1a002135b26f316cdc8d6bd0b1e089bbd80dc2b4616e7024b86968b33e78095b

Analysis

max time kernel
927s
max time network
917s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27/04/2024, 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jmjkjkkj.txt
Size

37B
MD5

3ac7d7b9f4be93e6e1f6ae5942e2e56f
SHA1

30c9fc0ca55ad4e5a790ae3e376b1f22bf49dda7
SHA256

1a002135b26f316cdc8d6bd0b1e089bbd80dc2b4616e7024b86968b33e78095b
SHA512

1ffbd4be03e14de0860363210f5bf012ed7acf3992e18aa701097b71b53fa69620acb2fc813ffaccad545d5e110515dce448b10cfec84c18924f7e37b8c60f32

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
984	File_001.exe
3584	setup-.exe
4728	setup-.exe
2184	OfferInstaller.exe
5384	Steam.exe
5496	OperaGX.exe
5536	OperaGX.exe
5632	OperaGX.exe
5680	OperaGX.exe
5728	OperaGX.exe
5936	Steam.exe
4840	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
5332	assistant_installer.exe
5348	assistant_installer.exe

Loads dropped DLL 64 IoCs

pid	Process
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe
4728	setup-.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	OperaGX.exe
File opened (read-only)	\??\D:	OperaGX.exe
File opened (read-only)	\??\F:	OperaGX.exe
File opened (read-only)	\??\D:	OperaGX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
4840	timeout.exe
5160	timeout.exe
5220	timeout.exe
5284	timeout.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
3936	tasklist.exe
2324	tasklist.exe
5176	tasklist.exe
5240	tasklist.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Opera GXStable	File_001.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	File_001.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup-.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaGX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup-.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup-.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	OperaGX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGX.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\File_001.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2272	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
3584	setup-.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
2184	OfferInstaller.exe
2184	OfferInstaller.exe
2184	OfferInstaller.exe
2184	OfferInstaller.exe
2184	OfferInstaller.exe
2184	OfferInstaller.exe
2184	OfferInstaller.exe
984	File_001.exe
984	File_001.exe
2184	OfferInstaller.exe
2184	OfferInstaller.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
984	File_001.exe
5936	Steam.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3120	firefox.exe
Token: SeDebugPrivilege	3120	firefox.exe
Token: SeDebugPrivilege	3584	setup-.exe
Token: SeDebugPrivilege	2184	OfferInstaller.exe
Token: SeDebugPrivilege	3936	tasklist.exe
Token: SeDebugPrivilege	2324	tasklist.exe
Token: SeDebugPrivilege	5176	tasklist.exe
Token: SeDebugPrivilege	5240	tasklist.exe
Token: SeDebugPrivilege	5496	OperaGX.exe
Token: SeDebugPrivilege	5496	OperaGX.exe
Token: SeDebugPrivilege	3120	firefox.exe
Token: SeDebugPrivilege	3120	firefox.exe
Token: SeDebugPrivilege	3120	firefox.exe
Token: SeDebugPrivilege	3120	firefox.exe
Token: SeDebugPrivilege	3120	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3120	firefox.exe
3120	firefox.exe
3120	firefox.exe
3120	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3120	firefox.exe
3120	firefox.exe
3120	firefox.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3120	firefox.exe
3120	firefox.exe
3120	firefox.exe
3120	firefox.exe
3120	firefox.exe
3120	firefox.exe
3120	firefox.exe
984	File_001.exe
984	File_001.exe
3584	setup-.exe
984	File_001.exe
5384	Steam.exe
5496	OperaGX.exe
5536	OperaGX.exe
5632	OperaGX.exe
5680	OperaGX.exe
5728	OperaGX.exe
5936	Steam.exe
4840	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
5332	assistant_installer.exe
5348	assistant_installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 3120	5068	firefox.exe	74
PID 5068 wrote to memory of 3120	5068	firefox.exe	74
PID 5068 wrote to memory of 3120	5068	firefox.exe	74
PID 5068 wrote to memory of 3120	5068	firefox.exe	74
PID 5068 wrote to memory of 3120	5068	firefox.exe	74
PID 5068 wrote to memory of 3120	5068	firefox.exe	74
PID 5068 wrote to memory of 3120	5068	firefox.exe	74
PID 5068 wrote to memory of 3120	5068	firefox.exe	74
PID 5068 wrote to memory of 3120	5068	firefox.exe	74
PID 5068 wrote to memory of 3120	5068	firefox.exe	74
PID 5068 wrote to memory of 3120	5068	firefox.exe	74
PID 3120 wrote to memory of 4960	3120	firefox.exe	75
PID 3120 wrote to memory of 4960	3120	firefox.exe	75
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 4692	3120	firefox.exe	76
PID 3120 wrote to memory of 5108	3120	firefox.exe	77
PID 3120 wrote to memory of 5108	3120	firefox.exe	77
PID 3120 wrote to memory of 5108	3120	firefox.exe	77

