446a847b30a968f3664ec2d87368eb63e

SHA512
638485084884fab9d8952af17b24c4aef16dd026c75256026859bfe4f24d7f11fd2240cde8c5de0dab8968885a6d344da7335be257570e947bf5da8ac06f61ad

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Jun2010_d3dx11_43_x86.cab

Filesize
106KB

MD5
758c5a459978cb2c68a300a60da153be

SHA1
66d12509137f2b5e1a668df39e6ccce6402822c3

SHA256
a58cefe822e371d078eaf89319f832693352ba7d62079320074397f0f3425961

SHA512
f33d6fd3354310e6cc4b483eae955a9652e7f71ceef7c444bdef84251ffa6ec0b89886a2344d18e0a1ad5285123ad808904372289e1e1c8d14242483f0426588

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Jun2010_d3dx9_43_x64.cab

Filesize
915KB

MD5
063fa6f7061324eac1c4de0350c20e80

SHA1
daccf01b4b7493b88f04f9e50fe37c03846335ad

SHA256
9b98a1269af7f3a0007bfdc73206a47a6ee158d34ba8a87009396c18186bb06a

SHA512
3ad31100cbca4da52e46518e577dca94b595f9d47a3e9552cd764905ffc2876f9127b69a97bac44dbd754021e14ddec65480b7628a3768f03e53de8fbb08c547

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\Jun2010_d3dx9_43_x86.cab

Filesize
750KB

MD5
7749862c307e527366b6868326db8198

SHA1
bce9f21cdb1e101c7223c9e62eca61ec22d6bb81

SHA256
fcc6cf0966b4853d6fa3d32ab299cde5a9824feaecb0d4f34ea452fb9fd1c867

SHA512
b65a84535b749ade0f8ea1a8ab6239df8e82ad59cbdb07487fdbfcfcf57a565f493f56378e216859a081d23ddf7c671636f53ef821289d66452f09218080f02b

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\dxdllreg_x86.cab

Filesize
41KB

MD5
a025c67403dc2c2bcd709aa9435faeb1

SHA1
0433ee289e96a0d83a0c66ec35cf906a3e063884

SHA256
8ad77a4d9c76f65cd62337588f847cc1e0ca6ca9735937f3a781f7395e9566a1

SHA512
56bced81de59d413238b01396fafa6442ef6db0afaf237a699966df4753ed1a0b555450fa308f6965689a67f9fb5efb5d377d5f602a8d453ecceddca41072b45

Download Submit
C:\Windows\Installer\MSI7CC~1.TMP\dxupdate.cab

Filesize
91KB

MD5
8adf5a3c4bd187052bfa92b34220f4e7

SHA1
b52be74c4489159bd343d3c647f28da1fd13d9b9

SHA256
13393a91201e69e70a9f68d21428453fff3951535dec88f879270269cfe54d6f

SHA512
3e2f2fe4b5742a4cf6ee2f6b8c0ca734fd0b3c5431dff112c907231846dd3eebee7b9b8117f0256119614282cc7a4896474a199563078481d48a1204ca96f92d

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
85KB

MD5
ebafb6913f44717749f0568ee668b444

SHA1
945d7a4cd97459f384a0e46f8df4204b105aec12

SHA256
02448f2702283e67e99e6641efbe1e043e9e770c7f79de742e60d1207c7530d9

SHA512
5b24d7153f6234532dfe5695bbf5eaf260aecdb5c55449e3b5820598640539449188d096cfa6dec22a4243e5d466670b187ee7679ffe0269e8e07c4224c80654

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
24KB

MD5
ea30ea6a91374845b25e13d7d50c1641

SHA1
8d390371276ecaa9e7dfc0d18ee7aca8d65ee5ce

SHA256
354d582c6b71815f2176143fac666b9fb895a5468fa5c524481ffb36a09fea16

SHA512
a4d145a19b58a22fd40395b4e5df6a1ea473ab0c19e8e976eceed6e6227063bc3365e8a354d77f876b437c9a85d84d8936fa469b7cd756afff1f0e3d83003875

Download Submit
C:\Windows\Temp\{0A7075AB-0A58-4D81-98CD-5895A2496E4F}\.cr\vcredist_x86.exe

Filesize
632KB

MD5
c9d95472a5627c6c455e74c8b8fef5be

SHA1
34cb7f8f8b8dede7be6fd99e2b4bddaa37e5db82

SHA256
4b1bf90a0e4e3a628613c2fe42ddba589ee6303e37ccc70cf99ddc92dde03b0b

SHA512
989caff542f310972c15364925af542984ca73c1c1eec82fcbd1ea4bf9186487fd8349989afc95db4e761ebcbb8b14ce49482bc61d51b3259d134c571f4fab31

Download Submit
C:\Windows\Temp\{29596D0A-8E36-46FE-9D93-4ADE2BCF9E89}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{29596D0A-8E36-46FE-9D93-4ADE2BCF9E89}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{E6769F66-D5F0-4E62-9224-CB364EE57C32}\.cr\vcredist_x64.exe

Filesize
632KB

MD5
94970fc3a8ed7b9de44f4117419ce829

SHA1
aa1292f049c4173e2ab60b59b62f267fd884d21a

SHA256
de1acbb1df68a39a5b966303ac1b609dde2688b28ebf3eba8d2adeeb3d90bf5e

SHA512
b17bd215b83bfa46512b73c3d9f430806ca3bea13bebde971e8edd972614e54a7ba3d6fc3439078cdfdaa7eeb1f3f9054bf03ed5c45b622b691b968d4ec0566f

Download Submit
memory/2760-935-0x0000027E8B1A0000-0x0000027E8B1A6000-memory.dmp

Filesize
24KB

Download
memory/2760-931-0x0000027E8B240000-0x0000027E8B270000-memory.dmp

Filesize
192KB

Download