724b8a00f9565a9673ac73a9fadb8d25617043d53c56773f7d7b9c62876cf178

Analysis

max time kernel
914s
max time network
896s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-01-2025 16:14

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sample.html
Size

266KB
MD5

a83e9b6a247d62ce76e7322c48f9b72b
SHA1

a7b293aab7ebb140ce48325402180c726793f6b2
SHA256

724b8a00f9565a9673ac73a9fadb8d25617043d53c56773f7d7b9c62876cf178
SHA512

3eafedde6bdc06bb7a30e35d2a227fde7e5c52c5880f245de6bf7abbad1958ae6275f895be769cfd809396a15bdb59b5d5077c1930097bc7360c0abb36c2399d
SSDEEP

3072:P9GPOIZ7aCZZ9eBIJZ9l5pRA+JejIpzr3Af1IjAwtN+25/j4PA:P9GPOy7aCZZGIJrpRNVpzr0Iz4PA

Score

8^/10

bootkit steam defense_evasion discovery persistence phishing privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
205	540	msedge.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 20 IoCs

pid	Process
4068	vcredist_x86.exe
5016	vcredist_x86.exe
3840	vcredist_x64.exe
3396	vcredist_x64.exe
3168	DXSetup.exe
4748	infinst.exe
3972	infinst.exe
4700	infinst.exe
2824	infinst.exe
4128	infinst.exe
2548	infinst.exe
3724	infinst.exe
4080	infinst.exe
5476	MEMZ.exe
1568	MEMZ.exe
5136	MEMZ.exe
3956	MEMZ.exe
4968	MEMZ.exe
5160	MEMZ.exe
3160	MEMZ.exe

Loads dropped DLL 17 IoCs

pid	Process
1520	UE4PrereqSetup_x64.exe
5016	vcredist_x86.exe
3396	vcredist_x64.exe
2432	MsiExec.exe
1200	rundll32.exe
1200	rundll32.exe
1200	rundll32.exe
3168	DXSetup.exe
3168	DXSetup.exe
3168	DXSetup.exe
3168	DXSetup.exe
3168	DXSetup.exe
3360	regsvr32.exe
436	Game-Win64-Shipping.exe
436	Game-Win64-Shipping.exe
436	Game-Win64-Shipping.exe
436	Game-Win64-Shipping.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{0d995f46-317b-4b5f-bf3e-9f98bae9d339} = "\"C:\\ProgramData\\Package Cache\\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\\UE4PrereqSetup_x64.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\UE4_Prerequisites_(x64)_20250127162437.log\" /burn.runonce"	UE4PrereqSetup_x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
199	raw.githubusercontent.com
205	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Detected potential entity reuse from brand STEAM. 1 IoCs

phishing steam

flow	pid	Process
96	5032	msedge.exe

Drops file in System32 directory 56 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SET8A33.tmp	infinst.exe
File created	C:\Windows\SysWOW64\SET8AE5.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\SET8BE8.tmp	infinst.exe
File opened for modification	C:\Windows\system32\SET8764.tmp	infinst.exe
File created	C:\Windows\system32\SET8764.tmp	infinst.exe
File created	C:\Windows\system32\SET88EB.tmp	infinst.exe
File created	C:\Windows\SysWOW64\SET890D.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SET8B64.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\xinput1_3.dll	DXSetup.exe
File created	C:\Windows\system32\SET87E1.tmp	infinst.exe
File opened for modification	C:\Windows\system32\SET8AA0.tmp	infinst.exe
File created	C:\Windows\system32\SET8AA0.tmp	infinst.exe
File created	C:\Windows\SysWOW64\SET8716.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\xinput1_3.dll	infinst.exe
File created	C:\Windows\system32\SET89A6.tmp	infinst.exe
File created	C:\Windows\system32\SET8B2D.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\SET8716.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SET87B3.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\X3DAudio1_7.dll	infinst.exe
File opened for modification	C:\Windows\SysWOW64\XAPOFX1_5.dll	DXSetup.exe
File opened for modification	C:\Windows\system32\XAPOFX1_5.dll	infinst.exe
File opened for modification	C:\Windows\system32\vcomp100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\SET87E1.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\d3dcsx_43.dll	DXSetup.exe
File created	C:\Windows\SysWOW64\SET88AE.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SET89E9.tmp	DXSetup.exe
File created	C:\Windows\SysWOW64\SET8B64.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\XAudio2_7.dll	infinst.exe
File opened for modification	C:\Windows\SysWOW64\SET88AE.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SET8A67.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SET8B63.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\D3DCompiler_43.dll	infinst.exe
File created	C:\Windows\system32\SET8BE9.tmp	infinst.exe
File opened for modification	C:\Windows\system32\SET88EB.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\d3dx10_43.dll	DXSetup.exe
File created	C:\Windows\SysWOW64\SET89E9.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\D3DCompiler_43.dll	DXSetup.exe
File opened for modification	C:\Windows\system32\SET89A6.tmp	infinst.exe
File created	C:\Windows\SysWOW64\SET8A67.tmp	DXSetup.exe
File created	C:\Windows\SysWOW64\SET8B63.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\SET8BE9.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\SET890D.tmp	DXSetup.exe
File opened for modification	C:\Windows\system32\d3dx10_43.dll	infinst.exe
File created	C:\Windows\system32\SET8A33.tmp	infinst.exe
File opened for modification	C:\Windows\system32\d3dcsx_43.dll	infinst.exe
File created	C:\Windows\system32\SET8BE8.tmp	infinst.exe
File opened for modification	C:\Windows\system32\vcomp110.dll	msiexec.exe
File opened for modification	C:\Windows\system32\d3dx11_43.dll	infinst.exe
File opened for modification	C:\Windows\system32\SET8B2D.tmp	infinst.exe
File opened for modification	C:\Windows\SysWOW64\XAudio2_7.dll	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\d3dx11_43.dll	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\SET8AE5.tmp	DXSetup.exe
File created	C:\Windows\SysWOW64\SET87B3.tmp	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\X3DAudio1_7.dll	DXSetup.exe
File opened for modification	C:\Windows\SysWOW64\D3DX9_43.dll	DXSetup.exe
File opened for modification	C:\Windows\system32\D3DX9_43.dll	infinst.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File opened for modification	C:\Windows\Installer\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Setup.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7	msiexec.exe
File created	C:\Windows\Installer\e607f69.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\CustomAction.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\APR2007_xinput_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\Jun2010_d3dx9_43_x64.cab	rundll32.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C	msiexec.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File created	C:\Windows\SystemTemp\~DFEDC11C8649C49BC3.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File created	C:\Windows\Installer\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Setup.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\DSETUP.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\dxupdate.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\Jun2010_d3dx11_43_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\APR2007_xinput_x86.cab	rundll32.exe
File created	C:\Windows\SystemTemp\~DF0E71975401555FD5.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e607f65.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI812A.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\SourceHash{D7B591D8-1091-4A00-A0B3-5301C45E5D51}	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\Jun2010_D3DCompiler_43_x86.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\Jun2010_XAudio_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\Jun2010_XAudio_x86.cab	rundll32.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File created	C:\Windows\SystemTemp\~DFDCDA1AC59711BAE1.TMP	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib120_x64.05F0B5F5_44A8_3793_976B_A4F17AECF92C	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\Jun2010_d3dx11_43_x86.cab	rundll32.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File opened for modification	C:\Windows\Logs\DirectX.log	infinst.exe
File created	C:\Windows\SystemTemp\~DFC6EFF4AA020899D1.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr100_x86.DF495DFD_79F6_34DF_BB1E_E58DB5BDCF2C	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\Feb2010_X3DAudio_x64.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\Feb2010_X3DAudio_x86.cab	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\Jun2010_d3dx10_43_x64.cab	rundll32.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp110_x64.4006A2C6_1BD5_3759_9C0C_17A8FFBF6E3C	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcp110_x86.F9D0B380_EB85_31D4_96AC_C6CB40086A55	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr100_x64.1C11561A_11CB_36A7_8A47_D7A042055FA7	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8D195B7D190100A40A3B35104CE5D515\1.0.14\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI82C2.tmp-\DXSETUP.exe	rundll32.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UE4PrereqSetup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DXSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UE4PrereqSetup_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
436	Game-Win64-Shipping.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d3755855d3e98e80000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d3755850000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d375585000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d375585000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d37558500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 53 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DXSetup.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DXSetup.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133824689523794556"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DXSetup.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DXSetup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DXSetup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DXSetup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DXSetup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "1"	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DXSetup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DXSetup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\PackageName = "UE4PrereqSetup_x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ThreadingModel = "Both"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\DisplayName = "UE4 Prerequisites (x64)"	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\ = "AudioReverb"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_7.dll"	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ThreadingModel = "Both"	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}	UE4PrereqSetup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\Dependents	UE4PrereqSetup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}v1.0.14.0\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\ = "XAudio2"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06160A3C31624122A971135BA0D60E46\8D195B7D190100A40A3B35104CE5D515	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_7.dll"	DXSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ThreadingModel = "Both"	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Dependents\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Version = "1.0.14.0"	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ = "C:\\Windows\\SysWow64\\XAudio2_7.dll"	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\06160A3C31624122A971135BA0D60E46	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\DisplayName = "UE4 Prerequisites (x64)"	UE4PrereqSetup_x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\ = "{0d995f46-317b-4b5f-bf3e-9f98bae9d339}"	UE4PrereqSetup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\Version = "16777230"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}	UE4PrereqSetup_x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\ = "AudioVolumeMeter"	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2499603254-3415597248-1508446358-1000\{8B9681BF-744E-4BA0-A6E2-348386F9D6AE}	SchoolBoy Runaway.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5a508685-a254-4fba-9b82-9a24b00306af}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ = "C:\\Windows\\system32\\XAudio2_7.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\Dependents	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\PackageCode = "58B2C1A7070C8C44ABD5ABFD86427F57"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\ = "AudioVolumeMeter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}\InProcServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8D195B7D190100A40A3B35104CE5D515	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cac1105f-619b-4d04-831a-44e1cbf12d57}	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\InProcServer32	DXSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\Dependents\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8D195B7D190100A40A3B35104CE5D515\VCRedist	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\ProductIcon = "C:\\Windows\\Installer\\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}\\Setup.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{6a93130e-1d53-41d1-a9cf-e758800bb179}\ = "AudioReverb"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\Version = "1.0.14.0"	UE4PrereqSetup_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8D195B7D190100A40A3B35104CE5D515\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{D7B591D8-1091-4A00-A0B3-5301C45E5D51}v1.0.14.0\\"	msiexec.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 522053.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BabyInYellow_Win64_v1.6.1.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\SCHOOLBOY RUNAWAY.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
2472	msedge.exe
2472	msedge.exe
1948	identity_helper.exe
1948	identity_helper.exe
4412	msedge.exe
4412	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
3084	msedge.exe
576	msedge.exe
576	msedge.exe
1208	msedge.exe
1208	msedge.exe
4800	msiexec.exe
4800	msiexec.exe
436	Game-Win64-Shipping.exe
436	Game-Win64-Shipping.exe
1988	chrome.exe
1988	chrome.exe
540	msedge.exe
540	msedge.exe
4792	msedge.exe
4792	msedge.exe
1036	identity_helper.exe
1036	identity_helper.exe
4152	msedge.exe
4152	msedge.exe
5236	msedge.exe
5236	msedge.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
436	Game-Win64-Shipping.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 48 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	908	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	908	AUDIODG.EXE
Token: SeBackupPrivilege	4868	vssvc.exe
Token: SeRestorePrivilege	4868	vssvc.exe
Token: SeAuditPrivilege	4868	vssvc.exe
Token: SeShutdownPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeIncreaseQuotaPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeSecurityPrivilege	4800	msiexec.exe
Token: SeCreateTokenPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeAssignPrimaryTokenPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeLockMemoryPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeIncreaseQuotaPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeMachineAccountPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeTcbPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeSecurityPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeTakeOwnershipPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeLoadDriverPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeSystemProfilePrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeSystemtimePrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeProfSingleProcessPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeIncBasePriorityPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeCreatePagefilePrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeCreatePermanentPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeBackupPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeRestorePrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeShutdownPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeDebugPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeAuditPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeSystemEnvironmentPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeChangeNotifyPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeRemoteShutdownPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeUndockPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeSyncAgentPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeEnableDelegationPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeManageVolumePrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeImpersonatePrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeCreateGlobalPrivilege	1416	UE4PrereqSetup_x64.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe
Token: SeTakeOwnershipPrivilege	4800	msiexec.exe
Token: SeRestorePrivilege	4800	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
2472	msedge.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
1988	chrome.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe
4792	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4836	SchoolBoy Runaway.exe
436	Game-Win64-Shipping.exe
5136	MEMZ.exe
1568	MEMZ.exe
4968	MEMZ.exe
3956	MEMZ.exe
5136	MEMZ.exe
4968	MEMZ.exe
3956	MEMZ.exe
1568	MEMZ.exe
5136	MEMZ.exe
3956	MEMZ.exe
1568	MEMZ.exe
4968	MEMZ.exe
4968	MEMZ.exe
1568	MEMZ.exe
3956	MEMZ.exe
5136	MEMZ.exe
5136	MEMZ.exe
4968	MEMZ.exe
3956	MEMZ.exe
1568	MEMZ.exe
1568	MEMZ.exe
4968	MEMZ.exe
3956	MEMZ.exe
5136	MEMZ.exe
3956	MEMZ.exe
4968	MEMZ.exe
1568	MEMZ.exe
5136	MEMZ.exe
5136	MEMZ.exe
1568	MEMZ.exe
4968	MEMZ.exe
3956	MEMZ.exe
3956	MEMZ.exe
4968	MEMZ.exe
1568	MEMZ.exe
5136	MEMZ.exe
5136	MEMZ.exe
1568	MEMZ.exe
3956	MEMZ.exe
4968	MEMZ.exe
4968	MEMZ.exe
3956	MEMZ.exe
1568	MEMZ.exe
5136	MEMZ.exe
5136	MEMZ.exe
1568	MEMZ.exe
3956	MEMZ.exe
4968	MEMZ.exe
1568	MEMZ.exe
5136	MEMZ.exe
4968	MEMZ.exe
3956	MEMZ.exe
5136	MEMZ.exe
1568	MEMZ.exe
4968	MEMZ.exe
3956	MEMZ.exe
1568	MEMZ.exe
5136	MEMZ.exe
4968	MEMZ.exe
3956	MEMZ.exe
5136	MEMZ.exe
1568	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 1548	2472	msedge.exe	77
PID 2472 wrote to memory of 1548	2472	msedge.exe	77
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 2764	2472	msedge.exe	78
PID 2472 wrote to memory of 5032	2472	msedge.exe	79
PID 2472 wrote to memory of 5032	2472	msedge.exe	79
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80
PID 2472 wrote to memory of 2444	2472	msedge.exe	80