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\NOTEPAD.EXE C:\Users\Admin\AppData\Local\Temp\jmjkjkkj.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2272

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3120.0.916862274\1652718131" -parentBuildID 20221007134813 -prefsHandle 1672 -prefMapHandle 1656 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {925865be-ab11-4246-9097-df5b2899e93e} 3120 "\\.\pipe\gecko-crash-server-pipe.3120" 1764 278bd307558 gpu
    3⤵
    PID:4960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3120.1.1793976044\2099011365" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c02c99ba-2182-4625-ace5-f546650020f0} 3120 "\\.\pipe\gecko-crash-server-pipe.3120" 2120 278bbc3c558 socket
    3⤵
    PID:4692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3120.2.511596852\799186969" -childID 1 -isForBrowser -prefsHandle 2568 -prefMapHandle 2720 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e08ba98-feda-4f1d-b3fb-91d9ae0c0584} 3120 "\\.\pipe\gecko-crash-server-pipe.3120" 2864 278bc259e58 tab
    3⤵
    PID:5108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3120.3.1865080759\2126261569" -childID 2 -isForBrowser -prefsHandle 3400 -prefMapHandle 3396 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5db5d98d-9664-4b27-844e-179cdbee7218} 3120 "\\.\pipe\gecko-crash-server-pipe.3120" 3408 278a9c68758 tab
    3⤵
    PID:1440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3120.4.1356191378\947984271" -childID 3 -isForBrowser -prefsHandle 4368 -prefMapHandle 4260 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7de2d1a-59b0-412d-bbab-47a74c1ca986} 3120 "\\.\pipe\gecko-crash-server-pipe.3120" 4392 278c117f458 tab
    3⤵
    PID:2192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3120.5.1158851665\479488423" -childID 4 -isForBrowser -prefsHandle 4696 -prefMapHandle 4544 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {af664452-6e00-4adc-aab3-c2d9f965e5cb} 3120 "\\.\pipe\gecko-crash-server-pipe.3120" 4368 278c117f158 tab
    3⤵
    PID:344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3120.6.464363283\44746221" -childID 5 -isForBrowser -prefsHandle 5012 -prefMapHandle 5016 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {26f5b980-e373-4aff-95e6-d8db4c0d6370} 3120 "\\.\pipe\gecko-crash-server-pipe.3120" 5004 278c2718c58 tab
    3⤵
    PID:4812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3120.7.1556595367\899563469" -childID 6 -isForBrowser -prefsHandle 5208 -prefMapHandle 5212 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a40e84c1-9106-47b1-bbef-1fc31051a3b6} 3120 "\\.\pipe\gecko-crash-server-pipe.3120" 5200 278c2717458 tab
    3⤵
    PID:3896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3120.8.1567990688\337517101" -childID 7 -isForBrowser -prefsHandle 2980 -prefMapHandle 3068 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a25f56b-fa0a-4787-9275-94d37e1c010f} 3120 "\\.\pipe\gecko-crash-server-pipe.3120" 2612 278c1dc1858 tab
    3⤵
    PID:2156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3120.9.2107345467\685133225" -childID 8 -isForBrowser -prefsHandle 4884 -prefMapHandle 5392 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1272 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf0ec588-a8d2-4d70-8e74-0460cf4728ad} 3120 "\\.\pipe\gecko-crash-server-pipe.3120" 4976 278a9c63258 tab
    3⤵
    PID:2532
- - C:\Users\Admin\Downloads\File_001.exe
    "C:\Users\Admin\Downloads\File_001.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:984
  - - C:\Users\Admin\AppData\Local\setup-.exe
      C:\Users\Admin\AppData\Local\setup-.exe hhwnd=131660 hreturntoinstaller hextras=id:d8d090d10951db6-AU-error
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3584
    - - C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
        6⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2184" /fo csv
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\SysWOW64\find.exe
        
