hxxps://www[.]ve3rl[.]com

Resubmissions

20-01-2025 09:06

250120-k29jka1rds 6

20-01-2025 08:59

250120-kxsp9a1pgw 8

20-01-2025 08:50

250120-kr1hxa1nay 3

Analysis

max time kernel
399s
max time network
410s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-01-2025 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.ve3rl.com

Score

8^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 16 IoCs

pid	Process
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4716	check_for_64bit_visual_studio_2022_runtimes.exe
1868	VC_redist.x64.exe
2968	VC_redist.x64.exe
740	VC_redist.x64.exe
5516	obs64.exe
5492	obs-qsv-test.exe
896	get-graphics-offsets64.exe
5904	get-graphics-offsets32.exe
3832	MEMZ.exe
3860	obs-ffmpeg-mux.exe
2056	MEMZ.exe
1404	MEMZ.exe
6020	MEMZ.exe
3160	MEMZ.exe
5836	MEMZ.exe

Loads dropped DLL 64 IoCs

pid	Process
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4708	OBS-Studio-31.0.1-Windows-Installer.exe
2968	VC_redist.x64.exe
2860	VC_redist.x64.exe
5580	regsvr32.exe
5544	regsvr32.exe
2500	regsvr32.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{5af95fd8-a22e-458f-acee-c61bd787178e} = "\"C:\\ProgramData\\Package Cache\\{5af95fd8-a22e-458f-acee-c61bd787178e}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
145	raw.githubusercontent.com
185	raw.githubusercontent.com

Drops file in System32 directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File created	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File created	C:\Windows\system32\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfc140enu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140esn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc140rus.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp140.dll	msiexec.exe
File created	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File created	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc140u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_1.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp140.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File created	C:\Windows\system32\mfc140cht.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\obs-studio\data\obs-plugins\frontend-tools\locale\cs-CZ.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-qsv11\locale\et-EE.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\win-dshow\locale\vi-VN.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Light\dots.svg	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Rachni\right_arrow_disabled.png	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\obs-plugins\64bit\locales\et.pak	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\image-source\locale\kmr-TR.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\aja\locale\fr-FR.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\aja\locale\cs-CZ.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\decklink\locale\az-AZ.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-transitions\locale\ro-RO.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\frontend-tools\scripts\clock-source\second.png	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\aja-output-ui\locale\fa-IR.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-ffmpeg\locale\de-DE.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-transitions\luma_wipes\linear-topright.png	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-transitions\locale\kmr-TR.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\rtmp-services\locale\hr-HR.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-studio\themes\Light\checkbox_unchecked_focus.svg	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-nvenc\locale\th-TH.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Acri\sizegrip.png	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\obs-plugins\64bit\decklink-captions.dll	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\aja\locale\pt-PT.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\image-source\locale\fi-FI.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-webrtc\locale\hr-HR.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\image-source\locale\fa-IR.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\win-wasapi\locale\mn-MN.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-filters\color_key_filter.effect	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\text-freetype2\locale\uk-UA.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-studio\themes\Dark\plus.svg	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Acri\checkbox_unchecked.png	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\bin\64bit\srt.dll	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\obs-plugins\64bit\obs-ffmpeg.dll	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-qsv11\locale\eu-ES.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-text\locale\az-AZ.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-vst\locale\ms-MY.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\vlc-video\locale\et-EE.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-browser\locale\zh-TW.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-text\locale\th-TH.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\win-capture\locale\ru-RU.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\win-dshow\locale\nl-NL.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\obs-plugins\64bit\locales\ro.pak	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-text\locale\sl-SI.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-websocket\locale\zh-TW.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\vlc-video\locale\uk-UA.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\aja\locale\el-GR.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\obs-plugins\64bit\win-capture.pdb	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-filters\locale\ca-ES.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\win-dshow\locale\ar-SA.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\win-dshow\locale\sr-CS.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\bin\64bit\avcodec-61.dll	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\decklink\locale\fa-IR.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-outputs\locale\mn-MN.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-qsv11\locale\kaa.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Light\alert.svg	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\rtmp-services\services.json	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\text-freetype2\locale\mn-MN.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\win-capture\locale\tt-RU.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Dark\streaming-inactive.svg	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-studio\themes\Dark\sources\microphone.svg	OBS-Studio-31.0.1-Windows-Installer.exe
File opened for modification	C:\Program Files\obs-studio\data\obs-plugins\obs-webrtc\locale\cs-CZ.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\decklink\locale\af-ZA.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\obs-webrtc\locale\es-ES.ini	OBS-Studio-31.0.1-Windows-Installer.exe
File created	C:\Program Files\obs-studio\data\obs-plugins\vlc-video\locale\ro-RO.ini	OBS-Studio-31.0.1-Windows-Installer.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5a2d1f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI34BF.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5ED3A19631E69274.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3105.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF373900CD1685018C.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFEAC0183D8B17FD49.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF5F71F33A1B8F2AF1.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a2d1f.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF47DD65DE18F2412A.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3685.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DFABB3C05DFD41F4B0.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a2d0c.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2EB2.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a2d1e.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF628E8BFC97354BCD.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0D59C5AD8B153311.TMP	msiexec.exe
File created	C:\Windows\Installer\e5a2d34.msi	msiexec.exe
File created	C:\Windows\Installer\e5a2d0c.msi	msiexec.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\OBS-Studio-31.0.1-Windows-Installer.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	get-graphics-offsets32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OBS-Studio-31.0.1-Windows-Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d3755855d3e98e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d3755850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d375585000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d375585000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d37558500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	obs64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	obs64.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	obs64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 9 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8A567BD6FA501A947AD1F646E53EEC14	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\ = "{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Version = "237536274"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53\A4BB3B8BD01A15F4197B6AF4AF3CE17A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEADDITIONALVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.40.33810"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\F84DEC95EFBEC084A883CF70C9B2CEF0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\09A86F63C932FD435BC8463B1035EC53	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.40.33810"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.40.33810"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\Dependents\{5af95fd8-a22e-458f-acee-c61bd787178e}	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Provider	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}v14.40.33810\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\FilterData = 02000000000020000100000000000000307069330800000000000000010000000000000000000000307479330000000038000000480000007669647300001000800000aa00389b714e56313200001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0\VC_Runtime_Additional	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\FriendlyName = "OBS Virtual Camera"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\CLSID = "{A3FCE0F5-3493-419F-958A-ABA1250EC20B}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{B8B3BB4A-A10D-4F51-91B7-A64FFAC31EA7}v14.40.33810\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Assignment = "1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\INSTALLER\DEPENDENCIES\MICROSOFT.VS.VC_RUNTIMEMINIMUMVSU_AMD64,V14\DEPENDENTS\{57A73DF6-4BA9-4C1D-BBBB-517289FF6C13}	VC_redist.x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11D0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\A4BB3B8BD01A15F4197B6AF4AF3CE17A\VC_Runtime_Minimum	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\ = "{5af95fd8-a22e-458f-acee-c61bd787178e}"	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{59CED48F-EBFE-480C-8A38-FC079C2BEC0F}v14.40.33810\\packages\\vcRuntimeAdditional_amd64\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\FriendlyName = "OBS Virtual Camera"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.40,bundle\DisplayName = "Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.40.33810"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\ = "OBS Virtual Camera"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\A4BB3B8BD01A15F4197B6AF4AF3CE17A\Language = "1033"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\F84DEC95EFBEC084A883CF70C9B2CEF0\Servicing_Key	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.40.33810"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\F84DEC95EFBEC084A883CF70C9B2CEF0\SourceList\PackageName = "vc_runtimeAdditional_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\ = "OBS Virtual Camera"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{860BB310-5D01-11d0-BD3B-00A0C911CE86}\Instance\{A3FCE0F5-3493-419F-958A-ABA1250EC20B}\CLSID = "{A3FCE0F5-3493-419F-958A-ABA1250EC20B}"	regsvr32.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 630898.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\OBS-Studio-31.0.1-Windows-Installer.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 512782.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 349479.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5516	obs64.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2084	msedge.exe
2084	msedge.exe
2512	msedge.exe
2512	msedge.exe
864	msedge.exe
864	msedge.exe
4756	identity_helper.exe
4756	identity_helper.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
1076	msedge.exe
4520	msedge.exe
4520	msedge.exe
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4852	msiexec.exe
4852	msiexec.exe
4852	msiexec.exe
4852	msiexec.exe
4852	msiexec.exe
4852	msiexec.exe
4852	msiexec.exe
4852	msiexec.exe
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4708	OBS-Studio-31.0.1-Windows-Installer.exe
4460	msedge.exe
4460	msedge.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe
2056	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5516	obs64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs