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff858863cb8,0x7ff858863cc8,0x7ff858863cd8
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Detected potential entity reuse from brand STEAM.
  - Suspicious behavior: EnumeratesProcesses
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
  2⤵
  PID:1832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2456 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7624 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3816 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7472 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8016 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1844,12331859055772476831,1848249978656360499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7732 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1984

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E8 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1540

C:\Users\Admin\Downloads\SCHOOLBOY RUNAWAY\SCHOOLBOY RUNAWAY\SchoolBoy Runaway.exe
"C:\Users\Admin\Downloads\SCHOOLBOY RUNAWAY\SCHOOLBOY RUNAWAY\SchoolBoy Runaway.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4836
- C:\Users\Admin\Downloads\SCHOOLBOY RUNAWAY\SCHOOLBOY RUNAWAY\UnityCrashHandler64.exe
  "C:\Users\Admin\Downloads\SCHOOLBOY RUNAWAY\SCHOOLBOY RUNAWAY\UnityCrashHandler64.exe" --attach 4836 1935177289728
  2⤵
  PID:4240
- - C:\Users\Admin\Downloads\SCHOOLBOY RUNAWAY\SCHOOLBOY RUNAWAY\UnityCrashHandler64.exe
    "C:\Users\Admin\Downloads\SCHOOLBOY RUNAWAY\SCHOOLBOY RUNAWAY\UnityCrashHandler64.exe" "4836" "1935177289728"
    3⤵
    PID:3852

C:\Users\Admin\Downloads\BabyInYellow_Win64_v1.6.1\Game.exe
"C:\Users\Admin\Downloads\BabyInYellow_Win64_v1.6.1\Game.exe"
1⤵
PID:3120
- C:\Users\Admin\Downloads\BabyInYellow_Win64_v1.6.1\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe
  "C:\Users\Admin\Downloads\BabyInYellow_Win64_v1.6.1\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe"
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1416
- - C:\Users\Admin\Downloads\BabyInYellow_Win64_v1.6.1\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe
    "C:\Users\Admin\Downloads\BabyInYellow_Win64_v1.6.1\Engine\Extras\Redist\en-us\UE4PrereqSetup_x64.exe" -burn.unelevated BurnPipe.{71D54CCB-2625-405D-BDAD-5D21EF91548C} {5E0F055A-50F0-42A8-B689-DB9A7F1545B4} 1416
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1520
- - C:\ProgramData\Package Cache\AFA5BADCE64EE67290ADD24E0DC3D8210954AC6C\vcredist_x86.exe
    "C:\ProgramData\Package Cache\AFA5BADCE64EE67290ADD24E0DC3D8210954AC6C\vcredist_x86.exe" /quiet /norestart -burn.embedded BurnPipe.{BF9EDA00-031B-4B6B-A509-EC94AAF3D33C} {50597CFA-78FD-4E2C-ACA7-58F6BAFA0B15} 1416
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4068
  - - C:\Windows\Temp\{A9CB2BEA-2082-48AF-9CAC-F8A5362DEE2E}\.cr\vcredist_x86.exe
      "C:\Windows\Temp\{A9CB2BEA-2082-48AF-9CAC-F8A5362DEE2E}\.cr\vcredist_x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\AFA5BADCE64EE67290ADD24E0DC3D8210954AC6C\vcredist_x86.exe" -burn.filehandle.attached=592 -burn.filehandle.self=600 /quiet /norestart -burn.embedded BurnPipe.{BF9EDA00-031B-4B6B-A509-EC94AAF3D33C} {50597CFA-78FD-4E2C-ACA7-58F6BAFA0B15} 1416
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5016
- - C:\ProgramData\Package Cache\B87C38D093872D7BE7E191F01107B39C87888A5A\vcredist_x64.exe
    "C:\ProgramData\Package Cache\B87C38D093872D7BE7E191F01107B39C87888A5A\vcredist_x64.exe" /quiet /norestart -burn.embedded BurnPipe.{29BF3D0D-E6AF-4792-A1F8-D504A8BCA03D} {66142129-D1E7-4374-BC09-3201AB7BB5EE} 1416
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3840
  - - C:\Windows\Temp\{2DEB4908-D479-49CF-A114-2B33AEE4C314}\.cr\vcredist_x64.exe
      "C:\Windows\Temp\{2DEB4908-D479-49CF-A114-2B33AEE4C314}\.cr\vcredist_x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\B87C38D093872D7BE7E191F01107B39C87888A5A\vcredist_x64.exe" -burn.filehandle.attached=764 -burn.filehandle.self=572 /quiet /norestart -burn.embedded BurnPipe.{29BF3D0D-E6AF-4792-A1F8-D504A8BCA03D} {66142129-D1E7-4374-BC09-3201AB7BB5EE} 1416
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3396
- C:\Users\Admin\Downloads\BabyInYellow_Win64_v1.6.1\BabyInYellow\Binaries\Win64\Game-Win64-Shipping.exe
  "C:\Users\Admin\Downloads\BabyInYellow_Win64_v1.6.1\BabyInYellow\Binaries\Win64\Game-Win64-Shipping.exe" BabyInYellow
  2⤵
  - Loads dropped DLL
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:436