        find /I "2184"
        7⤵
        
        PID:5124
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        7⤵
        Delays execution with timeout.exe
        
        PID:5160
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2184" /fo csv
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5176
        
        C:\Windows\SysWOW64\find.exe
        
        find /I "2184"
        7⤵
        
        PID:5184
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        7⤵
        Delays execution with timeout.exe
        
        PID:5220
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2184" /fo csv
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5240
        
        C:\Windows\SysWOW64\find.exe
        
        find /I "2184"
        7⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        7⤵
        Delays execution with timeout.exe
        
        PID:5284
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
        5⤵
        
        PID:1200
      - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 3584" /fo csv
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3936
      - C:\Windows\SysWOW64\find.exe
        
        find /I "3584"
        6⤵
        
        PID:5088
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        6⤵
        Delays execution with timeout.exe
        
        PID:4840
  - - C:\Users\Admin\AppData\Local\setup-.exe
      C:\Users\Admin\AppData\Local\setup-.exe hready
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4728
  - - C:\Users\Admin\Downloads\Steam.exe
      "C:\Users\Admin\Downloads\Steam.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5384
  - - C:\Users\Admin\AppData\Local\OperaGX.exe
      C:\Users\Admin\AppData\Local\OperaGX.exe --silent --allusers=0
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5496
    - - C:\Users\Admin\AppData\Local\OperaGX.exe
        
        C:\Users\Admin\AppData\Local\OperaGX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.62 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2d4,0x70cc4208,0x70cc4214,0x70cc4220
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5536
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGX.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGX.exe" --version
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5632
    - - C:\Users\Admin\AppData\Local\OperaGX.exe
        
        "C:\Users\Admin\AppData\Local\OperaGX.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=5496 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240427221646" --session-guid=bc98d345-afbd-4e0a-9fe6-5d9df918b5a0 --server-tracking-blob=YmQ5NDkwNmU3OTkxNDE0ZjcxOTQ3YjczNzU4MjAzODUwNDllNzNkMjU3ZGVjYjYwNWY2NDEwZmMzMTU0ZTQ3Nzp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhX2d4In0sInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX1BCNV8zNTc1JnV0bV9pZD1mYzkwZjM4YjNmMjU0Yjg3OGM2NWJmNzMwZmM4ODY2MiZ1dG1fY29udGVudD0zNTc1X0ZpbGVETSIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxNDI1NjIwNS4yOTI2IiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0dCX1BCNV8zNTc1IiwiY29udGVudCI6IjM1NzVfRmlsZURNIiwiaWQiOiJmYzkwZjM4YjNmMjU0Yjg3OGM2NWJmNzMwZmM4ODY2MiIsIm1lZGl1bSI6InBhIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6ImE5MGQyOThmLWY1ZmEtNDJjYi05NmYwLTRkZGM0MDVlMDMxOCJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=B004000000000000
        5⤵
        Executes dropped EXE
        Enumerates connected drives
        Suspicious use of SetWindowsHookEx
        
        PID:5680
      - C:\Users\Admin\AppData\Local\OperaGX.exe
        
        C:\Users\Admin\AppData\Local\OperaGX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.62 --initial-client-data=0x2a0,0x2d4,0x2d8,0x2c4,0x2dc,0x700c4208,0x700c4214,0x700c4220
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5728
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404272216461\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404272216461\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4840
    - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404272216461\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404272216461\assistant\assistant_installer.exe" --version
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5332
      - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404272216461\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404272216461\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x268,0x26c,0x270,0x244,0x274,0x1514f48,0x1514f58,0x1514f64
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5348
  - - C:\Users\Admin\Downloads\Steam.exe
      "C:\Users\Admin\Downloads\Steam.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\D16D9D1FAB3C916BB625D3AB03BF425427876BA2