pid	Process
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeBackupPrivilege	1192	vssvc.exe
Token: SeRestorePrivilege	1192	vssvc.exe
Token: SeAuditPrivilege	1192	vssvc.exe
Token: SeShutdownPrivilege	740	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	740	VC_redist.x64.exe
Token: SeSecurityPrivilege	4852	msiexec.exe
Token: SeCreateTokenPrivilege	740	VC_redist.x64.exe
Token: SeAssignPrimaryTokenPrivilege	740	VC_redist.x64.exe
Token: SeLockMemoryPrivilege	740	VC_redist.x64.exe
Token: SeIncreaseQuotaPrivilege	740	VC_redist.x64.exe
Token: SeMachineAccountPrivilege	740	VC_redist.x64.exe
Token: SeTcbPrivilege	740	VC_redist.x64.exe
Token: SeSecurityPrivilege	740	VC_redist.x64.exe
Token: SeTakeOwnershipPrivilege	740	VC_redist.x64.exe
Token: SeLoadDriverPrivilege	740	VC_redist.x64.exe
Token: SeSystemProfilePrivilege	740	VC_redist.x64.exe
Token: SeSystemtimePrivilege	740	VC_redist.x64.exe
Token: SeProfSingleProcessPrivilege	740	VC_redist.x64.exe
Token: SeIncBasePriorityPrivilege	740	VC_redist.x64.exe
Token: SeCreatePagefilePrivilege	740	VC_redist.x64.exe
Token: SeCreatePermanentPrivilege	740	VC_redist.x64.exe
Token: SeBackupPrivilege	740	VC_redist.x64.exe
Token: SeRestorePrivilege	740	VC_redist.x64.exe
Token: SeShutdownPrivilege	740	VC_redist.x64.exe
Token: SeDebugPrivilege	740	VC_redist.x64.exe
Token: SeAuditPrivilege	740	VC_redist.x64.exe
Token: SeSystemEnvironmentPrivilege	740	VC_redist.x64.exe
Token: SeChangeNotifyPrivilege	740	VC_redist.x64.exe
Token: SeRemoteShutdownPrivilege	740	VC_redist.x64.exe
Token: SeUndockPrivilege	740	VC_redist.x64.exe
Token: SeSyncAgentPrivilege	740	VC_redist.x64.exe
Token: SeEnableDelegationPrivilege	740	VC_redist.x64.exe
Token: SeManageVolumePrivilege	740	VC_redist.x64.exe
Token: SeImpersonatePrivilege	740	VC_redist.x64.exe
Token: SeCreateGlobalPrivilege	740	VC_redist.x64.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe
Token: SeTakeOwnershipPrivilege	4852	msiexec.exe
Token: SeRestorePrivilege	4852	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
2512	msedge.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe
5516	obs64.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4708	OBS-Studio-31.0.1-Windows-Installer.exe
1868	VC_redist.x64.exe
2968	VC_redist.x64.exe
740	VC_redist.x64.exe
3824	VC_redist.x64.exe
2860	VC_redist.x64.exe
1728	VC_redist.x64.exe
896	get-graphics-offsets64.exe
5904	get-graphics-offsets32.exe
5516	obs64.exe
5516	obs64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 3100	2512	msedge.exe	79
PID 2512 wrote to memory of 3100	2512	msedge.exe	79
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 3152	2512	msedge.exe	80
PID 2512 wrote to memory of 2084	2512	msedge.exe	81
PID 2512 wrote to memory of 2084	2512	msedge.exe	81
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82
PID 2512 wrote to memory of 5044	2512	msedge.exe	82

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.ve3rl.com
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc597d3cb8,0x7ffc597d3cc8,0x7ffc597d3cd8
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4636 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5132 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Users\Admin\Downloads\OBS-Studio-31.0.1-Windows-Installer.exe
  "C:\Users\Admin\Downloads\OBS-Studio-31.0.1-Windows-Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4708
- - C:\Users\Admin\AppData\Local\Temp\nslA9D5.tmp\check_for_64bit_visual_studio_2022_runtimes.exe
    C:\Users\Admin\AppData\Local\Temp\nslA9D5.tmp\check_for_64bit_visual_studio_2022_runtimes.exe
    3⤵
    - Executes dropped EXE
    PID:4716
- - C:\Users\Admin\AppData\Local\Temp\nslA9D5.tmp\VC_redist.x64.exe
    "C:\Users\Admin\AppData\Local\Temp\nslA9D5.tmp\VC_redist.x64.exe" /quiet /norestart
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1868
  - - C:\Windows\Temp\{AD2BBF8F-2359-41DD-97C6-F05207ACBF0B}\.cr\VC_redist.x64.exe
      "C:\Windows\Temp\{AD2BBF8F-2359-41DD-97C6-F05207ACBF0B}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\nslA9D5.tmp\VC_redist.x64.exe" -burn.filehandle.attached=592 -burn.filehandle.self=600 /quiet /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2968
    - - C:\Windows\Temp\{ABE36E13-7876-4680-AD49-E1FC856D14F4}\.be\VC_redist.x64.exe
        
        "C:\Windows\Temp\{ABE36E13-7876-4680-AD49-E1FC856D14F4}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{7237CA60-8EAA-434A-BB7A-85A724C24CF6} {B7DBBA98-4939-494A-B228-F96F8E0E49CF} 2968
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:740
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=952 -burn.embedded BurnPipe.{C0A1250B-25D5-4431-9D6E-A0672187C6A7} {C5AAC63F-0228-4C18-B87D-B9D7E3E57CC0} 740
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3824
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=584 -burn.filehandle.self=592 -uninstall -quiet -burn.related.upgrade -burn.ancestors={5af95fd8-a22e-458f-acee-c61bd787178e} -burn.filehandle.self=952 -burn.embedded BurnPipe.{C0A1250B-25D5-4431-9D6E-A0672187C6A7} {C5AAC63F-0228-4C18-B87D-B9D7E3E57CC0} 740
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2860
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{C20C7316-9362-4DE8-9104-0338F283B18D} {B2C92A7F-9604-49DB-A17D-1ABF6AFB4B96} 2860
        8⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1728
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:5580
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5544
  - - C:\Windows\system32\regsvr32.exe
      /s "C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
      4⤵
      Loads dropped DLL
      Modifies registry class
      PID:2500
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OBS Studio\OBS Studio (64bit).lnk"
    3⤵
    PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7060 /prefetch:8
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6428 /prefetch:8
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7568 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7544 /prefetch:1
  2⤵
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7756 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6572 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:5544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7816 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2900 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2104 /prefetch:8
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7444 /prefetch:8
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7820 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3832
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2056
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1404
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:6020
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3160
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5836
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe" /main
    3⤵
    PID:3132
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:5588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,9246676879077649220,3855427391641805692,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:2996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1904

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:2088

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004CC
1⤵
PID:1744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2248

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:5592
- C:\Program Files\obs-studio\bin\64bit\obs64.exe
  "C:\Program Files\obs-studio\bin\64bit\obs64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5516
- - C:\Program Files\obs-studio\bin\64bit\obs-qsv-test.exe
    "C:/Program Files/obs-studio/bin/64bit/obs-qsv-test.exe" 4fc7 50fc
    3⤵
    - Executes dropped EXE
    PID:5492
- - C:\Program Files\obs-studio\data\obs-plugins\win-capture\get-graphics-offsets64.exe
    "../../data/obs-plugins/win-capture/get-graphics-offsets64.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:896
- - C:\Program Files\obs-studio\data\obs-plugins\win-capture\get-graphics-offsets32.exe
    "../../data/obs-plugins/win-capture/get-graphics-offsets32.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5904
- - C:\Program Files\obs-studio\bin\64bit\obs-ffmpeg-mux.exe
    "C:/Program Files/obs-studio/bin/64bit/obs-ffmpeg-mux.exe" "C:/Users/Admin/Videos/2025-01-20 09-05-51.mkv" 1 1 h264 2500 1280 720 1 1 1 1 1 0 30 1 0 aac simple_aac 160 48000 1024 2 "" ""
    3⤵
    - Executes dropped EXE
    PID:3860

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CaptureService
1⤵
PID:6028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CaptureService
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a2d11.rbs

Filesize
19KB

MD5
5d25029d2b95014a629e5586e435c1a2

SHA1
c490ba8e1db04e7a95644deb01ae343362e72d9a

SHA256
246bed9682987cc281755bc542cf961189c2110c27f3a2695251b0309eca72db

SHA512
e4ee4e105f6521b1cada52393a972208f4f5d6fbac5ce5a5be16bec2f0ec219d55838001be249245af31baaca113bcfdfe85400fa4e14dda952fa2ddc7e36f5c

Download Submit
C:\Config.Msi\e5a2d1d.rbs

Filesize
19KB

MD5
7c0e6d7a6bc221890ec24d0c0e8b3641

SHA1
a3791cb3da91a739f6412df317a6b8285b452992

SHA256
a341715f68a6fccb81f5aad8a0da0cb859da9e611af636d50802277afda649a7

SHA512
db44d98d0378f97e7946291e16e33f072ad1929eed49331218b189d91579e21294de66486e53f4f6b7c39e7f6a72303c8705fb046176cb7bb1503ee2049b613d

Download Submit
C:\Config.Msi\e5a2d24.rbs

Filesize
21KB

MD5
ba9e0ebe83a7734f6919b1d113a11773

SHA1
f055e73d686a2fa72258dfa0f3dbf862449b49f2

SHA256
f4179eea0e8fb03f5146fd7c71c6fd27bbcc7efe9dc8d817b31018aeedae13c6

SHA512
a9eda444b284da9a123048f804e541745ec6fef1dc56223c12a084bb84c207844690c216107636251f7ade17ea074ed1e3b6f617237922fbd3936e6a09f48571

Download Submit
C:\Config.Msi\e5a2d33.rbs

Filesize
21KB

MD5
32be232d81a866c1647fda1458836f9a

SHA1
0d152222bd06801aa47a270db452a4f66c520224

SHA256
0a6a6c0fa54e445fbad0833f5d24da98aa15e56ea043413fb62e5a584b3d1247

SHA512
67a0cdcc5e1080605ae2f3962e2844ee0dce8a6b4debd5715861806a3865d27d7cdad80e68b84665053078b5170778a40a1fd891b88b58d1351c2309186d223e

Download Submit
C:\Program Files\obs-studio\bin\64bit\obs64.exe

Filesize
4.9MB

MD5
0a377ef20f2ddb1d18b4be57897b7e35

SHA1
3131882a6b830fb00207802ca8b354c46e381a07

SHA256
9ac899d7fb803991e5a5803b1cbba3a1979ad42437923016bd5a2760c4eccd8c

SHA512
c223b3aeba1e1ae66b64c6272dea7d8c684b5159dee8250cfd997d993ac49549646b759f286fb186e62c5767a9cccf6aad40e0c502bb6b1810ba6ffd00ffa0cc

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\nv-filters\locale\en-GB.ini

Filesize
1B

MD5
01abfc750a0c942167651c40d088531d

SHA1
d08f88df745fa7950b104e4a707a31cfce7b5841

SHA256
334359b90efed75da5f0ada1d5e6b256f4a6bd0aee7eb39c0f90182a021ffc8b

SHA512
d369286ac86b60fa920f6464d26becacd9f4c8bd885b783407cdcaa74fafd45a8b56b364b63f6256c3ceef26278a1c7799d4243a8149b5ede5ce1d890b5c7236

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\obs-ffmpeg\locale\oc-FR.ini