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:3844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4800
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding EB3AF1236ECB077A3FF4408888B74082 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:2432
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI82C2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241206000 2 CustomAction!CustomAction.CustomActions.InstallDirectX
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:1200
  - - C:\Windows\Installer\MSI82C2.tmp-\DXSetup.exe
      "C:\Windows\Installer\MSI82C2.tmp-\DXSetup.exe" /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Modifies registry class
      PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe xinput1_3_x64.inf, Install_Driver
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4748
    - - C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe X3DAudio1_7_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3972
    - - C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe D3DX9_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4700
    - - C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe d3dx10_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe d3dx11_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4128
    - - C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe d3dcsx_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:2548
    - - C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe D3DCompiler_43_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:3724
    - - C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe
        
        C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe XAudio2_7_x64.inf
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        
        PID:4080
    - - C:\Windows\system32\regsvr32.exe
        
        C:\Windows\system32\regsvr32.exe /s C:\Windows\system32\XAudio2_7.dll
        5⤵
        Loads dropped DLL
        Modifies registry class
        
        PID:3360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8537dcc40,0x7ff8537dcc4c,0x7ff8537dcc58
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,15918510294699291325,9416719498757638758,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,15918510294699291325,9416719498757638758,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,15918510294699291325,9416719498757638758,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,15918510294699291325,9416719498757638758,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3320,i,15918510294699291325,9416719498757638758,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4368,i,15918510294699291325,9416719498757638758,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4396 /prefetch:1
  2⤵
  PID:3344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,15918510294699291325,9416719498757638758,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4312 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,15918510294699291325,9416719498757638758,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Windows directory
  PID:2420
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff6cd8d4698,0x7ff6cd8d46a4,0x7ff6cd8d46b0
    3⤵
    PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4924,i,15918510294699291325,9416719498757638758,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:1580

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff858863cb8,0x7ff858863cc8,0x7ff858863cd8
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6268 /prefetch:8
  2⤵
  PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,10728977973411179580,16153362428697545755,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1704

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:648

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5476
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1568
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5136
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3956
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4968
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5160
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /main
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  PID:3160
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e607f68.rbs

Filesize
22KB

MD5
219ab09f208c899c33a96c9f55e286e9

SHA1
e9521f3207ca7789cc01f698b68a3c55af1a2846

SHA256
96f3381215fe235ba65e348d2fad69427b4f0bfee6fafd324250679867f2c82d

SHA512
85730f8a529109ef8e3f739ccaa0af921a7e7db144d97782db63ff2974e015340f50caa58d1c116200af92b0126e5101566b1581ebde5bb9206c6821bdc2cfed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
5cb16e48b582bf86a4b396fcbc235981

SHA1
3e7cbf189fbbff1efb9b04c398ceb902e816f15b

SHA256
ba479af493eeefdf7de4c86890f5d87886bc0bc92522d39dd09eb21f85cf23f9

SHA512
55210eb21fd974bb189063d4e377c37b2cf1c2e0d7ec056dee48f8619cfe04a7a8c1ba329abcfa7edb4785fac08375df4c8261e98dc3a8294f0f4fc29cf61eee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_BEF5BD13CF5F13F6FF3D15BBADC93CE5

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ECF3006D44DA211141391220EE5049F4

Filesize
92KB

MD5
8cd82b20163d878553d9bb28346ff5e9

SHA1
749f3a980badee739c8aca2aa0cdda843a3eaefd

SHA256
f6ff5bdf8d570f160a2e75f133aec65121e3c9b67638389b55f7bee801adbb7b

SHA512
fdd18abfb1ec697f34654c461d1142e21470838f6958dffc68299c092b43a0f075746ce59e7ff0a8a6d649c147f55c04a3c70d52dda5950043a9f1e5b47a8ffc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
47d588e2738559f69b3fdd1dc802857e

SHA1
111b59b5fe463c61e64b99ff40545e489d185186

SHA256
7a72fcc1d4ea36be7352487781f7dc78b491bd3db0b0eddcb3c699acb10cfd51

SHA512
1c048df471e59a1a83901f6b5b2e8b87d031dbc2cfc6cceee2969cc0390abb976350b18c5a6b2dd5be77146250c78fdee0fd9d2f9a55327f64cea6438056480c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
93823252f9fd457190008ce3dbf0c824

SHA1
53919bbb2684f93e91e539668a7c08a4ab3a0646

SHA256
a6176309f087d08f54a61637c56ca25b79f96081039b2af6f6b66d7b7eeee416

SHA512
b4826c35110f403958ac4dd819774f6381a1c17227125669e9691124918977511f87f152a566d3b997649b50240414f579c48697d58ddd4bf124b61887dddba8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_BEF5BD13CF5F13F6FF3D15BBADC93CE5

Filesize
402B

MD5
ba5a1c2c6dfe11fe228743b5754a33ea

SHA1
f41757f580cbea50efe020c613116166dcf5318c

SHA256
20e552b39d64c0943334a8c9a3e1d8aa210e277ef29fed8db8594e3fead95e7e

SHA512
fa5d1b6125435cb6db1f37640f217a4141be1b3b40f71108725ae0a21259140fc37d0a05acd3406e43da9f56719b0fb18fe820e79583160c600065f83e2a4b0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ECF3006D44DA211141391220EE5049F4

Filesize
170B

MD5
7eaa0ed6f8d1e35d0a1aa141a48ba83f

SHA1
86cf076ef340fa6cff97195a7a92936016dc8f78

SHA256
97fe88d7bd44028408b7c5f00f101b2f79cefe55966cf65cb58cb53cd2359e35

SHA512
1030be7ff73ea31d0b3b8c72242b132100b59b04627274259dcb9a528065566127b2ea9c10844b8d785af4551f0bd7d9b37675b808e30691bd95ef973e387c0b

Download Submit
C:\Users\Admin\AppData\Local\BabyInYellow\Saved\Config\WindowsNoEditor\Compat.ini

Filesize
2B

MD5
81051bcc2cf1bedf378224b0a93e2877

SHA1
ba8ab5a0280b953aa97435ff8946cbcbb2755a27

SHA256
7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

SHA512
1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d35699d9dd4e4520d1b8ab076c8c345b

SHA1
af782090a3452f5cd1cddc6b8026f006d7c7ace0

SHA256
c3f3928c56d7c830d4a15c3f10c37620e3bf3a529b9c518391492f1e8d375a9b

SHA512
8b86c554f5d29fe444e339cedd8312c5e6388856fc83184499e3ac9ad483538c0ee2979b905808d820747bdba527cce0892518e67c910f7a02d31d633aa79461

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
7b49e7ed72d5c3ab75ea4aa12182314a

SHA1
1338fc8f099438e5465615ace45c245450f98c84

SHA256
747c584047f6a46912d5c5354b6186e04ea24cf61246a89c57077faf96679db6

SHA512
6edf4594e2b850f3ede5a68738e6482dd6e9a5312bffa61b053312aa383df787641f6747ac91fa71bb80c51ed52a0c23cc911f063cd6e322d9a1210aea64e985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
80bd1a95d328a4cd2eefc1f4eef9ad6e

SHA1
3f36329e012f39f66416b6cc49a804e17af90565

SHA256
9161b7da196ef8ac4035cbdee3ff934a72be9e43da7d5a3074934f5fedc00869

SHA512
51fb375d2c6dd5b596053a677ade2b08f44bb057d8e018eb41433fac1e16808aaa76cafe157b9d8a418ad733a7f68e7251c61a070e09771e9a51516c86145d77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
82799b7bbf791e770f2e25e58e1287bf

SHA1
ec0197f00e52e44414aeeaac003fa5ced9bbb5eb

SHA256
78521ec8a18838f64d905f3ae222f3a4c5d953f083d1ceb1eae066187a309b83

SHA512
3e639faf362f59c0a56858c415e3011866dcd5b2e2cf9e9dcc30878789bbf56141eb96059a2ed52d9f93f81dc69e2d33fb9e0c29785862ad8b272c5161ced904

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
cc234b0f5db5b11a0954f047b7465a59