Filesize
39KB

MD5
7c936d15a9ad989711b1be906b67baf1

SHA1
a93560f7d5b860ae5df1b9043a3808f5f8e694f9

SHA256
e108d72ce79830c24c74f808255b1c6aa4ef2f49d8ee8867d3903b03cd83bd78

SHA512
0d60e43860e680f156f4aebc52df08bdc4a035af5971c01fdfae3d74ace942fe9cf6ef61045dde448d17669f4625f14b9b251db407a13ade22c7a4c875fc6184

Download Submit
C:\Users\Admin\AppData\Local\OperaGX.exe

Filesize
5.7MB

MD5
23220a453663b0ecf2450a813509b23e

SHA1
14fac8f38991881b0e5e874982e127652b5ae6c3

SHA256
338127a98bff69c2fbf3b69712c0a62cd52d9829c213292dfb027515e5d2ca92

SHA512
500eb3ed6d827c5fafcd0a2cc90a2917a20656911c87af615c7fdd573d00b7af2b55a1168d1363b9914068191462b10ed03719f7acc9f67fa5a380905fe34dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404272216461\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202404272216461\opera_package

Filesize
136.1MB

MD5
6657e5a4abb7716d45335190ad105697

SHA1
eb91bc6cac6baa5c9c0828a7240bde2e6cd39dc1

SHA256
ccdd3f26f1f3c6867a3025699536588959d3655a1a02bcf38c0513e54c2975d2

SHA512
710de1bef7dd97f7d8e08f189be4167ac703916eeac5600eb91f5b43ce2aebe451819a42b22e6cedd473b8eceb13518ed650f4a0319579eba4e4cf8c0e26dfad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2404272216468235536.dll

Filesize
5.2MB

MD5
d9381da82bb61f1c9a062efc9cd97ad1

SHA1
5735dd07793e53d0a03e71460f28758e4d723044

SHA256
9d3843246ca4774fcefe7c55fa90018c661a0e54c6f92f9d24aebfa07124b519

SHA512
bba0b159e90ea1eec4e2f1798500e6ca482a0b583142b11da530fb86a3fdee2fd9a17b7ba020d3ab2a49cc0a603e29533b811246c345c996ae753b16671dfd91

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll

Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll

Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis

Filesize
291B

MD5
bf5328e51e8ab1211c509b5a65ab9972

SHA1
480dfb920e926d81bce67113576781815fbd1ea4

SHA256
98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b

SHA512
92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico

Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3020.tmp\modern-header.bmp

Filesize
25KB

MD5
da3486d12bb4c8aec16bd9e0d363d23f

SHA1
863244a4845c9d5dea8dd36e1083f5639e1224e1

SHA256
d93b76d51bd2214fa6e999c1bf70b4aff5165a6542f9b9b2a92b5672601f4624

SHA512
8e40adb65a4ad46f3bc5920d7fd8294397268e754b1eb00d4f7b0883be6468448033d9a46cf3a00fccddb4a7c81e7f984cf5a25731532c1aeface69573dfe59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3020.tmp\nsProcess.dll

Filesize
15KB

MD5
08072dc900ca0626e8c079b2c5bcfcf3

SHA1
35f2bfa0b1b2a65b9475fb91af31f7b02aee4e37

SHA256
bb6ce83ddaad4f530a66a1048fac868dfc3b86f5e7b8e240d84d1633e385aee8

SHA512
8981da7f225eb78c414e9fb3c63af0c4daae4a78b4f3033df11cce43c3a22fdbf3853425fe3024f68c73d57ffb128cba4d0db63eda1402212d1c7e0ac022353c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq1F38.tmp\System.dll

Filesize
22KB

MD5
a36fbe922ffac9cd85a845d7a813f391

SHA1
f656a613a723cc1b449034d73551b4fcdf0dcf1a

SHA256
fa367ae36bfbe7c989c24c7abbb13482fc20bc35e7812dc377aa1c281ee14cc0

SHA512
1d1b95a285536ddc2a89a9b3be4bb5151b1d4c018ea8e521de838498f62e8f29bb7b3b0250df73e327e8e65e2c80b4a2d9a781276bf2a51d10e7099bacb2e50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq1F38.tmp\modern-wizard.bmp