Filesize
18B

MD5
0ebd4c9db48f04f789e6254a92af4b97

SHA1
45f98976d001a97e4b18489cb73cca2aadcb1cf3

SHA256
54550f5495ca78de8ab1b4d32ddec042077823cb5654808e9f9f003857125450

SHA512
9b3ca441b80f23ff89094175bca2a2647d76e38277830420e933935a631a82ee010743410b632078750f4272cdc6b3362a56649ce9694a2c712367e0ab7f0e21

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\obs-filters\color.effect

Filesize
3KB

MD5
4acb6776b331a70950ed97371ecc5e63

SHA1
356bd8a1a32f99ed9ed443451a1373e3f2a5243a

SHA256
868404f54ec1c0b4771dee7a139a40baf2f9e5fffa43baf3fc8e60fcd03023a3

SHA512
a5e483a85192db013aef81c2dda70a8ab8691140bad3b3b624a5ec8ae0e5ac215b4b02606712da825719086556ef11df5f41150138a70bc856adb23352dba126

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\obs-filters\rtx_greenscreen.effect

Filesize
3KB

MD5
ec7719f3d7953c63ea1a0b4115bc812b

SHA1
0466fbbf2e7df3077bf247c4f15a698085e064d2

SHA256
4504ba84ad99e964d99bbf6f422295a764c37a9d220bdbe53d410f990d8fc503

SHA512
bb9ca44cffb5bdcb438c01d50e84c6344a6750d74c1df983106985543c77aa9f529d0b1c7fda3b83e44e36c69b03280b6ab8f73a33c6f681a8da7ba0e5ee15eb

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\obs-x264\locale\nn-NO.ini

Filesize
18B

MD5
8d11d8d5f894ac1ee8c551e9133c2e55

SHA1
10ddd90b51e5829b453c8990a7a7113757ce1ea3

SHA256
2a350d4fafb4a2c11614f7cb1bd9e59b305f1bf7446498ef11bfc6e8f25c12d7

SHA512
9e511850b7dabebad73e30508016dbcfdcc5f486bd06f12246f6a3ea0ae470f8a2e7ad20b924875961ec4c0ee10024e50dd4357189708d75b7ab190b58eb698c

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\win-capture\schema\package-schema.json

Filesize
1KB

MD5
cfc8555dce7c954555346ec0ef15fae8

SHA1
da1983d90d8bbbd3eb778ebb92d45427f1b35f41

SHA256
524437addbda00d3a64413b639847211054905a959786a4a5609fcbbb1f101f5

SHA512
4add0e8632568a665d640f63ec9eb992a3f50a21675883d48d26e784caf8b25c4bf6de706c2ab705fdad325adb02cd681779eed632976dfb042caa88a16d390d

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll

Filesize
178KB

MD5
5f955ac750ede9702420b248d557a5a5

SHA1
605424be7f2c48524e9650eb04bc17147f8e50ab

SHA256
35a0267ba615abff6daf1eccf06b40dd38fe524c404b1348eb7ae4263cc718fb

SHA512
b5794e43b89bcc6fb8c8565d92484a9bdff2639efe476a653886a190e62e44d565867e47e084af5f51ff91f45d2e5acb1f87eb58bec217fd70ac834820fcd2cd

Download Submit
C:\Program Files\obs-studio\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll

Filesize
221KB

MD5
cf419fff0a249d972563acc19c58be46

SHA1
300e04d779c1a82296c0081fb3ca9fd9f7f6e82b

SHA256
7f138fbe200e34fce0c2287e9db7d091d7769cfc1e02b4845693bf825bb32b0c

SHA512
133673cd25a42900d0ba4cceaff551dfc8fd888f30e9a9cc1d82d642c23c7a7320b63b983438db6e0a3bab836be3a7469a9807ba6bdd9d86e87b42e2d4c826e1

Download Submit
C:\Program Files\obs-studio\data\obs-studio\themes\Dark\media\media_pause.svg

Filesize
526B

MD5
f26adafdd9d123f489f874c9a1b4bcbf

SHA1
228f6132d7e7abcf77fcd49409f07e68b25d4adb

SHA256
3a8ebca48196921a623b652c07344507f14fbc265a125ead876e89b28ad946fc

SHA512
3ea1adbc6d327e09418a0476971bbb4868effb171045cc0743d21dbed3535eea275518bf9aef9eecf33e9653b19ddb751d3826d53907690672583243e64c13bf

Download Submit
C:\Program Files\obs-studio\data\obs-studio\themes\Dark\sources\media.svg

Filesize
558B

MD5
7de24f4b717974d92d44505a76bfbf14

SHA1
7695bf5a0dcf4847644ebceff8564f0e5c214dd8

SHA256
0c3127f56d6c3bfab49108c5d7f2e405f7e3c80f8ea9f5c407fa0902f02d919f

SHA512
75023a1588843a5a91c12787cea903b42da052a06106050885160dcf90386cdf8693fc0323d60802c767b524c7d4e83083815cb2a786aa6c082e88bf12c45640

Download Submit
C:\Program Files\obs-studio\data\obs-studio\themes\Light\media\media_pause.svg

Filesize
526B

MD5
b2e1d7d541b7fab7513d295f0ffdbc6b

SHA1
50fedc18267466537fc9c1d9b362143cb3621b01

SHA256
d71fe1d398ab1a31a0906c1054d67b022954ff3df6a750bb6c5e66375ed9a642

SHA512
575e068c38119ee7f873dc2243a15ca390a409ee5b9d2108ce5ea5ed5fda2974e3316f9d53e5a6a155c1def25f15f1bf575218347be71bde8b5a9310c9799ba3

Download Submit
C:\Program Files\obs-studio\data\obs-studio\themes\Light\mute.svg

Filesize
1KB

MD5
a98eb26acbfc095a09a54d004bb39d7f

SHA1
2254bb0d579be6555c85d5d61818b95c6306a597

SHA256
ab6ea7c4f98008a19662c171a03fffd0cba96a7abca34896c67de841e81727e1

SHA512
fb11beabd774e87911ad38975d190f829e48dd963074c41f610842738d9938865dd809846a4e75ee9e717be67e393d612019beedfcce42bfdda67bf19a975c50

Download Submit
C:\Program Files\obs-studio\data\obs-studio\themes\Light\sources\media.svg

Filesize
558B

MD5
782275b15439d90e21c0595b28e1f251

SHA1
a40a166994402a2fe2e782864c3612dbf2619179

SHA256
16440c1cf957bf20c8cb01d2a490ff46d4f2812376275d35051b659b62ac888d

SHA512
704da362efe3ee13771d589d1c3a94a8a85836d5c26d35aa76d02f502f683417e162df4067fb7fc26762c858d708b921a5fcf6c80f6505ef90dfa68c102af738

Download Submit
C:\Program Files\obs-studio\data\obs-studio\themes\Rachni\checkbox_checked_focus.png

Filesize
147B

MD5
0ca13c84736f193c4ddc36408b63eb79

SHA1
daf222b1b08d7f2645fdc2e25e63be2aa50e9b79

SHA256
9b7da86b40e8fe9da37ba2a4337c9bce14b07153a9722dd3de7772c1c5933ded

SHA512
1f95694e920b1be5a7d9a4c4f7eabccde8326965d8b1e3211085c67e84229f76300aed6ae29e2d79e817857cfe7608919233057fad6fda3bf515c59f3604099c

Download Submit
C:\Program Files\obs-studio\data\obs-studio\themes\Rachni\sizegrip.png

Filesize
107B

MD5
3cc9de00b77ffe788eb826b8608cad0c

SHA1
d7ea0e97469cd971b8e00ee564a540f24a9f1752

SHA256
31582f8295152ee22f44910556be5c2280934214a0ea3db73897a4c93cef34e3

SHA512
ed0f66eb14fd12f5a6e52825d209cf74e48be44933e2702f790ad0024b31d2f4c998d87e04f14fc80fb56bc6b2a257907a2a143334e79ae0cbc07e264ebb0c96

Download Submit
C:\Program Files\obs-studio\obs-plugins\64bit\nv-filters.pdb

Filesize
164KB

MD5
06c7e1d77d95a1f61acf55ec92485c94

SHA1
428c1ed4084ec7351d7a0ea13dfcc88aff2e8207

SHA256
c9dd1e30a27d42795c8c0c06e6a6e298ac0b8932922a4b29c04f7594728ebec7

SHA512
3b88ff8be2ecb84795ed00be34356bd3194974a2ba0e1b7c05192fa5021b4b87dc76f820fc7d7024e256b488895a79ed50fddf36999b5cfd50eec124b4014275

Download Submit
C:\ProgramData\obs-studio-hook\graphics-hook32.dll

Filesize
232KB

MD5
9ad7613871b9ea354e594279d0dd5cd7

SHA1
cdcd39b360749ee5ff53f6b81622551feae5bf5f

SHA256
2862c90e59e0544320f033d52c178b3adf2275932058bc9d342ca73b00a457aa

SHA512
395d459714687b0266c4787b4013f63acffdfaf2325342f0d9d458e1645e2c43e2c47c1fb1bff21442e38cec085a375c4ee159fe96a16391cc4f6b26746b7c5c

Download Submit
C:\ProgramData\obs-studio-hook\graphics-hook64.dll

Filesize
285KB

MD5
4e6f219ce2453fcafa9c4a6ca2243580

SHA1
0490957e0d988bb2341e3115e8ba5cbc4cf3a74d

SHA256
eb0a18117bb67bffa99ce77b817e4509dc0453e482022def9fb01a62408e45fb

SHA512
1e88f25106f51bccadbd1b727ce5e17ca5e1de185d125743e951361466ee956717a43ec3576de6dae27c2b34b6781fadec4a2e9f7f3cee30bf8c6bab1fa44992

Download Submit
C:\ProgramData\obs-studio-hook\obs-vulkan32.json

Filesize
514B

MD5
59a9aa7a899f33d7f8dfe58424c091e2

SHA1
0b1b8e669ec05f547b2c116606626480b7502d93

SHA256
c16e0707ae66ad71e8a0720aeb6e6997a1017f19762333452aef692115a9ab41

SHA512
77b4d92ce9d6a73336fd7beca77825682dbe5b94c921e87f3d6546765f65aec585b285dbc12c092c313b7055fdc55b1e5bc0b254ee253ea17dcc63027f5a8f56