SHA1
ce0d112956b32b18779c5580364fa353d1a991af

SHA256
8d07f413d00e0d442911913f7a95cda4ee246138f35a9239c707efe4eb7c05f1

SHA512
643b8118c4ef226fe1d214452b1c042f2545b04499e556ed33b786b33fee8948c3315d8727cda39d90468213955113d8f75eda97460d99ac8f874afce46c280d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9e6dd3eb00ec53c2967755aaf0cb8033

SHA1
4130baacae08e1bace0d3ecab755ab636729635a

SHA256
7d246792fd520a8467f966eb8f76471f07b8a4857f888a75cbcafa87e5141bbf

SHA512
ee6370849a4b6203e1512e0d624081ce094a16e097ff9a1a2d1808afdfc8b4a4f62124c05059da2da72819af31aeb7fa94e9c91e6242d39c90017f1892b2eef3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e338ee6d16fd5831da16cd4d86379b5e

SHA1
d84577204889abe569aa3ecd915b2b971a8a7f70

SHA256
0fcdf88f5bea8b87e281f61435e4aae0c21c27553a046ca7bddd268983c2c7c1

SHA512
dc821e959832d5dcf4a018d1498fbc6359f8d9403cf640f3cf3a073146dd14ec612901e6948762b14910e72319bbf248a685a268bd065417990b1909e95871b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
24ca6d93c188f53f9b1a3b8488078cd6

SHA1
bc366438a686badfe6d073075ad048e2da638e1b

SHA256
f1a4fba2c19fdd8bda503c9307dade447aed6782fec024f333ed0ad70a75df65

SHA512
c765125b9e4cf1acebd2dd0965b37b34ec120ca3b813aef9846e4d8100f84b7f7ac975ecae1d349e2b20f13fa10755e941474e7a0af207937df0f58af00290d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
15a1a8ca2640d53ab428d068a7ff4dcb

SHA1
a37f7adb463ac7c2afbafe25d4f0a6973a821c69

SHA256
50e7a9edd203d92454ef747e2c627ef74751b885450890be4dc451d08f1e8390

SHA512
886b45177647d6a8a6db3be7da9da5cfa00b43a373ed8dd554eb42c5fb66e60a4ff877ba817ea1ac3f4b26d29b185fe7a2f4f43ea20645722c42856199e4e249

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
85ef97be369def36957a6095db4f3237

SHA1
d68edf5eae1b0d52d669c18a52dc246da54b725d

SHA256
75157fc11f4bfeb933ac0396f9b076f05e8a72f4c53b10759233297ab9b44dd6

SHA512
1d7459a61c2e1948be87dc99cdb40104b2f45a03f4d3df156d891abe0333fb09f71f2aad9db700fbd8b5306be95f60d1104a3e0bb33b7e2923e333109a55b7d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
c23410e0fecb6cc5a30a14445dfbd52d

SHA1
7d108f912192d9a5fe80b49957fca986f9115694

SHA256
bc0ebd4ee1961acf9cd43030536d7e5306e4826aa96899bc1b3b14e04bcf40be

SHA512
fb3d0fb71a22f7230b92759bf2c21849217237de8992620dc9dd00335c8af7cde223819f2a53e67b8a403ac43c695dcbd3827bb4c34a7f64059e744eace6425a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
06af88e2fb2219165331f0d705fba98f

SHA1
34d3b942f030c3f0c5676a5b1fcf056e190e956c

SHA256
3d41d2eafa8b8e942e0a8ed55067b42cc95d0bc4426b0537c4ca4f07cfb23078

SHA512
17eb1cd31bdb8027e96b7cc6f1e1e6ffca9c0d427e8a2fe56bc7f6628770ab6451dfee2a119c4d9751552b0793434c71e46e4a58557bb234efd2dc4cd4b1b7b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
1b38f9a1537044fc71730c9fd4358b64

SHA1
cac17ed6c4d2e1d2bd1ae9dc24d7dfd76a44d64f

SHA256
b363e6dd69e072c65462a53d0464f960946cc3e35298ae2e570b8878e91a1f6e

SHA512
742b596c6572c2ce5cba637de55f4972a479afb0c793a20985b8b3bcf4b9bf104bae0e6688b71d404f61d3b38ee326b101fd68ad5e5025e417607193be64d5ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6b11a25bfd88bdb21b6b962a10ce18b5

SHA1
363403b6c1886305b4e7075b90b5314b19e9ff32

SHA256
6dca21feece386020cb63d1bad999c530a08327731894588bfedac85f387d7fa

SHA512
fe0ac0e4ee9652981fb1fee68b42bcd0cd53b2bf1184eddcfd742d54bdfd88d7e6d6f116b287c7c5ebcaa9a836928cee6ee54dd0d5f5cafd5a80678c5dfe4562

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b3fee11513ee6fa136a436b19f6e6e9

SHA1
5ebaff59b14176343b4fec60cfb78998c97b402a

SHA256
6cb8774235cf3a4dd731a1081615c1b3c025f8345b55595208b393e27f437fe9

SHA512
ba90e20a2359e7ebaeacee48d8f32a7459e8e8a5619061f22fc18897c4e7caf695c1c816ca701f63685119bb263e3ced67465c64af4dd8fd7f88caf7269b1f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\79080b85-21a4-4b55-866a-61b3f68424e5.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
101KB

MD5
cc4a4effdd17d4e3a8ae976ec0bfa546

SHA1
adf05cc55fd4484b54c0d37093a1082a33877bcf

SHA256
bc45d217bf2e49c66156280c69211793fcbdde7e94beb7a0cf05b3c96670c44d

SHA512
6bb94022d27138270416d1670525ba2bebc4e020817f1e9d10e748931c6c5df264fce5b58a13fef438a95e51f90455cf0409a913db8d37d2c8c15aeea1b965ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

Filesize
52KB

MD5
7166c2a215e6f77d6a2d997b21ccc2e7

SHA1
a5c408774e0b64c3902a233c7dd3eee476d9dec4

SHA256
4dfbd388e31d555aed5a47fcdb39251eb64799c64675d0ace511daf419a7e5a9

SHA512
46725f1f1a3104f2213b3fb331ebefd58db7ab0434988dd9379300e33b50f83d110baa48e8e69728328e60155b731816082f3df7f4b0978531f41d5624f5b557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
e6c6eb0f0011d6739bb7413517171425

SHA1
be3ace6f155459d5204eb027cc59ba8be181f3eb

SHA256
6413edd55a01a17de999a9543b8d04658b899bbbc46aaad67c601c1d776ac1a5

SHA512
158e39cb6261f44b190f43ce1dd5cbfdb8e34e608c27d5f0fc7e14d05e8d2730474db74629e8531d561ea6964456948a8fe701b1d63b90b58ca9c45666089a6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
46ef1719d85dec6dade83a5cc22fe5c9

SHA1
90518fe5195662fd1959a160494cb542e0ed6b4c

SHA256
6a8e852ae2815dff1b52fb786e34e3ca45646eafdb77a6f6850649a1b335de15

SHA512
118dea5ea69c7fd1e5204fcc074312bcb553be485ed9e83a7994d8b9af1dba331cbdbd524547e8edec521264f3930ca5b748256047f3d4657aa616625c369116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
28fc2f6f1116c7f75c585ffb0d088eaf

SHA1
1d2a44796f29542b9f356789631a54d103f2b9e4

SHA256
35414a4bcfeccbe31d2b1e5fd0f9c1ccc1c5feff02e4cc5ad49d1cf5cb97d1f8

SHA512
8f5bdefcb8bcd87da69352ec6e01d13cbaad21b0d2dc1d0ad8ebd6457768281a27dcbffc7f4c54945ca8929332315fb98c8d0c4009f1cac009521ee9a6bca0b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
4b4286c671a935df1037e6d8374ff730

SHA1
6534bd3367e1b0063b6d5c0fe25b4369a06e3249

SHA256
44fa259eef92d9fce64f1e5879ae545614f998e709b90ff7e5f5a54a0155d285

SHA512
c1786cb4dfc0e8456d9d7e005428c0f1d212a255ba1d7bf5db44200257514ff2796419e1da8c448c4f53a750378ee3300673cc98b5ef5cf6d72d19627145b01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
baf05ee9373d947515a1cf15e41f0c04

SHA1
9df4a62926ee3f0c7738e0b87c47b9512c006887

SHA256
48f6081f24e2e99082b93add5c288b5189b583ec2805836f17955b6bce27fb55

SHA512
02aba3c740e5a8be9105befbbd76272bd8bd451aad6b61ae8070778dacf926b240616a80912683b6ca006f7a93934a401c14e47d3cb384dcb13ea9769ecd6df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
19b0312d5bba390da100ebed7cc33f06

SHA1
e121a821cbd4f86e9b43beb0b2f33d120c153522

SHA256
1a091781612b95c07a2a1b2d61dbbff5635c15f2d254951c7d410dc5ab392f67

SHA512
61545334846f7d5a77d98152cc86b93dd53a3bc9a52584003934f2ca05a867de0c2ab7ea96f54db1ca5cb305bae7be2c00dd362ac3ac3d4311e64644dfeea6aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
4c3c9ee58e5531c6f468aca243fd7cb6