Filesize
150KB

MD5
3614a4be6b610f1daf6c801574f161fe

SHA1
6edee98c0084a94caa1fe0124b4c19f42b4e7de6

SHA256
16e0edc9f47e6e95a9bcad15adbdc46be774fbcd045dd526fc16fc38fdc8d49b

SHA512
06e0eff28dfd9a428b31147b242f989ce3e92474a3f391ba62ac8d0d05f1a48f4cf82fd27171658acbd667eaffb94cb4e1baf17040dc3b6e8b27f39b843ca281

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsq1F38.tmp\nsDialogs.dll

Filesize
20KB

MD5
4e5bc4458afa770636f2806ee0a1e999

SHA1
76dcc64af867526f776ab9225e7f4fe076487765

SHA256
91a484dc79be64dd11bf5acb62c893e57505fcd8809483aa92b04f10d81f9de0

SHA512
b6f529073a943bddbcb30a57d62216c78fcc9a09424b51ac0824ebfb9cac6cae4211bda26522d6923bd228f244ed8c41656c38284c71867f65d425727dd70162

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Local\setup-.exe

Filesize
3.8MB

MD5
29d3a70cec060614e1691e64162a6c1e

SHA1
ce4daf2b1d39a1a881635b393450e435bfb7f7d1

SHA256
cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72

SHA512
69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
10KB

MD5
fa47c431b2de64e67b085939aefc884d

SHA1
6f971ace04147bbd28b33e5e8a883a9b64f9c8d6

SHA256
9f5632a9e33836a3a3386029ad63159c9dea37b1f446a8be7ea58b543e7c72df

SHA512
cd6b3637be090ae04ac1d7016b6339ae5bb1ae0de7af6498523ddd7aba2b53ea5d9ea6a52825cc6156758f8f361a4fef568f6c351761af914b3268a6523159c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\SiteSecurityServiceState.txt

Filesize
372B

MD5
91205ecbcb8acf728e1df00b2c0cbc7c

SHA1
f3fdac75e2ddc3ceec2208c83d0ee1d96f399ddd

SHA256
b6f75112705c1037afdcb0a651f63ee1ef7cde5abf699cfaa10127b9686e5ebf

SHA512
f3a037f80b370ccb34224ce08c11201d34cb536973f6e3222ccc27de5c2d30bd17141c6ca288126618bfcfd753b441b932f334db4c850da851a898d26e28c339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\bookmarkbackups\bookmarks-2024-04-27_11_ScpUM-Ibb5LR1l4-7-Og+g==.jsonlz4

Filesize
950B

MD5
708d579bb783ed9e58c4e87173aa5028

SHA1
54dcdeb367c15a06aa620df1559de185668992a5

SHA256
3f7fa0f3a61236b17951ef95bd63347281c40abbbcce937e8fc787d31c8faa28

SHA512
1c7f8b921e5f32d67b1150e24092ab800ca4939993832cc46f43638bdcce380da1e74b44aa2f368a74e5ae29b76ca1e3a20b837517a4f0464b7af53098772e95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
087686e7b9dfdfc0fec33efadd9cfcf5

SHA1
62561b96283fd0a47d0b117f326a79679880aab9

SHA256
7df430c6b1e71bf6c9bb49162c2a5025934e54a7f0336af42b89f03ebf6667ea

SHA512
d9901564bdef28161ee85e71378d78648c2869913cf371d89df3acc3bbc951c1ca76c242127ff7003c21fc7283bb5e098b7ce36429ad6961299db5bf4216ebe9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\7d902ad0-6fec-4041-bce0-c25ca4af9ff4