Download Submit
C:\ProgramData\obs-studio-hook\obs-vulkan64.json

Filesize
514B

MD5
4a0ee9e5f72aec20551148f649ed58c5

SHA1
f5e897db4a7c311b2afbe6054fe28ba459712481

SHA256
7b6b0813fb58b276847a8583eb5c3f94aee7d7ad0ae3a1ef6133d5d8771f20f4

SHA512
8c7977ba8781ab0ad9d0ddeabb230d9466da6c9c47f33cbcee6380079734e832a1000e4a55218ea0d5acaee500fd458a3be76c6d4cb2831767cdc07c3930aad5

Download Submit
C:\ProgramData\obs-studio\shader-cache\1ab7aa1b854459a7.v2

Filesize
840B

MD5
0b2301660cbb980468bf1b8b4eda87c7

SHA1
ef3c7bf64ca477dad586d5ca3aa16318b27f4e72

SHA256
d913ce5b4ace04b97bb8f05bf49d777a5c231ce0737dd5a63bcd3215d8c63bd9

SHA512
b392bf58b9da599c8896f233c4a01e61e23546daef235d279b771a8849ea718a13b457b768b7196e3800ab82d24b946e066d334299142551bf3565d96673cf80

Download Submit
C:\ProgramData\obs-studio\shader-cache\4545d6ee7b176b7d.v2

Filesize
964B

MD5
925008d85689f03f9c2c19b2a58864ef

SHA1
9707491fe67342b0428924976a5d4d4cca787fef

SHA256
b03ed79f9d040f865ac250b25a7a99ccebf244c5bb9d2bae4287f025bae8edc1

SHA512
097e0733c12a57d148ffbdc844f9444026fd13359a52d8fe73d172e8ac8479d4e23dc1a00be3b04f2880e2f094a7a322fcafc3ba00603ee7f89c586a75cf84fe

Download Submit
C:\ProgramData\obs-studio\shader-cache\62281a72182c4ba6.v2

Filesize
908B

MD5
a09b098bf807333abd23734e543dc2e5

SHA1
972a560bbdcad956b41b96d5a5d98b74b3744aeb

SHA256
5e7044f39d34e7f45770264f93647c2701bed73c904f8f233dc5ea94870b4403

SHA512
bfced55e2eeeff8f5393a84b23ca0bec0391411a1b649be153cc1563c1e736e3e124b502fb6df18c5bab5ccb9f6dbd6369cbb5251dd03acfce8078ee96d8eb05

Download Submit
C:\ProgramData\obs-studio\shader-cache\6a755cdc9e6092ae.v2

Filesize
840B

MD5
a301b07b443e54d2763c6cdaf88ffcef

SHA1
f2da06b9dd608eb5786ad2fbbb42aa77f351c39e

SHA256
fccbe79d93005236718ff168a3ba2267d228b4f93cbc848a95eda3b8482b6697

SHA512
db51188f09eb3b13baeb726f80f06dbe36d1ae8c960aa75a7f88eedf42e67e286f3e7f33034fbe9a16c7cd339058dc4782e58467b0c033e94073bd326dcbebf9

Download Submit
C:\ProgramData\obs-studio\shader-cache\7a6e3fecabdd460d.v2

Filesize
888B

MD5
b1695633020889910efc1cd4fb9b02a0

SHA1
09eb2ec232b08bb092fe2cfcee795ee57275f93f

SHA256
3b625049381ef7d97538364c28efbbde8e5eb28f010f077afa36ef5a74778333

SHA512
2b4be7f4c6c8182a119d440204505e1022d017d9199933a9162a35ad5b2092efee29be847caddaf7e73d310a320f69481381a4527a59a9847ded132fc42946bc

Download Submit
C:\ProgramData\obs-studio\shader-cache\7f0084f9c4106e16.v2

Filesize
1KB

MD5
15d39c0e4271b5ccd51d06dd38ea848c

SHA1
beb07872ec6f978633df7a92ad12e239a41f0587

SHA256
ea9109f443a204812899fc727c2e3e779a9114136db0afd729deec2e817a2db0

SHA512
16ab1fb86f5ac7dd412c1e3f87668a8ced4881a578739077ef74f68869e3be4d802fad72232aed270be0be25712de494473b2f883a94acccd1dfa7342a83bf7a

Download Submit
C:\ProgramData\obs-studio\shader-cache\8d390f4ad08d5c53.v2

Filesize
936B

MD5
edac8cc11ee6b2f4eedf0767d9bd1a25

SHA1
816ae2f8507a2dd7f87da5645e5a28f144811539

SHA256
442e3643bab4f98c14485a18e239d2580f18989831f9cadd19129e3df30789e2

SHA512
666d64b4caa7229b888bbffc58db1995c791c8a6b1518fca195f466b6e5f6062f5928f897ed5ff14b02518df6fc078dd45662bbddb5d5805a6cf34d58e4026f5

Download Submit
C:\ProgramData\obs-studio\shader-cache\9ea4a251d7aa3c18.v2

Filesize
624B

MD5
e8f1aac1454a9411ecfd28bdf322b910

SHA1
12ca860dff45487c176212e2e4db4ced5112991e

SHA256
6c40664272501dab61c1507f87b612d40819510781d05971735443cef8ebc95f

SHA512
677dfc0140b6a75fbe9ae6e2c59dc0f305c8d5d7e34f858caad917893614c95c7eed8ddfb280d2f913117e3b02dc6613e369550ba38f97102fd6c4b197930254

Download Submit
C:\ProgramData\obs-studio\shader-cache\cd9cfd09db70c3cd.v2

Filesize
960B

MD5
a36fa067d5417109e7c2a79fa47109e8

SHA1
2cd916c1a5c0a21b021ebc424ab316be4cbcb499

SHA256
c0d87fc26b604a942bb03b1349794cb397ababfb1a14eb09fd8ea1de5144aed2

SHA512
d826b76826b10f675fd40fc36ebf3aaa8b5b69c41090282b491a7ffa77b853db80a3473f6032bd1afe406e5272d671585a93d0bca29d7cf9029ab50a140cd1cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
47KB

MD5
9f96d459817e54de2e5c9733a9bbb010

SHA1
afbadc759b65670865c10b31b34ca3c3e000cd31

SHA256
51b37ee622ba3e2210a8175ecd99d26d3a3a9e991368d0efbb705f21ff9ac609

SHA512
aa2514018ef2e39ebde92125f5cc6fb7f778f2ab3c35d4ec3a075578fda41a76dbd7239fe2ea61533fb3262c04739c6500d1497c006f511aa3142bb2696d2307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
26KB

MD5
8ce06435dd74849daee31c8ab278ce07

SHA1
a8e754c3a39e0f1056044cbdb743a144bdf25564

SHA256
303074dab603456b6ed26e7e6e667d52c89ab16e6db5e6a9339205ce1f6c1709

SHA512
49e99bffcdf02cfe8cef0e8ef4b121c75d365ab0bbc67c3a3af4cf199cc46e27ab2a9fdf32590697b15b0a58ee2b7a433fe962455cf91f9a404e891e73a26f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
242KB

MD5
ff34d91165410c4e9563ade56e6d1127

SHA1
b991817b72d2ffd931a5c1980bf749bc08b8cfdc

SHA256
006cacafac28eaec751f07c0ea67042abecb542bb6535af4e38730bb967a3dea

SHA512
50159437f6f5bc4a045aed64f0f75ee544e59e97fcfa0181b409b1f7fa0e378b5c7828a849b499abe3d569aea42f7435ee3b9e931e26c0866def87ac29975818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
22KB

MD5
778ca3ed38e51e5d4967cd21efbdd007

SHA1
06e62821512a5b73931e237e35501f7722f0dbf4

SHA256
b7e1bfadb8d9c061f17a7234df012df7842ab1aa8fb6f9579fa3f0a3b4a75bc0

SHA512
5f6f02099ca8079305fb7e7f43ae4344d522271fe30379c0854d6a81b7d8adf408a50a4b799b5f52e6ed162ba6ce7fe97e24a2b9719df780e75683d3aa103d09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000020

Filesize
1.5MB

MD5
a7a205cdd32dfb094e1eaddad4c0a713

SHA1
b2eab864bc1e5b9cfe27204cf977fa7279f1d2dc

SHA256
3564340f28d5e4aebd1bc8d5a39077425279ed28aa248aec8c95c6196291f54d

SHA512
fc6cebc6674bb3c0bbcf4c875a045e325e757dab28550766610d656edcd67a1447207e15e5a7faa2e724c8564eaec36c2dcfd1268e6d241f36d9656955c20d38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
49KB

MD5
65da8d6932ad74d3b51694b5a28dd0bb

SHA1
aa6e37cdacda153f499c299299a4dacf50c93765

SHA256
309ec80a404d5ba8c9816e0932bff343c8e205fe36819908682289ed7c7ae482

SHA512
bfce7ba0e18dde7d6f833709e565f704701d7a51b14d7c11b06cdce0b057290a334219c9aa4f7ea098c097eb779a2ceca397a9ad1ede0784348f78c81fd55015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
7518e85d7454fd79eb89f52f84a32cb5

SHA1
07208d22545496ab465143c7070abbcf668f4390

SHA256
27539865c1d7d982ad3db9c76937ddb90aa4fa36211090798edbad1caf5314cb

SHA512
26d3b227698ef46e9805343a05b61a1aed344ce097c19bff22f7fb4411ca4ba09c805bad2a19284bfc5141923f3451d332e54c1bcc394a82f1639bc826a2bb1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
60c98e354a30606ad34cef4e347f7c08

SHA1
a705eeb5fe966e323b875060b4ff39b88fbc1aa0

SHA256
117b42c26907b5910c3c08ffdbca622d15eb74b64d87a3b8a9df1fbbb60c1fc2

SHA512
72436960ca87c61617606e6e0c64c9ddf9976216d1fdf566fb76fd9b366cd6d4ee9f298a5bb264f7c01b9cf9423e18bd8ee7aaba78753539e186c8be70106817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
403a055a2a6f8ae26d0c157d1cb02aee