SHA1
f82a82e9932090492528207fbbabc00af5cdbdf9

SHA256
246e3656cba826059eda9491b9b864a5d690abe8f2af0739040c8f1c51f045f5

SHA512
5c22cb8152e8b645ba64d9eca9a28845a890e9e18c972e4f3e0c29c0aba28dc5e679b14b5f6f8a0a64ef5b475653ff9d6681b0dee66e1945a11277e7d5d2edc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
2cb9f2105c4cae18ce986bb327324af8

SHA1
fc3f40e0ba6e48d29f96de483704483cea32c2fc

SHA256
27add31dd1441663d132376ede1240af36ceada6b224f71f2540440d82bd6dd3

SHA512
13b2a6fa885b46fdf1aded694c2f223c80b5c21b2838f67c6b290e593dd9c985f66f3503f44a8865e60dca358855dbe6b2ff902ce82528028029b335289bb304

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b091db42a4ac78ff89fad2a7d60eb897

SHA1
959595b843ec6b7985b36aafce76335ea35df444

SHA256
6e5ceae7a6cc0c28d3dcedf64b334528a8df0958b9b78cb6e82542160c91a1a2

SHA512
30043a55afac4202d6561d03021cfb66bc4d542c486119c9ee14831f2b7b454d8f3fbae1b11e21ea42fc0b275198f02cd2ffac3feaa44bbded34ddf78be331c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e3f193e3e95dca1123237f7222d25d83

SHA1
106ae9e64284206991d5f5885c5780fb180b7cfa

SHA256
036590ac8d06b542925b3b12f504e1fcca1831df66390a153976393a0e0a3ead

SHA512
440cd5fa3bc86f1486d368f99240aa1b741590d9c0c1fd8fe5f37af03cda7482d734831a64804a01852f999582fbccae7dbf30b832683d1153a81269c07ca45d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4289af2d448784214fbe497b555f5d83

SHA1
62630d92492a55254e1a61d0bb0156152e67662b

SHA256
793ba82f98707f88aac2c11d3403c7e31d760c3bd5cb213054ba5379eacb55e8

SHA512
e5800c8de08f6ef67e3e47d2a899151249c52df2fbacb0bf20fb087cbb3d511ba529a41f1cb939ca1df435e660ad8eebd6df28f82fc3ade92af6d1a3efcb1305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
892968ef74f4cf34f5daa95588a6174b

SHA1
0b18e1774a07f4af68022f8cff9881ab713db8d8

SHA256
eb82e684edfd27d9e7e8ed0ad81f4ddb84dce972682347bf9236fbe85a378177

SHA512
9536877d284faa8f60c52f4bd777813cb3a2701fddace1a1bf411e87fedbe7fb0e415007433ba0825514a42eee253d0cd004764e8149a9165c58d790e04a2bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
90157fa18c099b1ed2bdf6390e1e6224

SHA1
16975b93df5c997abc80ad2c0ff579dda2208732

SHA256
6ad9aebccc53c79eaa59a647270df2d4ae60acd38b3295435b23b6585ab66b5c

SHA512
9e2d7fd6076b19eaed5210cb7280ed47d66f6b37ad71c0b843878051430128cb68b3bd100be930c65e91492e616b1c846abaaaecbfdf6a99e266ef15bba2d69a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5eebe4864969038e63c30bb890b4ae6f

SHA1
2d5af7e4914bb0f535947eb5d0310584a628f0b0

SHA256
4446930d827b3c033352bf2c12799e584015136caf01921d84e3c0e87b9966ff

SHA512
1a5dd77c833067808a64b2d0a1c593e25f9cd6deb824531be2c30d5c1eea50ff79bba1431de0693cf57e3b0c577945ff86bff6ac49a554914422dabfd9cee189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
cfdc76d403cf32556bd95a54ca8d96c3

SHA1
233884d665a6734193efd7fa7271ef16030e3660

SHA256
165340521739a56372913e5ff11dd97c57769f09a7e4a04d67cbea6c618e2d8d

SHA512
5b43e6d053437da0007f65959de8958147990685ab2067d45e8a166b8559858db24e07cd2b4f4a003505ba8638437868c470d800adfdf87430fdf60e00e4b922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
553a742b98fe21412c99b2c892c5a670

SHA1
8dded9e103848603ccc160cbbc66229c9160a5cd

SHA256
6514b463ea8a4888ddc73f2c39e3df8b772438b4a6e57e5ef338e6273e16af08

SHA512
d310c8e0c29dac0a9337e1f0c9ef6177c8082a4750e25188fc98016ed78cb9a3102faac40470629716e8f6ce047f23bdfd02a414684e506ee92bec7dc0543579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
40b91a365de393adaf5be54249313779

SHA1
f462f9e8cdae9642b38cc523f2b1b883319a8e65

SHA256
024c3965bb9f29795c9b4a2c16dd880c6d8c482699b95cff81e035bd9ddd03bd

SHA512
bd824ec06454adc8f696d0f30db111d6a69fff4ea0098f726f486d657ae95432865eb766673991a3df4f4d0f0b2f8c2894fd615b802bd47d0768623e2e7bff2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
7da60130810bbf5f4bc5bedbf5fa8d10

SHA1
247c8a84f950136d64f7cccfdd91fad8e8f55803

SHA256
b158bdafae4c0d640334948c5dd007b685931cc5196a3b38d3aafc4d6937ae03

SHA512
4f66c90f965d91db3454d011df1e25b5d13371a3bc0b0fa2d992c780e7ecaa22a2b1c5c7a0907fa20aed53d4b33f57a20aff843e15dbeddffa8a1f542f7b8928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
8cbd8b341c643ec47799ae4ed63f3ce7

SHA1
7d8e53d9b040fee0a07f4adc21e68bfc26dd9d1f

SHA256
cdf72c983fde2f6df551f6ad8ba85673108d791a9ce49d62aeb27a8146e33ee8

SHA512
25443a32eb77397aa5f697c4947d5b6cfb2f68ddf81e1e3a7ebf08edec7813998b8d8f3629fa62464b83b9996dc5cd96fce764dac6c8825787f594b73fc5ab56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
992613f2c660745fda65c1fd2384fe4d

SHA1
045cb8f00ae4230823f26e99b45010f083161957

SHA256
316c522ddbbc70535a7042485da0527561ae15727adc711eea6333533ea71013

SHA512
fbe1b11d59f72c4f12db175076e5b38fdc08577742f65e950344565ea94b2594b8eb1e6f01a3cff050db20eea1ced254a8e0d9019e31da26c9728a465ffc3951

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e2613812ecf40f055ce967486bc5128c

SHA1
aab3ba869fad964df626727b59f305bae4941f51

SHA256
d77f6a3641014a0e30e8af7716adf5d034c96295f9161f9ae74539767be3b1ef

SHA512
39242590a51b89c4c0f0653dcf20c6a893f24fbc2dc43e54bcb8e6b500f57eb0860793bcdf9f68c3003c352a07a5314e903afc78806d5de71a8f24c836e76eaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5457db3a82ae88f3cf02b7d11712d2a1

SHA1
640fdfce3a5285256cd81453595e03760aa87e16

SHA256
647be5d3e73ffbd095cfcc1deddbf48bcee8058bd4d28be6fa2a2cf1d593637b

SHA512
1fcf5d71ae36920ad34df124fce0a131870d7961832aad1a0c98a9fba61093f4c9135050c054e6cee17aa163dd77c56f302292bdc319e65852b2b803230e84b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4967df262ef8998c5d0e4629b846da57

SHA1
fe1bf6e323305136cfde1e791e1539a2d5233f48

SHA256
3b6a86d5d614cf9b2b0aee8f7b9fcca7ad039d32e3ddd5a727a788291a8e21c7

SHA512
27fba0204bc6dbbaea8b7d13b8589e911130d6411c91393f8aee5836941a8aa3e4eb4300be736bf0584cae9e08154c2bbd53afa60e00e9ab5fa183f25dce073a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ce11001957aecc911f411c35a70729bd

SHA1
a3edfef518ae657e523d8990b9b2f7cc56fb5784

SHA256
41040ee4fa038735ad1b08c356b2aedd08323d301ca6bd7df1f3daa3ad5df16c

SHA512
d476d1587d9a6b48da7c09185dc336e5b19391cd342c38920b1c6c8db6449f2e465ec5ed65a5e7c4e2d76194cfaef5c1d2d0bdea7e87645eade9dd24c2b4c023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c1d45a8cbc4871644270bc03256a7ced

SHA1
2578a7b238efcc58c87accea85c9729965b97c51

SHA256
9cb7fa998a79ffe1a31d9fc9143108584cde3b11006126331ae3ecfcc4cc548e

SHA512
03204086cad507c92026edf514a3ed017ecbd0189e3c46430fafef6ef39130bcad03a18ce0ca1a257ab3c7a86ec17ac8df9b4accf60d02e8b9136c6ab24d74ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1dd5c69d0a183090507f450e72e898cc

SHA1
151b4d9d4b876ffe1b2879c7d17ed3ef6f5e1d5a

SHA256
cc85ea7123291e70a154696fcc49012adbb108961b2df43f99d396975ca560ad

SHA512
d591e108552439f7d826b68ce3289cb5faef89c0675bd5caa6a38df51fc36a4482546f76afe5d62b2808c74254c82313d5fbed8dc6bec25716ae13c6afc595c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5831c9.TMP