Filesize
10KB

MD5
e04a031d28540f8270264b239ddbe114

SHA1
7cd09040a74b92e9be27558dc3b0f3269e1fea0c

SHA256
022b5b07de6c8a9a5dd9988d63fdce971c8a18bdca2be089bae7909083dd9816

SHA512
f570bc1219544b2cd4b5e4227419f3cf7b450e71fb0c6b5fb434010d48a35fa62cb6c0da5587a5362b30612e64191363d8279ce074aba36ddf228bc498ba3893

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\ec5367df-e888-4bbc-a0e0-31886af1e443

Filesize
746B

MD5
a38f2065514ba481e34b0bf2f0d40d40

SHA1
c2f473b15101a856cd88ed891b9db5f31ffd69b9

SHA256
3ec08fdd2405e29b659e2dc186ed4dd2add15ee6586bba94fbd86d0091a0cab2

SHA512
91d6fa3a34f9513fe767d86c43508d32c3ee4b797d0db47b22f28313f7a6f6f8df5306579e7a875920f5dbd777b3163bfe407bb93d4cba06b8928cd051370ede

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
7KB

MD5
0adc25cd5000128ac016961cd5bb31dc

SHA1
1dd421f0489656cbae0c1a878058807b3b514085

SHA256
7eaffe44588a948605a3ca0638820149cd9021fbdb490554898abfd5f6039f55

SHA512
fbc3f7e5f4e1fa6788ed9b76924acd3ad03c887fef1598df610430d15489a4577176e6849c0a24a870c0a60ffce810810cf598a64db0e837f5387bcdf59e701c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
b74dafa425c999770d969e8bb1ea88bd

SHA1
bbaac9270347d4e070923453d897042ff7717d63

SHA256
a95220f41cb4aa1508fae70f5a9891ce83a9e47a9a20a2ce011a5286a94b3367

SHA512
a86b48656a547520a9fddf7665c96cd9b729dc399f427f9f2975b6c781e86335a2163b1d0265c52a7d05cb181c8630099866230fb47b23200a01a9ee401835c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
7KB

MD5
3b7347a94dbf1bbbd085011f3d3bcb5b

SHA1
a400d3ae6ef8f20b5efd925a770a23d2f94a7356

SHA256
8ac947e5ac2612ec4ad45e5edd6e1b1fa7aef62333bb820261c7d091e192dbae

SHA512
e4dbcf765c632c6aa20570e14215967a27aa015303f8704022826f87cfc8ab662d505b965de2e68b268b883718abbf9aa904936635b66dd805fd4ca8ea8d9892

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
d7185df64fe725baedb5e2a9a29d4fed

SHA1
d58d0b54634c7ea8fb82b80e8dcf49a879e99076

SHA256
8ea7f47eaa00c52b66649e0676158bb821281e5896e127c657360e365fda3b7f

SHA512
b10925e4cc6c5a3e0a0bb63a0570f759f97656acd8a3d356dc4b61915e3db9fe2211cb8a1d1f099c57e5cc253cae2a24ce8d329a23817fdcd17fd7841389ea39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
8ca56a3de6913adbff8b7e2a59750c50

SHA1
031565047cbbe5e4ccd2a4dc3d4232468333f0dd

SHA256
d983f07e977ba5fb628406f0280a0b7c587a720cd99e660bdaeaaed788d21c8d

SHA512
ceb3281277725ee002a394720d8fe84a2ca0fc57e1b43e4bddb69545e71b2769a9c96d17eafa00a477cbf63ded134298c48cf7512596793c23855a05fb7cb00d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
111KB

MD5
f37f082add739c586d881c0bbd166226

SHA1
5390451512668aeb43fab6a4036b9dfd6e68d9e3

SHA256
0b0031b29ce6424ec29df9f63a9dcfab99f831b527328837d825ca8dcd9ef3ec

SHA512
c0907ba5d6d09e247ef542ee10efdf8f223cf98532554de1e52e29cb2a4c22e78837308be9f4044a99c7c80d12144bd0026266fd769428c87abedc9f830d2816

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
7e209ff1c45d385d1c864f914ff68145

SHA1
0ea7151138c625a127f3713beb9983124ac90715

SHA256
5e1a681892e16364224d59b7cbdf245c28016bd97140275c70a5b73623521410

SHA512
cddb695c2b82405a504be3d65113a1bf72ad0bdf05ec233040593df9c6171bd07d8be54a77dd84104dde14622dd5c125901c5748aaa2583d1a9550443c43596d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6d376510eaabbe7cae0475e829f45178