SHA1
5959cb5effb4bdac4ef9063cda616a9207ee112f

SHA256
c0f65e45c88afb04addfe2844881ae8d5664f820d55c6eff02300b1107b05e5b

SHA512
a4a402591b7dac6cc45acd432d5580b241db0b197193005620784d8c39b1e48875a0d85ee61af9292a192dbb78d27e0e7c643edef75330c99596b57ba1a61c8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f198dc7dff597bea2546a55cf9320b9b

SHA1
d3381a908307c8b7d6d25e05aa7264630f3afa2b

SHA256
c2bc7c9272c231c0fc3aa8964195350c8fd21d9f36a8e97c12271e0fea95c284

SHA512
a57f7a3c56db46955043ad0e5897e57035cd062db3f64d913d58d769bdd82f065cf3bba831b1ea597f8ccd76e67de152453cc9bd8fdf6642cacf6b3fadc36a57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c7553955f984445847668a5b3b286505

SHA1
b15ba0ed08c353c7cf3aaa861bbcf142ae76ce6a

SHA256
1750f7ec90122096d609142899f5e4073af1adefbb5cfbd15ca9c93a3391576f

SHA512
47721ceb9b5002df731d37b3a103540d2b0a0da4ab1561d71ab5de9e1f7f7be7a1e3ce632e71b179087edf9b65b8a0ef934a6d0dc5935202a9cb41deda2d8fd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b119d4a42adb09bba26f81d767ca82de

SHA1
72af22aa65361e33a5c0bb115192bbe9c3a10a40

SHA256
0662ca966a39268a3d51274b60adfc3abfa603db7278421fd2ae80be6671de14

SHA512
2694b70b9a85805232cd1d752b13d4f4eba9b9f35818cbd8eef87ee82e7e9b65f3af01c556c12babe032516651d6b3a44e0757f26b87b792c45bb62591fc0e7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f32cdf5e3f955558bb9990b56b6b9a11

SHA1
2b57ca100a496771a07a6c34a10ad3c77e30a9df

SHA256
1e2fad84f85fef12faacc2a3d7bca7da96990c5c466e82705d995a5f6a587ab3

SHA512
46c9cff27fdc6562c5fa4cb7dc04a97b6e1e3d8114c49916989863f193de99b5a31ab9cd3464829208d416b63d5e74324a7eb4128c0085218a274edb6c558228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
b6ec42346e7d27848ba3617f67821333

SHA1
292ef7adcc0f6cc5d3c1e12b2b61a870f0a1521b

SHA256
368a022832557db142083548181fa837636e23a8599e7797bbf35b3d40a315e3

SHA512
9d6448f66dcac7182ba70b38a2853b69781ff355e624c3178b67a640778233c60615c854e47fae4489ac4cb5553ced6eda04806590a63e1a67e6690c9996e9a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
653436c710883a1efdc02ae85350ac0f

SHA1
0d5c9484790dc8411e47f5f5e480438280a19eb2

SHA256
a0d569258dc3f47992e0ba4d6dc6e99c6ddc6c917558a2c5449109cea3ca10d2

SHA512
b2c7b5ed8cc351c385c0a846663b31d06f7dffa8ef85b7065b122d3bd8f873b1348069437fecc839700c72cb19d607737a31ced93efba4b49af4e1daf35d61f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
3955be4cac4a34eea4a6f8f6098d65dd

SHA1
372f10b1e95aec31fedd886f3c3cd72abf26705e

SHA256
3fc55528a175e8dab6f9cb2aa3f46cb8009402c0fe2ea4ff29c6d8e2983d5636

SHA512
e83b2df1b5b97f5d3a7a73765facb7e10cb0fbcd91acf48231a64b8f6ee11a2f96511beed478c9a0085232db9bd74c6fab97a380f4f62f99ec817d4eb20e0c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
a7d44f9fcdd7e3b290bc066d61861140

SHA1
512741999170600e70a8a761b689d7d6c4a78467

SHA256
b12a1ce7c5e2a2d3af1de0b9998dba73dc03a0303de3d2dd33da265012afa951

SHA512
195c3a0dcaede5e480399e7ffab79f93db122b1070a53ba223ec320681ac57a19ea7fcb663b81d0df8635cf7f16dbd89b9a385fd6f9b5d9e34b404d3a5f80a7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
7b768cd9cef33d7b193e1f06500e53d8

SHA1
e3da062e6c4c6179c53d2cc8ffac516e347b83b3

SHA256
6e78199d2169f024c5ddcf8405ce9f7daef39effc6d589a1ece788a21bbb55ed

SHA512
e210ff2fcb8d0fa28a590c98bf681ee0a444ae5f4e1074333a0c25da4879efee8c04a9f6ed3fd7de47a7b55806a3a24667e3148497ac8f2027b6d2998b0a24af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
de4cc02f3a77b5243818e64609f864a6

SHA1
f348dcb5c031f6796b625caa3b5b9f9cbee18342

SHA256
4f84bd842e49de04979a68b1c32f82986f0df00b27f22b38b6a735e7c268b840

SHA512
0350cc7355b22b43a08f74e7a4dc20f03221109b6c85825ce09f018d82af0be4c89d1c3574b637f82eb5edaa80d78fafbeeece623638e897dab96c6ae63920c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
d99370113175f61fd5d1b915fe0463cc

SHA1
ba5b534641a85802eb946f7701f75e3b3a45e355

SHA256
b8f9555a085f75011d97f209814917a2731b37c416a5fc82dfb1d2488fc148a2

SHA512
d0c7402430bc5898d7b6a81041527848feae861f30423bc286447e0bd8cfcb80783d84f3d55324695b00caf7fe7a7c82c48f5d4f94abb643a3e010291270d625

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
3db8750abf5507a59486f2c5417c7be0

SHA1
4f9b7b61e598e65e209ff0fdd27eb8f6299ca48f

SHA256
66b86e3e7b60b642ef2be0fce80d5be74f39b57c7fa38717e13505a13f56d65c

SHA512
6802907d8a33d1d260ad40c6852d4759f3b40f1304312e84efcbc9ea8262a58242d521dd4d21dc0c94bfb7bac7fac5c4327ea6e8bb7d21d60dcfbb4db6f1f91d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
972f4a2c3e434deab637ebbebf549b7b

SHA1
cf45f7296919b2be3e5c1c989b915f55ead34e6f

SHA256
e4df33636e5e2b1b2f2be77b859d16c56a0e4a708302db5a6c22639ed58065c7

SHA512
654173b0e923ddc51654c04644f283e91921c777044ca009e1bc266a363415cd7e4e48259a0dce1839e84ed225e7ebcf170ab6a2fac5bd8be8d0ed7897161fde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
e44bd456412d7d91cf4f054f675a68e2

SHA1
6109045f35d82b926c4eb3445dd48a11f38f3589

SHA256
33a4941abd65e09ade94bbad731c68c895808a4753a8a4213ab89aa482615d9f

SHA512
eab4146b2fdad5671b4fcadfdd1b1335638b404dba24dcc305376d5bbf0d69fabff1de297dcd4ad830269cb1b508401ad25ad38fe7a869ecb950010b970e548e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a0dc5f1768d1c42a6e57eaa49c0c2c8b

SHA1
0dc346a2ae7271de1b9adcbc9f38710c5bd3132c

SHA256
c52a9baf137e400dc926aeb7c5cf9554b97236aec2b2343f00a96caa58e911bf

SHA512
7365d56445651d5e5de8f1b557c0a25c2eac74c9839fc2854c734e2af7e77c4867337890f6ff07874b73c26180d5cca86bb30db1ba6b3614ffda862777d3aa6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7484f36c535592898a23531b3550b0d8

SHA1
51c54a557ce6c7c44e80b66e0892d56861fe5466

SHA256
fc6e7c827e73105c901225bdac42c579ac12bf2ca7c5b501ce56b1d0b401465c

SHA512
2146ec636fa8861f5c8bc5fd7adcdb64efb0d98c18c57ef8bb2ccc2557103e814ddd43ce404445fc346853d859c675967425ea47440173fe0e730da6c04aa0ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb8d065a8e91f7866075b5af0c1f3a41

SHA1
6c14206fa60be07ce8512a97772795ae0ba02bbc

SHA256
cc061ea8613da96d0d8e5d65fc398386494a28ba1908e48c9114757d3f94abae

SHA512
fe4e1f070939342a5e99cd76876b5576093c71f8cb4965b6097147b6af6be30ca9591df2cc11607ce73e5810ae7ca2e65fada1f00a664a869a79b7d18d2ad190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e071ca73ff07c057c905785951100ebe

SHA1
d0e88c5298a38230b60f08ab8bbad1124a6e717d

SHA256
561f9b101b37b8e44fbc3c9dcd57391cb098b838253f6f5f0c012a0269b4355a

SHA512
163e3067a759dec5c20958ad2af9a1aec5b1471deb080b0a0cf235355f1b2f43d42892329e4ee53d763ea68d1783229be2c81ee5f6602c7d32d43dcd35338af9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8860fa4bc61972c0b2bee5f73fc27971

SHA1
898e997c3d41ea1cccacc4dd0f38009c401dc1ff

SHA256
d4e81e39b72b2edcdca7d8a817058f0b9939986b0f6ee71ab183e1a14cf43ed2

SHA512
8c0b69c4549f96da57a57768aa79c8d9ae3bc85476973e1553a382f87f5103e9083c245bd4746b0c661d8e756e9c9d264902803c71e4ec21e52b2773b557c4c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\20dbd968-2891-4c3d-9b57-0cbe999fc4a3\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3bf117c6-995f-4c2a-ad89-0b184a4259d2\index-dir\the-real-index

Filesize
624B

MD5
8dea28332116e3efbfcf3b0148b765be

SHA1
84b9e5d64322bea48d49098074b9de7babd738e4

SHA256
c08d0745df52bca627047f624d20c24d5899c002cacb32f8321bed2a55186133

SHA512
30b88f63c4e3b5c46fc79018742f8a04cf0fc3bc4fb46fc8690d78944997319957de985b8f4302f3ce88566c999a58f566350a3f48d94f18ddb997714d6f1ee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\3bf117c6-995f-4c2a-ad89-0b184a4259d2\index-dir\the-real-index~RFe5b1559.TMP