Filesize
534B

MD5
f76b644eb5b2c7b3a28ad97442973d80

SHA1
bacfd8869bad1592001b9dd34438ad81b9dc1028

SHA256
5a403272cf36c32d73797124df95426878d2df4f22119a9e40f0d28b14e79f3c

SHA512
b04eef3c8bdc163741d004ece1a53631303ebc2c7b3548f3d35eed6b3c19d08f0b4b2de7caa49966d43b7434ea1cade5688385cd3a9457ca0c75657ee1bb5108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f6d17488-330f-4003-817c-6a62074f76d8.tmp

Filesize
2KB

MD5
740427ac6e73ffb39be39415a766aecf

SHA1
07b73b6a14d89446c7b0a78f2be9e896b8ec04b2

SHA256
a276aa86a485fc0563694eac1db24c9caff9458ffcf0312634c95e51e02ae31d

SHA512
d0d03a36a75886e031f8d530ef4d1cf6a8ea6bc852121a3c5cb99f89e9c8438866e57bbed63cc0a27f87556e01cd0aad68da0cc13cf69e7441fffe0a8e45867b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
801c33579c1444b8972acd7f90b4ea84

SHA1
b14e1e73d0c27cc99a8d9226d33e71dcdc5b4017

SHA256
351ce3e5b7fe893d397de21cf2329199f9fdd172297dd1986fdeaae1331860d6

SHA512
89ac665ad210a1195cad96d3ce683b6c28b6a34e93499b4561417459a4847aab80d589bab1fcc910de672cc1366080b0544b726871e8ba35b2cfbf0c517a1eb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
bae634cadf60d9887cb7e0c8a9adff86

SHA1
28cf20b3c0c87f301c70d521213d7a00ee18bab9

SHA256
795e6da98cc2cedab920c9e328e07bfeae3fbd4d284d8d9b84e3afdffba984cd

SHA512
ff265f1eb939dd1499ee4ff45d63bc5758ef836343fcce0a077b8584b9d76b2cd364dba51cc811ad7096f40fbe7d5040d1b8063cf5d41102005bd4389526c251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d2a168ea5b9668ad23cefb2ab125ff70

SHA1
b14bbbb7a66806683507d47cdc5e60803dc90b52

SHA256
74fe70c00b460230085c52045312cc5aae441eaa7624ce06f7d19fa361f1adab

SHA512
93226dbaada44adbb94ea1014e12c218bf92630ca74da61d9ce6c4f02416d77f053b657f9a8e396f88227572066f4840c28cffbac1714e148e6020074c12ff59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0c7b08d5b0af0a8217d2602f1559d2d5

SHA1
0cf2038bbd9fa3d0938851babb6daf72f4bcd6b1

SHA256
7092bb4ea5ddd9684bf79714fe744ef7f442a8ea9778bdaf86971b50f72c7b51

SHA512
3013962398c7f9696ce70e13746ada8e6b0056362a7e868403623b694693e877582914e15cf9b2c29df16c97de42a46988a3fe46befe9128a3c7211db8c441e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
0ade760896029460b130ab5f1cd3e242

SHA1
9fb73e9ce9662094bf828cd5468b338320ce86ee

SHA256
2d402c65a8d5f021f2c1f18cede4281ff8b807eb22b88969f67d0c9c6a4830d6

SHA512
d311f6d6eb32eb969c8dbe55ce9bb6e5cedb05d9e53140e5f4556f55f748047584d3fe5e0d05d7c22bd0de9143ed6f97a370c3a5182fdeea6da4486afbcd3994

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\D3DCompiler_43.dll

Filesize
2.0MB

MD5
1c9b45e87528b8bb8cfa884ea0099a85

SHA1
98be17e1d324790a5b206e1ea1cc4e64fbe21240

SHA256
2f23182ec6f4889397ac4bf03d62536136c5bdba825c7d2c4ef08c827f3a8a1c

SHA512
b76d780810e8617b80331b4ad56e9c753652af2e55b66795f7a7d67d6afcec5ef00d120d9b2c64126309076d8169239a721ae8b34784b639b3a3e2bf50d6ee34

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\FEB2010_X3DAudio_x64.inf

Filesize
815B

MD5
49460e9297b0faab5a5d73e7aa2caa67

SHA1
a7e211f3d4ae808f67a798924c4d3314183df873

SHA256
68351f03f4ef83e4b8c359e3e130441081690a1866b838a1b35d64674ef3abbf

SHA512
92c4c0751e9123e1eb09da312bc44041d13262e26cefb807dcd1b354c5bd12c0d7197f1d3d457ddef89714b77ffe45db9c717332963c6daa507ae02a6d5fc941

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\FEB2010_X3DAudio_x86.inf

Filesize
1KB

MD5
e84adf38d499ae39090ad60fd76d76e3

SHA1
6af4d58bc04aac2723e8b97649f1b35fb1aca84c

SHA256
d4da3e530982812d1e2a31570b80af541fac1b13c72997d2aad7ea3bfeaf4a4a

SHA512
6714992e7aee7bd0798fbec68f92c97ee502127580e21e1b6693ed6737312b44dbc9fd9ef579fe552590e9e5a4904df94e4116334265a34699a04aa76ab87c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\JUN2010_D3DCompiler_43_x64.inf

Filesize
830B

MD5
6494a3b568760c8248b42d2b6e4df657

SHA1
700f27ee4c74e9b9914f80b067079e09ec7c6a7f

SHA256
3e779533a273e3395109c7efac13ba1c804c01b3ddb16938406fbdf90d851216

SHA512
2bf68b123d7823ad7182e132d9e55f8de7580229e8e1b3b40030da50bb9bdeaf67bb9727ce2171fa83b7f804c24d9728ffabb44cb5017b16b771bb19e62b1b42

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\JUN2010_D3DCompiler_43_x86.inf

Filesize
1KB

MD5
1a86443fc4e07e0945904da7efe2149d

SHA1
37a6627dbf3b43aca104eb55f9f37e14947838ce

SHA256
5dd568919e1b3cbcb23ab21d0f2d6c1a065070848aba5d2a896da39e55c6cbbf

SHA512
c9faa6bb9485b1a0f8356df42c1efe1711a77efa566eee3eb0c8031ece10ffa045d35adb63e5e8b2f79f26bf3596c54c0bd23fea1642faae11baf2e97b73cf5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\JUN2010_XAudio_x64.inf

Filesize
923B

MD5
dd987135dcbe7f21c973077787b1f4f8

SHA1
ed8c2426c46c4516e37b5f9aac30549916360f7e

SHA256
1a0f1b929724f8b71d5ce922f19b9d539d2d804c89af947d5927b049ef0fd3d8

SHA512
f0469c94219b4df99d7b9b693161a736fa8eec88a3f6c7f2cf92fab2ade048dfe61fcde3a4cf4f7a2aaf841d079a46b17259dea22cfb02831983f55bd7f61899

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\JUN2010_XAudio_x86.inf

Filesize
1KB

MD5
31d8732ac2f0a5c053b279adc025619f

SHA1
c8d6d2e88b13581b6638002e6f7f0c3a165fff3c

SHA256
d786d06a709d5dc26067132b9735fc317763fcf8064442d6f77f65012ba179da

SHA512
abc37922307f081a1ffdc956ce59598c19ad1939ecfb6ea3280aa6aa7a99c3eba5462731586ca262f7d7257d7d2a74ff57a45abf6b93521eb6f1c9f22f8eb244

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\JUN2010_d3dcsx_43_x64.inf

Filesize
815B

MD5
e1f150f570b3fc5208f3020c815474c8

SHA1
7c75fc0cf3e3c4fd5045a94b624171d4e0d3b25c

SHA256
5289b5ad22146d7cc0c35cdb2c9662742693550de8f013d1ec40e944288d155a

SHA512
a53618ed6ebcd50ef074b320eb3ebd38af4770a82caa808e47cba6a81982ced46cf954a1c5a383f171006e727d8211b4fce54c9faf27b4c14a770a45a09037b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\JUN2010_d3dcsx_43_x86.inf

Filesize
1KB

MD5
cf70b3dd13a8c636db00bd4332996d1a

SHA1
48dd8fc6fa3dae23cb6ca8113bc7ad837b4570d7

SHA256
d5200b332caf4fff25eb3d224527a3944878c5c3849512779a2afcfeae4c3ca1

SHA512
ae31a9e20743a2052deec5d696a555460a03d400720679ed103759241b25d55e2fbc247170da3c0c0891f32b131ab6a6845de56c2d3387ad233aa11db970b313

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\JUN2010_d3dx10_43_x64.inf

Filesize
815B

MD5
13c1907a2cd55e31b7d8fb03f48027ec

SHA1
ca37872b9372543f1dbe09b8aa4e0e211a8e2303

SHA256
a65f370a741d62c2be0ca588758d089dd976092cb910bb6b1b7d008741e18377

SHA512
545aaf268d141e2aae6800e095a1ae4eafe6bfe492d95dfe03789ccb245cc3ef3f50f43b10a41a3b0efdc7f8c63621b437323e133ba881f90a3b940095b80208

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\JUN2010_d3dx10_43_x86.inf

Filesize
1KB

MD5
53a24faee760e18821ef0960c767ab04

SHA1
4548db4234dbacbfb726784b907d08d953496ff9

SHA256
4d4263cbb11858c727824c4a071f992909675719be3076b4a47852bf6affd862

SHA512
8371471624f54db0aca3ea051235937fc28575c0f533b89f7d2204c776814d4cd09ee1a37b41163239885e878fb193133ad397fe3c18232ad3469626af2d2ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\JUN2010_d3dx11_43_x64.inf