SHA1
01ec67d2740a4b4536a7bd74497313f06c1d713c

SHA256
34646e461c90e2e755d3b267630b12136c3f100fc50003c37cb274b10e183513

SHA512
67c802d4e12c43b90bdb2c0edcfb41caf66af501143993a94bc1d31bd3543f561a9b3c221033abf3c99227d12be35e55a04ad33625b3f6d8cf3f79acbf89d422

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
a7bcdabbfb0a5a20de85e44000fb8905

SHA1
8798c5c0c1160458c4cf8e5f19da25cd9d8d3565

SHA256
d393bf8ab4015274e8baa02c6bdfc90176ea4d5f9abada788084eb89baddc2fd

SHA512
41cf33dd0da533170357a2f173838c1867bf03b789a8f0c3714b3f6a92a00398d1c86a22ec02d6122c6a4d835957413f9e1b6871b832a5caba974c9f06812afa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
727c8c612071cd02e8f0ebe989a9b3b3

SHA1
30919a6caf9cfea1663d63aa89d03f5014e24d47

SHA256
ac1a40a526118a07c7bf3834cda9b71deff874398ecec15f40f47423c78357f5

SHA512
f1b75113b4943805b5b9cccdb10f5169bb09525238d4b3e4f13d0ad51d894fe8c105c73946b53145a9cf5789290e70eb3489420ea58c797b149e95d05714776c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
15ef078a4858a3f1c825a0d638732e53

SHA1
33bf1c21035299e4f6ed1d241154e4f0f8a2dde2

SHA256
ca5a48dd1ed01c8987696bbbd7ad41dc7e8b47bf96d486e251a5483f2ab2e82c

SHA512
c96194328ac14eb8504f70d07a1f47702526fd3d164269a2c8c71ce4de303a348541242a461712a58fbcba0ddf8b0b43810e2b8a17a8aa3f285045177e31a444

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\targeting.snapshot.json

Filesize
3KB

MD5
2ba963ee31bde68fd5d32b63a4ebb14b

SHA1
0a047fec7dcead84f15adffd229015b8c5d26c63

SHA256
0cc6f3a6a26190324d6a1ba76bd884fbefb0ae546824951aecfdab9c3dae5f9e

SHA512
c830b4b443a6ce1c9f22a33c919ff4665412401a34e91246c7b3fe937f6e76f916b119e78b931f39215adce00d9cdd3ff5ba4d99444714fa0d9c640827aa49bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\xulstore.json

Filesize
141B

MD5
1995825c748914809df775643764920f

SHA1
55c55d77bb712d2d831996344f0a1b3e0b7ff98a

SHA256
87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776

SHA512
c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c

Download Submit
C:\Users\Admin\Downloads\File_001.IVHosoO4.exe.part

Filesize
5KB

MD5
1fa8b7481443e8ea5cf5fcae6b298cf3

SHA1
fa1ea38fa178ed58e3530e5e0806aacaaa9946a7

SHA256
3515e5afda9af0dd902d2c18731d4cf450ac50f1263c7f988997d80d0c386150

SHA512
c61e31bcf3e967d18d7f6f4cd4a4220b4d38baeddb58f125088aa6d3c5a67fdb43995f4b7896a93625319d7d6e4b11820e9904bf98d3b0f67e66eda76f52c2a8

Download Submit
C:\Users\Admin\Downloads\File_001.exe

Filesize
9.5MB

MD5
1198daaa23f0af650c7cd4555fbef9e8

SHA1
783f86460785027a41a84e41b42a05b4d4a1a462

SHA256
25c846183e10bd2a146325effecddbabf0f390717fd11d597012a033e6daf600

SHA512
1a67d52794c2047936fc4814b70dd6474837b90df7a8b5653eb8a09cf98d4df2c93fb07451a29254e2e161e9e3f0c3f87e9f5e1252a2c89f2b7f95537e80227d