Filesize
48B

MD5
52fe448fb3016f4153f2ea92f5327871

SHA1
230143e331040dde4882991000cab5dea1e79d86

SHA256
c05439666931e258ef7acef83a0025d94c203dc493d73f19482a8deb2ef04fc1

SHA512
f1aaa658553131efc2025106973568993f737e509a7152cd5bd454c7c743b60cdab964caea1d5b05e0c60e5a33ad3158413bae000ca7d27639c7e87e904b9ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\da20ddbb-6052-4b6c-b74a-c176d75bfa88\index-dir\the-real-index

Filesize
2KB

MD5
65add03461e093824b924cbb575fdfe6

SHA1
d294c7b610c3213a01b731118ebb0eced5af2178

SHA256
1dd2cb0f924725d99eada3b0301d77ea1700b50858bd6361917229413f699524

SHA512
3577ced470a89130599a3aff03f130686f9e7f8c77df55a9a65613be8b2dc13b8ea6de39306c71a562b8e20a92e414b8f8967a74c3f14b0100779e5c18a8da8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\da20ddbb-6052-4b6c-b74a-c176d75bfa88\index-dir\the-real-index

Filesize
2KB

MD5
9e100b4f3d0a2f37971d9b47ceb3cc6c

SHA1
a4ecfcc9f6d639a57d1cec5092b6feed1e0f6b2f

SHA256
db57cdf45d3a73d16ceb9f3a32d9268123d28819e84cd92ecbbf7684a0e1be34

SHA512
21c230918a356d194812949ecf0f70535f24a47b958884f6ecfb10e5d5f7296d2de768b426c2ccba67bf15cd34faa14c937ad24d0b2ed66d349e49f138081f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\da20ddbb-6052-4b6c-b74a-c176d75bfa88\index-dir\the-real-index~RFe5a5545.TMP

Filesize
48B

MD5
7b6d7d0e8939fd2d54451cf5377c3256

SHA1
426f06d9a1d941c4267c126cfa4a00dc761c1fc3

SHA256
a08ae4216639a9ed06fea6bc1dc8ceeb6793e0415bcc86d32240e76a40bcd336

SHA512
b5e31f97fbb4c0da01790ffa396b8fa6f9c7272d8cd1cb38d59dfd640b269ef7fce219ca15934723a0991fae4cbaa3a7291ca93801ebc43e24e188b2f21519ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
700188287152fb34ddfca9dcfac93e44

SHA1
d06acb83683b8666ce560cf2e2298564e0d4131d

SHA256
851806d1a1c094401a65f14240f157a495d1d25e783769df27ceffe0c2e3ff7c

SHA512
80f24b1c42f21040b9da35c74fb7197715aeff787a5f273e25ac8bd1865726c8005ea858e35915d28d73cd42e70d1f1d01f5f57b6b6a2cb3d6f302e3acd7b46c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
d052c45abc94b117d4ce90694cf52f7e

SHA1
2ece107fa3070ffbec980f75059f47e1dde9f049

SHA256
765f7991d510553f4128f7e45dc48248cd79acbb3ddbaa0d0d5e6ec7be8795a2

SHA512
d94f3aacebc3c15d2e8142c2f83eff0c41a9103f40241b32e60d91e387784ad4f1b78aa5f9c6af9a39bf0081ff15e578e48d950a9b0b5361277ea47b53b966ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
94b5066cfad1ba64a39096e94dc27f14

SHA1
2725aca550d81ea819c3bf690ca0a50ee2327c7e

SHA256
23d51983615e49a3a780d7af141bd147363afabf7c3c05c30a0470760a76d69e

SHA512
d0d16c33894fda5a771b3d455f7d09cfc702b56babf5e2b0bd01a6432308e64abb0225aeabd4ae21d11608a5251cd0ee763629c381374f0621185eba8c16d509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
cae77c0a0ac3d7691368f13cf1c742d4

SHA1
7faa2e9d41feb83b150cd0fc3b56a488e630c1fc

SHA256
f40f6e0d27e07fe3ef245f91765bad48e7c7c9da9e92eb57ebb2a8a9993d1282

SHA512
126d76709b9e4c664285cbd345b06993628120573228555ed7349ff0e1dbe15b387325b26bc3b6bdcd069d9a49e5de175c03fe8d2044d3cbf9893159a1566ce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
240ea544ef91bacc20d6a0151d45bace

SHA1
0568c1abc1f456b57db1256543f4cd8c01df8653

SHA256
e3134b276d2ed561ad856e551a5e50d9b9d43db2fb604668a877b00279f8afb8

SHA512
ce15285cc6438857e7792b5517f28093ebfa025041e04f366110c2206360d0e93c364f13cd8f7e2166caa87f3266df3c3dca3038d982ce923d6472d86ecdfd54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
1bed1913563fcaf5cb343175843b50b8

SHA1
19e4ccd7371b5ea32ddf2f6e139a15a630c2bbc3

SHA256
abff64fd768465f7c7494bf03ad6cd029801bd068060f3647c0e25e93323606b

SHA512
efab2a4258b2dcb212d1458da3db4f055e73a5928a883e901ece46727c820c353095bbbdfa66c17627894557e1976101200d757a6504d8773a1b42cf87296cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
28784016f0656f8aaadeeea8bb182c12

SHA1
6175317d9b9bdfb7a9e97a1ee2b451a60d09ef12

SHA256
9c03740256a97e8931a91e5e9ef93e0462f10e8b816f9db67745b02eda3e379d

SHA512
efa2fcff7cab5b144c8d42681465d3039860ff96eb16f78b26bc6b0b0bf00549b56e7f5c7fa43fe0483b630279e438e25af71d312cc8de54e93a1d23fa2c4431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
3e775c85c4f835e92d7e4e606984fb0d

SHA1
20f702c7a740d4ef8e7e41b369daabdb8e9e9017

SHA256
efa84afd967d4294963b99e704ae01661e5a8ea1c16c5c82154be9d6704e84c4

SHA512
1513575264b51129a58f3cd87d4dfaea6c89d1bf14ce7d8bfdda92f71361169e39cb99f9a3b3ce05c681b6414d599b7370ed8b20771d85ca3673fd735378e7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
4713c112299b23699f35df84e8234bcd

SHA1
f72d397bbd9f08d57a16b334aebccbfec70198e0

SHA256
182d21def63e76466e66a2fa3eaf18dd051ee6d0768ac29be8bcde78ed357c5a

SHA512
bb6fe62f535d04005d3ee54450d009103b766084b1cf4f8cb3e89dc9e2ec4c8b7c44e1bc6f427d47ab7d50cd97a2a0feb10b03e04993f893e74e94b355442c43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5aa26b.TMP

Filesize
48B

MD5
c342651167b6da7f2b77f0acd69322f0

SHA1
c1b77aba0ee4e9987c59ca8a295c85c8bac3f0c8

SHA256
c4b2392f4bc2640fa905bdd069bbb4ddf625233a019e7a956256421f9e20ee07

SHA512
1e2eb482b3e2eda25a2f8306b44ddd7accf2773983c44337ba90704fbdf75d2cf6711fee8a6f4638a784b9b6e39ee5732d4657f1021472f12d7a8c217a634eda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bb5b9c85b1eda0924e0cd831b46cc5ae

SHA1
1c6e9b86316e6c2e5242c19dbc6d9907db3d0af7

SHA256
74a874ac5f9eb330a4a37ebb8965cf06fa65e69b069b66fde141bdaa183267ac

SHA512
db5ad331c3916b3f0be3b67af2612ac975909c042ca17e09183dafc00444a4f53146caa69e421607f0c058aa474593f016f4230770e7acfa219a3787bfe967dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
347f1a1ef0eb85d634e1aa1cf550c842

SHA1
71d964acf2e5c80dc0d5c251e64a4ca22fb40d5a

SHA256
87374da8dc26b67df6d9f241e384c80338ff61fa3e41be768690ecc204958bca

SHA512
82c24e8061be48be4130da4372bc2b0efcbc7d29b7d1965d467a9f4c4b8ad6c48a6d73d3a89400e23ae1d7f8741702b7a2e17c1500633f9c7b01ac1e4c645193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
11076eca99def06b5dcc044ed72412bd

SHA1
c7c9ec19592682c17d58e25dc7e9f3d32c5126da

SHA256
236c3028717aab739286d49b54d91ea4e8fe30b8e762e9a6396c5daea932a9f1

SHA512
0832b0f9ffb91febc9b5b42c0e9f624c27b0a3bdf5f9feb3c6f37f4fedcf7bc0e9ca58405d212bdd6aa66c389111ed77ba2f63a24d95644ff9953e97e7eb5b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eb5d5bf4c3eb96eb7e6fc9b5e488bb58

SHA1
05ba4e63777bd60975f9cf583706e960782e1d1d

SHA256
0c7044613ec83be684e20e77822401477053eef6ba1b043e9109c9d9ebeff429

SHA512
64eb7fa7ad06f72a492200d29a2890ff9a56e988dbdce4f75a21f79cc98e6764ed2e50f2ab8c8f8527370681d037a2bf75cc08ab58a8ab633a74988b2f22eb38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fc41efdb21bfc38747e1f9bd1901c3dd

SHA1
a9f8795bf2c5a062096307706f7be07c159bb1db

SHA256
ad949d13df699b51f1a4335bfb5baad19086d52c25f089a30df950cf06942857

SHA512
0266808aebc981b80b31a1ece3b77ebb9e9ccbaa7c747bd6bc46cc5a798674ef5c778f9a7406c164c9af84478f92e0dea36b08fd30616789ad5cbb3da9320f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e103519411eda29b86f62e4bbd990a9e

SHA1
9b36229f2256b2d0173dee9fd68ab8c24598babc

SHA256
3294f508776f5ab751469a4d36482a4c78e23cdd64541f0a1dfc4d7d163fe1e1

SHA512
764da47f4fdbe5a5bd83088e31bc5a3f4b063ec9bf01024706549683f5302eb0d74177d0088736457942c13fb9a235afcd952192067de9319b5c37246eee7c51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6767c5ad0f61beac320a7845244b6b98