Filesize
815B

MD5
590fe1ea1837b4bfb80dc8cb09e7815f

SHA1
792b5b0521c34c6b723a379dd6b3acf82f8afb1f

SHA256
2c4cf75b76203cba6378693668c8c00b564871c8bfd7fbda01e1e841477b2a3b

SHA512
80bee8f1ad5bfaba6b3ac5a39302a1427dbaa5919d76c89b279dc753170ec443924eadf454746ce331a6682ee729ab79bd390a5d3b55db8d08fd6f4869101f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\JUN2010_d3dx11_43_x86.inf

Filesize
1KB

MD5
fb5d27c88b52dcbdbc226f66f0537573

SHA1
2cbf1012fbdcbbd17643f7466f986ecd3ce2688a

SHA256
3925c924eb4ec4f5a643b2d14d2eda603341fbbd22118cdd8ae04aaa96f443c0

SHA512
8aa2200f91eca91d7ee3221bc7c8f2a9c8d913a5d633aa00835d5fb243d9cb8afa60fe34a4c3daa0731a21914bc52266d05d6b80bfc30b2a255d7acdf0d18eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\JUN2010_d3dx9_43_x64.inf

Filesize
812B

MD5
ce097963fc345e9baa1c3b42f4bfa449

SHA1
e7624afc3a7718b02533b44edfe4f90d1afda62a

SHA256
272650a2d9b1cfea17021f4bf941b21f2206791e279070d4e906ce0ce56ac16f

SHA512
f3c4f00eebd9d465bc2415d59c417bca0f5a07c8e13880b28704f770763609a653d4b06f53d98325b66c2c7094895190900c47980f81463215e919f00966ee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\JUN2010_d3dx9_43_x86.inf

Filesize
1KB

MD5
a11deb327119b65bacce49735edc4605

SHA1
0be2d7fa6254b138aa53d9146cda8fedbba93764

SHA256
6b33d32da02f664092d44b05237990f825b4062c105a063badcf978648b5e95b

SHA512
b0134a3d6f2d576e5fafb601014ab66fef91d661013acc8a7a9129940369a1d9ed5c0f228bb1666a4e891f09b4b18e83f0cb2080047aa84fa45ab663e5739a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\X3DAudio1_7.dll

Filesize
21KB

MD5
c811e70c8804cfff719038250a43b464

SHA1
ec48da45888ccea388da1425d5322f5ee9285282

SHA256
288c701bdedf1d45c63dd0b7d424a752f8819f90feb5088c582f76bc98970ba3

SHA512
09f2f4d412485ef69aceacc90637c90fad25874f534433811c5ed88225285559db1d981a3ab7bc3a20336e96fb43b4801b4b48a3668c64c21436ee3ea3c32f45

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\XAPOFX1_5.dll

Filesize
72KB

MD5
8a4cebf34370d689e198e6673c1f2c40

SHA1
b7e3d60f62d8655a68e2faf26c0c04394c214f20

SHA256
becfdcd6b16523573cb52df87aa7d993f1b345ba903d0618c3b36535c3800197

SHA512
d612e2d8a164408ab2d6b962f1b6d3531aed8a0b1aba73291fa5155a6022d078b353512fb3f6fff97ee369918b1802a6103b31316b03db4fa3010b1bf31f35fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\XAudio2_7.dll

Filesize
514KB

MD5
81dfddfb401d663ba7e6ad1c80364216

SHA1
c32d682767df128cd8e819cb5571ed89ab734961

SHA256
d1690b602cb317f7f1e1e13e3fc5819ad8b5b38a92d812078afb1b408ccc4b69

SHA512
7267db764f23ad67e9f171cf07ff919c70681f3bf365331ae29d979164392c6bc6723441b04b98ab99c7724274b270557e75b814fb12c421188fb164b8ca837c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\apr2007_xinput_x64.inf

Filesize
860B

MD5
94563a3b9affb41d2bfd41a94b81e08d

SHA1
17cad981ef428e132aa1d571e0c77091e750e0dd

SHA256
0d6e1c0e961d878b319ac30d3439056883448dcf26774003b73920f3377ecac8

SHA512
53cac179d7e11c74772e7b9bd7dd94ffbc810cfc25e28326e4d0844f3f59fd10d9089b44a88358ac6dbd09fb8b456a0937778f78ecc442645764f693ccd620b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\apr2007_xinput_x86.inf

Filesize
1KB

MD5
e188f534500688cec2e894d3533997b4

SHA1
f073f8515b94cb23b703ab5cdb3a5cfcc10b3333

SHA256
1c798cb80e9e46ce03356ea7316e1eff5d3a88ccdd7cbfbfcdce73cded23b4e5

SHA512
332ccb25c5ed92ae48c5805a330534d985d6b41f9220af0844d407b2019396fcefea7076b409439f5ab8a9ca6819b65c07ada7bd3aa1222429966dc5a440d4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\d3dx10_43.dll

Filesize
459KB

MD5
20c835843fcec4dedfcd7bffa3b91641

SHA1
5dd1d5b42a0b58d708d112694394a9a23691c283

SHA256
56fcd13650fd1f075743154e8c48465dd68a236ab8960667d75373139d2631bf

SHA512
561eb2bb3a7e562bab0de6372e824f65b310d96d840cdaa3c391969018af6afba225665d07139fc938dcff03f4f8dae7f19de61c9a0eae7c658a32800dc9d123

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\d3dx11_43.dll

Filesize
242KB

MD5
8e0bb968ff41d80e5f2c747c04db79ae

SHA1
69b332d78020177a9b3f60cb672ec47578003c0d

SHA256
492e960cb3ccfc8c25fc83f7c464ba77c86a20411347a1a9b3e5d3e8c9180a8d

SHA512
7d71cb5411f239696e77fe57a272c675fe15d32456ce7befb0c2cf3fc567dce5d38a45f4b004577e3dec283904f42ae17a290105d8ab8ef6b70bad4e15c9d506

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\d3dx9_43.dll

Filesize
1.9MB

MD5
86e39e9161c3d930d93822f1563c280d

SHA1
f5944df4142983714a6d9955e6e393d9876c1e11

SHA256
0b28546be22c71834501f7d7185ede5d79742457331c7ee09efc14490dd64f5f

SHA512
0a3e311c4fd5c2194a8807469e47156af35502e10aeb8a3f64a01ff802cd8669c7e668cc87b593b182fd830a126d002b5d5d7b6c77991158bffdb0b5b997f6b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\dxdllreg_x86.inf

Filesize
724B

MD5
8272579b6d88f2ee435aeea19ec7603d

SHA1
6d141721b4b3a50612b4068670d9d10c1a08b4ac

SHA256
54e098294ef0ad3b14b9c77642838b5992fe4573099d8397a1ef566d9e36da40

SHA512
9f1311803db1607e079b037f49d8643daa43b59ce6eafb173b18d5a40239a5515091c92b244ffe9cfef2da20530fb15deb6cf5937633b434c3262e765d5a3b21

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\dxupdate.dll

Filesize
168KB

MD5
94202f25810812f72953938552255fb8

SHA1
c1e88f196935d8affc1783ccf8b8954d7f2bfb62

SHA256
6dcad858cc3ff78d58c1dae5e93caf7d8bacb4f2fcf9e71bccb250bf32c7f564

SHA512
65b66d07ef68e0d1e79f236a4800c857e991ee3ff80ece4cfdd0b5f6083ea16f8a52d351c3af721cb05c06394ec91b4b5e3cfa4b0f0879f7549f3e3ed035e79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\dxupdate.inf

Filesize
12KB

MD5
e6a74342f328afa559d5b0544e113571

SHA1
a08b053dfd061391942d359c70f9dd406a968b7d

SHA256
93f5589499ee4ee2812d73c0d8feacbbcfe8c47b6d98572486bc0eff3c5906ca

SHA512
1e35e5bdff1d551da6c1220a1a228c657a56a70dedf5be2d9273fc540f9c9f0bb73469595309ea1ff561be7480ee92d16f7acbbd597136f4fc5f9b8b65ecdfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\infinst.exe

Filesize
81KB

MD5
a7ba8b723b327985ded1152113970819

SHA1
50be557a29f3d2d7300b71ab0ed4831669edd848

SHA256
8c62fe8466d9a24a0f1924de37b05d672a826454804086cddc7ed87c020e67ff

SHA512
60702f08fb621bf256b1032e572a842a141cf4219b22f98b27cb1da058b19b44cc37fb8386019463a7469961ca71f48a3347aaf1c74c3636e38d2aea3bca9967

Download Submit
C:\Users\Admin\AppData\Local\Temp\DX8486.tmp\xinput1_3.dll

Filesize
79KB

MD5
77f595dee5ffacea72b135b1fce1312e

SHA1
d2a710b332de3ef7a576e0aed27b0ae66892b7e9

SHA256
8d540d484ea41e374fd0107d55d253f87ded4ce780d515d8fd59bbe8c98970a7

SHA512
a8683050d7758c248052c11ac6a46c9a0b3b3773902cca478c1961b6d9d2d57c75a8c925ba5af4499989c0f44b34eaf57abafafa26506c31e5e4769fb3439746