Download Submit
C:\Users\Admin\Downloads\Steam.exe

Filesize
2.3MB

MD5
b1f4bc644f535c745341de0303631d9c

SHA1
8d66e30416004cc2e98334a276c181ae1e67be55

SHA256
5d8d697707c89466cfe203bde7e242680d020646bd5e49edaabd67fc6a7d6321

SHA512
e3fc8eed9061dd8c555a26c29436c7c5218c6409096e37d11b34edcab448d5c3e9f7dff5e5c5ab2a0e3ee96da666b3be7f2b3f028fc122f35f74c51518aa0d44

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
5.7MB

MD5
38cc1b5c2a4c510b8d4930a3821d7e0b

SHA1
f06d1d695012ace0aef7a45e340b70981ca023ba

SHA256
c2ba8645c5c9507d422961ceaeaf422adf6d378c2a7c02199ed760fb37a727f2

SHA512
99170f8094f61109d08a6e7cf25e7fba49160b0009277d10e9f0b9dac6f022e7a52e3d822e9aee3f736c2d285c4c3f62a2e6eb3e70f827ac6e8b867eea77f298

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll

Filesize
5.6MB

MD5
b431083586e39d018e19880ad1a5ce8f

SHA1
3bbf957ab534d845d485a8698accc0a40b63cedd

SHA256
b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

SHA512
7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
memory/2184-500-0x0000000000110000-0x000000000011C000-memory.dmp

Filesize
48KB

Download
memory/3584-264-0x0000000005990000-0x00000000059B8000-memory.dmp

Filesize
160KB

Download
memory/3584-425-0x0000000008710000-0x000000000873E000-memory.dmp

Filesize
184KB

Download
memory/3584-412-0x0000000007230000-0x00000000072C2000-memory.dmp

Filesize
584KB

Download
memory/3584-396-0x0000000007FB0000-0x0000000008564000-memory.dmp

Filesize
5.7MB

Download
memory/3584-390-0x00000000074F0000-0x00000000079EE000-memory.dmp

Filesize
5.0MB

Download
memory/3584-387-0x0000000006FD0000-0x0000000006FDC000-memory.dmp

Filesize
48KB

Download
memory/3584-381-0x0000000006B00000-0x0000000006E50000-memory.dmp

Filesize
3.3MB

Download
memory/3584-380-0x0000000006AD0000-0x0000000006AF2000-memory.dmp

Filesize
136KB

Download
memory/3584-379-0x00000000069C0000-0x00000000069CA000-memory.dmp

Filesize
40KB

Download
memory/3584-374-0x0000000006A40000-0x0000000006ACC000-memory.dmp

Filesize
560KB

Download
memory/3584-355-0x0000000006210000-0x0000000006222000-memory.dmp

Filesize
72KB

Download
memory/3584-338-0x0000000005B30000-0x0000000005B4D000-memory.dmp

Filesize
116KB

Download
memory/3584-288-0x0000000005A90000-0x0000000005AC2000-memory.dmp

Filesize
200KB

Download
memory/3584-304-0x0000000005B00000-0x0000000005B24000-memory.dmp

Filesize
144KB

Download
memory/3584-328-0x0000000005BA0000-0x0000000005BCC000-memory.dmp

Filesize
176KB

Download
memory/3584-320-0x0000000005B50000-0x0000000005B58000-memory.dmp

Filesize
32KB

Download
memory/3584-312-0x0000000005A80000-0x0000000005A8A000-memory.dmp

Filesize
40KB

Download
memory/3584-296-0x0000000005A50000-0x0000000005A6A000-memory.dmp

Filesize
104KB

Download
memory/3584-280-0x0000000005A20000-0x0000000005A48000-memory.dmp

Filesize
160KB

Download
memory/3584-272-0x00000000059C0000-0x00000000059EE000-memory.dmp

Filesize
184KB

Download
memory/3584-256-0x0000000005960000-0x0000000005984000-memory.dmp

Filesize
144KB

Download
memory/3584-248-0x0000000005810000-0x0000000005824000-memory.dmp

Filesize
80KB

Download
memory/3584-226-0x0000000000AF0000-0x0000000000EC8000-memory.dmp

Filesize
3.8MB

Download