SHA1
f41839c151b99958ab98ba030da3a29b86d45dfd

SHA256
41334bb2317ddd5a5cfa53e5c4c8ae31d1346c0f9bd98e37b4a9fc8e1e5b0efe

SHA512
9c7b39d20256d0199fa8aa11b12f4b0eec939340fc1bfbb01dbf621130fbd615c1a57a3b95e0314ad1a359cdb6b4017344a1d1fe4c5b2b69bcfb5aee5fd5aff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
21e4fc8a5f454beb62477c6da37eb6f3

SHA1
e78fc8b3de814d18261df14a4ccea72e90c894ec

SHA256
a407a43078592bf07368dc3e92c39a148fa23ab0d952eaf68f7f56c91e5a5970

SHA512
c59324a2f5f2909da8ba416e0d7626bbb7fe016924edd931da4b607d3c07e4542af1da416a4d9077cb4dbe5d09953cbdf18213ba55d892ff6ac167ca602a1e51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
83634cb829dd57d65cc1095e101e5471

SHA1
4bb8e7517b06a39e5da10d8325d0e9197a4a9a0b

SHA256
1a242d8abd7dcc108f5452eb2ab6dd0caf7c676e90f0544010b05ba629ac9236

SHA512
23d8803f9d18af4c33f12e6aae61cedef608f4035ee2b03bae2971ea603304f293be71e242e583978e834802ff2a3f5b452466d2ef9f5c3065885e22b49c8797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c832.TMP

Filesize
538B

MD5
5cc97dca6bd7b87a8067bfdeab4d49d9

SHA1
c64d0cbdb7169c3d86464bb6807735863e71ee90

SHA256
46e2d223368ca77af6e29e15899eab14823bff6372724a8a503e782f03801821

SHA512
47be394ef36e23964a39151c3ec859e1f0812cc176e98d40ff0d3431d098ee0ed0b3d650ce58de2a812db18fc03cf3491e420ec9973bdc41d40e10dc6f534c5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cbabcc5057cd9685d1a981af66ce384d

SHA1
21d5d09890a551d02a3a2fc3b3e8c2625e4d770d

SHA256
c3fe0b21973f5934b958118134c513c8d0900ebd1baad8abf6794443a85053fb

SHA512
a5e8b3df9a9fc657cc387c0bf867d7daace28ef76fe55478202cb6ae8487f99f4c2590e50ea2ee407d97dd9a67dff4db204126b8a0d79c8741495d319f689644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7f7bc871ebfd0ced1e89a22c80c22d4a

SHA1
ce673efc9e47f9d83df9aa9fec08a658e9273d41

SHA256
a38f38c073452edc97a8a922fc3047d7f69ea4f64b40426ca73efe959890a407

SHA512
4b8e2303d0ac0788a3e770e4e023bc0fccf5dbc4e04db863b0601564a482a12b2fde62b84ad42d82452d554e4717296b31d768b8cbdcd0664f0181029b440c46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b13d478b22cf557909fb2c0ea7e9c7a8

SHA1
4512796c098ff694277fdb8835911768a2f79730

SHA256
ce392f14207fc4de03e72cfca62148dc1772f74b898b6855736dad586bfe115f

SHA512
dc16ae88d55bbc4d060e5d666e60e82a134f614869966066cdedbd5af6e491f02a6ba62c78df636cf06c919d012a4363b02b3dc9394ecf1619441a69e9a5deaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20250120090215_000_vcRuntimeMinimum_x64.log

Filesize
2KB

MD5
c28d076aa26513d929035467f64548b4

SHA1
c152bc847b55e2e4327a98159bd0ad446a4c9f5a

SHA256
c1e1d37f6eeba267efffc2039f8bf7909b12651a8fe51ed94d97bb96c655e974

SHA512
881247228e9695cd45444f5d358433a72068d6d5780b4bbc93d4257f2d0b7437214c0171c792f6822dc0bc5e050aa4e7990b3b670f739cd5467bd0c62c637d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20250120090215_001_vcRuntimeAdditional_x64.log

Filesize
2KB

MD5
073eb36c978fd5a64eef8e0709e2388f

SHA1
21a18d86dec2164ce2a203bd4cabd4bb766beadc

SHA256
19afdace87cc840fe409183a18958b94f2b84367b4bdcb43ebac3b00e88a830f

SHA512
8f60119fa93079b15ccd90803219532021d5c84d46e0baf0e4a7df59ae00fa8b206e0b75a1a1a3826a759f113e0630b82486c6cf595575fd8890be2fc4574546

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA9D5.tmp\InstallOptions.dll

Filesize
15KB

MD5
d1eefb07abc2577dfb92eb2e95a975e4

SHA1
0584c2b1807bc3bd10d4b60d2d23eeb0e6832ca2

SHA256
89dd7d646278d8bfc41d5446bdc348b9a9afaa832abf02c1396272bb7ac7262a

SHA512
eaffd9940b1df59e95e2adb79b3b6415fff5bf196ebea5fe625a6c52e552a00b44d985a36a8dd9eb33eba2425ffea4244ed07a75d87284ff51ec9f9a5e1ac65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA9D5.tmp\OBSInstallerUtils.dll

Filesize
426KB

MD5
e1f825260e7224ef0526514754f7d0e8

SHA1
553d67289b039ffea5d8b59f509b9265dca2ba19

SHA256
1d84aa191fbbd842d5eeed302195579de1256a9acb980308bf31a631ac01e530

SHA512
b9453eb4ae6edbfd86e438ed0825725ab91100b8403a933bb0e359703be462f6d3d37f8bfb32eeae375a46512c619370f9802925ae0d8898f540f933b05b281f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA9D5.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA9D5.tmp\VC_redist.x64.exe

Filesize
24.2MB

MD5
1d545507009cc4ec7409c1bc6e93b17b

SHA1
84c61fadf8cd38016fb7632969b3ace9e54b763a

SHA256
3642e3f95d50cc193e4b5a0b0ffbf7fe2c08801517758b4c8aeb7105a091208a

SHA512
5935b69f5138ac3fbc33813c74da853269ba079f910936aefa95e230c6092b92f6225bffb594e5dd35ff29bf260e4b35f91adede90fdf5f062030d8666fd0104

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA9D5.tmp\check_for_64bit_visual_studio_2022_runtimes.exe

Filesize
10KB

MD5
9baff51bb8539498c81d0c2ed0034d9d

SHA1
e85ff796a54221f723ad36412329d8c650b7717f

SHA256
b324a6025986306656fc2a03d0a3e9ed5917dfa7cf14fbfca888d65b39822074

SHA512
cc4008bb5586840c1f031f09ce04904b22ae5ec43c3331586593fefffa22725c076835627253d6aa0468fd24124068603b82eb45490cf96e20a6c4f1d5472576

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA9D5.tmp\ioSpecial.ini

Filesize
1KB

MD5
1ae49de352f475fddbfb8eb6bfd3e79b

SHA1
46f9433d2202087c772d305491cdf865ef7a7a08

SHA256
ad3f019c58f4a1409a0832737693a258debf1548b5a7b28839ef236859a40207

SHA512
13820fa8a84ac5c67ceb410534b99aae6260bcc7911ab6f089d21f663a3fbf8c38d22ec5c741e4e750da9ac301418dc32e66174b64f38298f8701c9ba28dfcea

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA9D5.tmp\ioSpecial.ini

Filesize
1KB

MD5
ca0c9798da6800f6a8dc3658c3ff1a64

SHA1
3d79536fbe7a1fed98738eb2f94f93d43097759a

SHA256
224f83902380430f1a0a0911bdfce22bfe49714d70a7a07b90e527a68cf05b06

SHA512
456cbe8865fbc3dfc2551600e18500c8e4e93f07a5f5b7fa06310d1af27a0b6d4ee8f537cfa549d1b5f01b4b576279153dbe4bb3a53831cd06c7978388f4672c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslA9D5.tmp\ioSpecial.ini

Filesize
1KB

MD5
f66d2e52ef17c8845924837ddd8166be

SHA1
b7d8abf31d6a86950ddfcb4ec41e96bed77e8ec0

SHA256
03cf62a6dcdb9e868be8eb3bcdd78fd9e2c9f7f3f00b901f6faf9126c71f2376

SHA512
243868ed8ce37c615f4931d4272391cbc41b491fc5cca71fbccc14233ed56efcc7a2446fae3f5e5950058e915070fbd68bf590bc09eef9741a1f8068433e6748

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
ea0420607a05391d4c0d9d6d69205497

SHA1
47f5c0bea623a63f7e1e72f54d39d66dad8eda78

SHA256
4b0b79a2fe763058e8be02df121beaf1b556aca28e17cf862fc66638526a5448

SHA512
de3cd96ba7c0724e5751c0e6ac4491c98fc85da8a6893b958188c17f7e65f00c012c54d97b2ef24666d1ab8df5bc29a2e7bb49a510fa3c0d392939c6cedcabcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
ef3416901426b36b6162debc5e00747d

SHA1
0469b79f11a521748e8ed6aaa71f2c4bdf9c97a0

SHA256
9f825043cdd0994cbe84ae619be3a02dff93c24548401a5f8b6ddf1284b795cf

SHA512
a323362b0f7d84d2b66b62b243af71b9ca33393eeff7c26c7d833980a38fc9fc8a8140dd5357f08aea82523818a63ab26b54cd9794e3f305ad32d9b6bc3bf8fc

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\basic\profiles\Untitled\basic.ini

Filesize
27B

MD5
d785072bd43717886593f737817fff15

SHA1
8c7ef0936b7f5a5cec10e9b5e1278400e276e6f7

SHA256
7989006d0b1b17f5e4f4e20960713600d80612c3799963454e463f689a3cf613

SHA512
8bcd4ed11b248d2934bb7fed91cd8645b77f89ac75f357277a9de04e1121ef4217e982783d61c32b1e8e04d2c14eb82fab78926dc46861db511a8741a62c0c20

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\basic\scenes\Untitled.json

Filesize
7KB

MD5
6dadf5ae912939e741cba8e4c86dde8a

SHA1
d05b1765a0c957ba354d86a4f043fe26a7c20a6f

SHA256
99e4a697612292b79c0b8f008ea79c335cf9ee0ade82d58513663c718fd2679a

SHA512
f8b8efda58490c3fd03713c44e002de0cf48c326eff80eec0db66df86194ff9194d863d3ca6da0bf8ded85dd4a9a424c5d7114c6dec97b1efc93ef4cf92e4f22

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\basic\scenes\Untitled.json.bak

Filesize
4KB

MD5
ed33cfd2138c3ad91f49012e080a9537

SHA1
9ff291345731a0972b194af3a118a5920a8f6e77

SHA256
bd8107a4ead735a3657132302c1af7877d8304de51d65eac6693bf32af6a88a6

SHA512
1fd1e76fe9aa7f12ed03d08a1d3489a5df3944167267ede298c549e1228d7a629aca16f204b4e8568c5d78698d060495fbe0a83d16f002bd5b7d2c481b0b857c

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\global.ini

Filesize
32B

MD5
c5b18abba904caf48ae474421b4b96b3

SHA1
8326d2f4c21ac4b9c9bce74f1d3a8941da08a7e4

SHA256
e29fd68cdd32057471cb8fe02f07263c329a98635b7f0b6b5296d859f7c01ff2

SHA512
a960d38a07d1109e7ae595d39447077d9bab701bc11d95ac578f28fda1bc750a80509d31396177c1969bb10c8b546e952fa513156b66b37b5493bd68d930ea78

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\rtmp-services\package.json

Filesize
251B

MD5
51f27e3449d33f9b6ac586932251db3b

SHA1
cb49efc6a97af79daab628d828041c0bf22b9a22

SHA256
fc0fd4a9fab6699b30ae1243176c8ef8129b566f77df14bb43b7df418b0f57f1

SHA512
91e6b6937fe2b7ab872fbc6752519b1617597bad52b26e0c383d7d9834df5b80e55f2b8a415435c2e735b8f1e4d518eab135461a332cc84226c9e699f2517d07

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\rtmp-services\services.json

Filesize
124KB

MD5
dc0d36a2fb3ad59469e88c317bcc61f7

SHA1
43e6e71e1b614be62e2ebabe3a46af54bd72e1c4

SHA256
10ff5a87d4b5f693a816cd2f5929bef1a771c6715f4d17a4a363c2d228c07468

SHA512
10536b27aee419277474de928baa9ca13f7d99f74cfac0721ec5dd02d3d3dc5279103ea8da9b3d2b7b111173748d2dc39bbb2ff7275e43d289dc516c1927e050

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\win-capture\compatibility.json

Filesize
24KB

MD5
c22e6c6419c29fd06e235155a60a15a0

SHA1
c5b4f0d7b6f5e5acc5dc829c164a0a5ebe14f65d

SHA256
743b75afbca1c0a06e7622c7ae742676601c693cf373ba9cfcf00a9b55a3c2f8

SHA512
11aca98bc41913cfdae76674ef70f949b702d2dc3ea876f0c8c90830f0be5df5e4ed6b447a5093e217a40320a675da5050aa7ecbfa361d40a646629c4512a9da

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\plugin_config\win-capture\package.json

Filesize
250B

MD5
a79133c1d6a7cd15120e69825f116429

SHA1
360c7914cffff04422508b82130168e9aff47a35

SHA256
b95789b88346b2747624baaf26b6077d26d3df4c45ef307637c9177769ac9295

SHA512
f21c572a1b42d35b8e018a59f4d674c89919c35b6f26a71accbb3f9f08a11062f788ec4308fbf8595b21916a403303fb3bfb5395fd0eab5c4b0c96014458ecb5

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\user.ini

Filesize
939B

MD5
69627f1823eccc764bb91879718baa28

SHA1
561474f66695a93371b78ed6c53cc405900e09c8

SHA256
cb5491e7d79dccab403b459d2c50fdbd56732c333d0988e8ce65b5986fcc1090

SHA512
b1c59c71ad9634f84eb394c8fdf92007d878ad34eb2655070637bc02a2943261ffd416d6acf222fb0fa673df2f908977c819e50551e41cdfef8c73dfe485c7f2

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\user.ini

Filesize
897B

MD5
1211d0f5bbbba0bc99867cecac2a27a6

SHA1
0172cc3f6d12c160e8f6e644c91bb67427001cf4

SHA256
d74dbeb423126f15cca2ed420913ebc43c605359b694759f00cccd6e4e793819

SHA512
2274e93c72499eb6032df4672e7e1d111190b47191a02f296da11d6fd0573cfb3ee713c9b77710edaac372dd5934eb7e3ff168836a4072dd952ac0c119893510

Download Submit
C:\Users\Admin\AppData\Roaming\obs-studio\user.ini

Filesize
95B

MD5
5e1a6ec63e7f3c47ee8e518eb9363bda

SHA1
7ee6c56636dc5bb77c624542dfed81cf61e1301c

SHA256
90eb7d1ad2ba1c3f742eb01a0930d3e98a5fafcdbfebe4a30a429872721ef04e

SHA512
178aa925045f84eae42846cca4d7f8a8f339a044eda2e15d2ac07c2dcbf4911a38e5df7e4e1ad288b696285daf00c630ffa79216aca9421318c0af8a220f0dac

Download Submit
C:\Users\Admin\Downloads\11c3bea4-49f8-456d-be0f-e1fe52f78b9d.tmp

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\Downloads\OBS-Studio-31.0.1-Windows-Installer.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Windows\Temp\{ABE36E13-7876-4680-AD49-E1FC856D14F4}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{ABE36E13-7876-4680-AD49-E1FC856D14F4}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{ABE36E13-7876-4680-AD49-E1FC856D14F4}\cab2C04DDC374BD96EB5C8EB8208F2C7C92

Filesize
5.4MB

MD5
d5a3fd8ad806f66d33d652d5913a95b3

SHA1
7b1bb6cdbe700acc2434dc52c40cdd96a6462a17

SHA256
cc001c20f85e16015e0d23eb0c3a9bc3c3cdcc1adda53f88ac77dd29705ba01a

SHA512
594d710133f44049546c62c3c89614415ad776c24f3ada0a8d1724e6daf27f941eba43a05a096d90cdf51ad51c02462edd6308e2aa393cb8325fde256ed77037

Download Submit
C:\Windows\Temp\{ABE36E13-7876-4680-AD49-E1FC856D14F4}\cab5046A8AB272BF37297BB7928664C9503

Filesize
962KB

MD5
8eccd85b6c4273a28a54b0687feb6a96

SHA1
be791128af5713d407df2f7436ea8de1a80ca725

SHA256
8fafd6d0754ee53125902df1b67ef2db86eb7af4c097522f2fb58443501fecdd

SHA512
9fdcb359a5748d0d920e1e12cf31de42fa224840fd11e5878f7caff7c4495b4facacf1a58cdaf0caadd0d9a3af871870b755245d2c1af33f07f3229b85101da0

Download Submit
C:\Windows\Temp\{ABE36E13-7876-4680-AD49-E1FC856D14F4}\vcRuntimeAdditional_x64

Filesize
188KB

MD5
5fc68510b7425822a9d0928567ffbd1b

SHA1
f506d97ceac3c435ce6bafda7c47d9a35fc57714

SHA256
7489cdde6a0c8aadb3253f22c460c2dc8099ba677f42d46b277f7040327c9b28

SHA512
4dd4d99ace30eb1add9ae225f159f68636d42d1899acb50f616717f05045e402a2bbb76e4d86569a08ae74bb161b3911a73910fcc7044429da34159cf6b9f473

Download Submit
C:\Windows\Temp\{ABE36E13-7876-4680-AD49-E1FC856D14F4}\vcRuntimeMinimum_x64

Filesize
188KB

MD5
0d00edf7e9ad7cfa74f32a524a54f117

SHA1
eea03c0439475a8e4e8e9a9b271faaa554539e18

SHA256
e55a6c147daab01c66aed5e6be0c990bbed0cb78f1c0898373713343ef8556cd

SHA512
0b6730fa8d484466a1ee2a9594572fa40fb8eea4ec70b5d67f5910436ee1d07c80a029cf1f8e488a251439ac1121fd0a76a726836e4cb72dd0fe531ce9692f6a

Download Submit
C:\Windows\Temp\{AD2BBF8F-2359-41DD-97C6-F05207ACBF0B}\.cr\VC_redist.x64.exe

Filesize
635KB

MD5
ae0540106cfd901b091d3d241e5cb4b0

SHA1
97f93b6e00a5069155a52aa5551e381b6b4221eb

SHA256
8cd998a0318f07a27f78b75edb19479f44273590e300629eff237d47643c496c

SHA512
29bb486bfdd541ba6aed7a2543ff0eb66865af737a8fb79484fb77cb412c3b357c71c16addf232c759d3c20c5e18128df43c68d1cba23f1c363fd9e0b7188177

Download Submit
memory/1728-2927-0x0000000000440000-0x00000000004B7000-memory.dmp

Filesize
476KB

Download
memory/2860-2964-0x0000000000440000-0x00000000004B7000-memory.dmp

Filesize
476KB

Download
memory/3824-2965-0x0000000000440000-0x00000000004B7000-memory.dmp

Filesize
476KB

Download
memory/4852-8642-0x0000016C0A3F0000-0x0000016C0A4AD000-memory.dmp

Filesize
756KB

Download
memory/4852-7458-0x0000016C0A3F0000-0x0000016C0A4AD000-memory.dmp

Filesize
756KB

Download
memory/5516-8058-0x00007FF667C70000-0x00007FF668159000-memory.dmp

Filesize
4.9MB

Download
memory/5516-8057-0x00007FFC420A0000-0x00007FFC426B3000-memory.dmp

Filesize
6.1MB

Download
memory/5516-8056-0x00007FF667C70000-0x00007FF668159000-memory.dmp

Filesize
4.9MB

Download
memory/5516-8059-0x00007FFC28B70000-0x00007FFC28B80000-memory.dmp

Filesize
64KB

Download