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\.ba1\Banner.bmp

Filesize
123KB

MD5
461fa4877514f318a0d5cbc602daf7df

SHA1
5d2ed3abc96bb1fb419828e3de3fc75a6292536a

SHA256
638d5bfc987b45d28a308e8a4d68bd7c0a82d21e615e534fbfaa3cd0ad53889e

SHA512
c4def63dfde38cb2e35d75c7e61428cb9df2429af799e3e0b29c7bc1d9c60e8e32f18cc0e7b55e177d95bdb333a7a0d1f4369b02f5c574b6688047e01e9f98e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\.ba1\LogoSide.png

Filesize
43KB

MD5
63c9775d703ec8bdc9703f80d52ffc24

SHA1
1a5f3fa1fc4ee2a7e08506f8178d769cdcd7ec62

SHA256
8f03c6e8ce5f4898cc230e04d485e0e0744eb7ee180a3d8bb154f2fc9c7a93e5

SHA512
b2d9d18a3d6a1df401ede41e35af7167c6f253f54c290d1db64db212b5a2e9a2534e86e031e1e5499b2ce11bb952afc6bcd8f85aca351d49867c77dd4edba458

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\.ba1\wixstdba.dll

Filesize
135KB

MD5
36b53c5299a3b39e5c9cdbbd28a09506

SHA1
9f4c767ef7ea887a88a698bcd66e4ba691e1c17a

SHA256
97f1901e7c928b9231e503cd3a1315f0d8449356b9f25e7eb4c2cebeee72012a

SHA512
af4c7cea8bebe0f125b59eed11fa0053178dd546784f68ad7a642eb128ed0d05dd6ccfe685b912381b61becf9c336dcbbc8c4ce56884a511f3f0a69826d8de83

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\.be\UE4PrereqSetup_x64.exe

Filesize
786KB

MD5
ddf7b1641565da963c4b5fa54da0c6fb

SHA1
06e78b6490aa53b0aadd69689767b900559b1aad

SHA256
62182da08e543edb383be4cccba214e30f1dcd73395f461af3a142a69893f254

SHA512
194490ea8b440841924a2e453c4e660ec781d7959620118504b16ea7ad799107eab26eab765d8378509d6a6f67fed3e5673ad362789245f46a67a8c81b07076a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\PrereqSetup

Filesize
11.7MB

MD5
4cc0e85424b8c7ec50c29554637e5c14

SHA1
5ee1bdf3f72b16a1780cabb6288bb97db7eb4a12

SHA256
6e3f68b3f747899b658a5946b1bdc4cb5a8956c93e54cc1fd7dae454e4fa1d22

SHA512
49768efd40965167fa5e7c87b2c885f73eb4e9808b1fe923ad212d49c8b9c58efb8d2ac7ea9de4a2019b6d548aaac82290127beb1f711fb23cf32d038326ce45

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\VC140_X86

Filesize
13.7MB

MD5
24e8177b25c072f4fb0d37496ccdbb34

SHA1
afa5badce64ee67290add24e0dc3d8210954ac6c

SHA256
e59ae3e886bd4571a811fe31a47959ae5c40d87c583f786816c60440252cd7ec

SHA512
2fda8abc77b6ed9e98a2b120628e4e3b9458f2b18998c836eec1de82642244fe55234c7e52d6036d8b75c4b707a24f12fa639cc92d4234e94ed604a259d651e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0d995f46-317b-4b5f-bf3e-9f98bae9d339}\vc140_X64

Filesize
14.4MB

MD5
be433764fa9bbe0f2f9c654f6512c9e0

SHA1
b87c38d093872d7be7e191f01107b39c87888a5a

SHA256
40ea2955391c9eae3e35619c4c24b5aaf3d17aeaa6d09424ee9672aa9372aeed

SHA512
8a050ebd392654ce5981af3d0bf99107bfa576529bce8325a7ccc46f92917515744026a2d0ea49afb72bbc4e4278638a0677c6596ad96b7019e47c250e438191

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
ef3a8f7925c4b903fa17b68dbdcbc66c

SHA1
d8b75c54360149ad81af677a342834b96820205a

SHA256
07db1f69b428d8ed325b6b3255b74a84c3d7e0187d6cc761e2b3d031b09276b6

SHA512
727c8b67e1bd2156894ac80e2cb45cc54fe5e24e66369ebf6e63c554414679e1fbf8797bd690687510f412a543e57f2e91eb8f4aa287c8a5dcb849a61797b7ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
a1de8614fad8487c2d81e2fcc8df431c

SHA1
b1c5b6c322799859e9dc55b2afb3dc54c85b8a26

SHA256
86a467f87596eacdb14141fe2f05df0312a4ea67e63c91c3a5e66fcd75261ea4

SHA512
bc2aa50b5ffeea3b096aae97228acd076d1129751abfa3e49ab262b841d9c7d492350c74743225fd427193e354bc84cba658f21831eb1891a3b2a8b4c478e251

Download Submit
C:\Users\Admin\Downloads\BabyInYellow_Win64_v1.6.1.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Windows\Installer\MSI82C2.tmp-\DXSETUP.exe

Filesize
524KB

MD5
ddce338bb173b32024679d61fb4f2ba6

SHA1
50e51f7c8802559dd9787b0aebc85f192b7e2563

SHA256
046041aba6ba77534c36bb0c2496408d23c6a09f930c46b392f1edc70dfd66de

SHA512
7a63925278332c8e7949555383b410d8848a7834b85f34d659e351ba78cbe4d2ec09caccb2178d801b9b68725c9cbae48a6a1f07f0804a0c41eb51df79b7eca4

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
2KB

MD5
e431598d4da17dc5dd44bdeb6fa6f490

SHA1
2eebacdf1241791e82c01c14ca309357dff903d2

SHA256
33e6f8e408a8a53c967f47747e899ba5a30ae8a0b4df8c2370f66647b456cc74

SHA512
d43fb6edaa38ccedbfa4f95797e391202352ba99b2e54195a4a929f3d2f8157d99784c6c9f73822f3aee7847be40cc5023bc5f6599c7b6d7dcc4872c8a9a8c2f

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
3KB

MD5
dca3d0d6ae1f61e4bdd2810c14dc66ec

SHA1
12266134bdec9dc543b9462a6976f37cce7f5d2d

SHA256
bf2ac795204c7b749fe5ab7d4a26ebd7d3c9c60299963ee98b32784cd6afb3b4

SHA512
fd83bfd49d1874acdf389bb06247cadf90a5a43274dbe9de4d250565dd1a8e00947cb99ff6d40ae8fd20908e7dc762bbb234b502ba4d08baf50e7eeb3e427b00

Download Submit
C:\Windows\Logs\DirectX.log

Filesize
4KB

MD5
f3acf3285b40930f5c2ac24eb94e94a2

SHA1
7334e573cb3221f0afac1017f8f8d8a722448318

SHA256
498b486a83a9e5a98f31f015176a1210a360e4b586a37cbbca47bc8d0b1d88ae

SHA512
ab5a380a031d8a2e6d4e26e24fb62de75561c9f95380a0f3e51211e10eda976ca3635027e0991eef48abe3d3dc2f461aa10c6137a0949ac42d0f22e6362bb010

Download Submit
C:\Windows\SysWOW64\d3dcsx_43.dll

Filesize
1.8MB

MD5
83eba442f07aab8d6375d2eec945c46c

SHA1
c29c20da6bb30be7d9dda40241ca48f069123bd9

SHA256
b46a44b6fce8f141c9e02798645db2ee0da5c69ea71195e29f83a91a355fa2ca

SHA512
288906c8aa8eb4d62440fe84deaa25e7f362dc3644dafc1227e45a71f6d915acf885314531db4757a9bf2e6cb12eaf43b54e9ff0f6a7e3239cabb697b07c25ea

Download Submit
C:\Windows\Temp\{03F4DE9D-B24F-44F1-BF59-D17B698D04F0}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Windows\Temp\{03F4DE9D-B24F-44F1-BF59-D17B698D04F0}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{2DEB4908-D479-49CF-A114-2B33AEE4C314}\.cr\vcredist_x64.exe

Filesize
632KB

MD5
94970fc3a8ed7b9de44f4117419ce829

SHA1
aa1292f049c4173e2ab60b59b62f267fd884d21a

SHA256
de1acbb1df68a39a5b966303ac1b609dde2688b28ebf3eba8d2adeeb3d90bf5e

SHA512
b17bd215b83bfa46512b73c3d9f430806ca3bea13bebde971e8edd972614e54a7ba3d6fc3439078cdfdaa7eeb1f3f9054bf03ed5c45b622b691b968d4ec0566f

Download Submit
C:\Windows\Temp\{A9CB2BEA-2082-48AF-9CAC-F8A5362DEE2E}\.cr\vcredist_x86.exe

Filesize
632KB

MD5
c9d95472a5627c6c455e74c8b8fef5be

SHA1
34cb7f8f8b8dede7be6fd99e2b4bddaa37e5db82

SHA256
4b1bf90a0e4e3a628613c2fe42ddba589ee6303e37ccc70cf99ddc92dde03b0b

SHA512
989caff542f310972c15364925af542984ca73c1c1eec82fcbd1ea4bf9186487fd8349989afc95db4e761ebcbb8b14ce49482bc61d51b3259d134c571f4fab31

Download Submit
memory/1200-1608-0x00000238221A0000-0x00000238221D0000-memory.dmp

Filesize
192KB

Download
memory/1200-1610-0x0000023822040000-0x0000023822046000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads