Analysis Overview
SHA256
76eee256f1223082e8396611baca498542c656edd0fac5fe903e06e6cb5677e2
Threat Level: Shows suspicious behavior
The file Vega X Windows_31929942.exe was classified as "Shows suspicious behavior".
Malicious Activity Summary
Checks for any installed AV software in registry
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Delays execution with timeout.exe
NTFS ADS
Enumerates processes with tasklist
Modifies system certificate store
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Modifies registry class
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 23:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 23:02
Reported
2024-06-13 23:05
Platform
win10-20240611-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVG\AV | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
Checks installed software on the system
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe | N/A |
Loads dropped DLL
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\Vega X Windows_31929942.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable | C:\Users\Admin\AppData\Local\Temp\Vega X Windows_31929942.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Vega X Windows_31929942.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4 | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6 | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d090000000100000042000000304006082b06010505070302060a2b0601040182370a030c060a2b0601040182370a030406082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000000687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd67707390b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b660537f000000010000000e000000300c060a2b0601040182370a03047e000000010000000800000000c001b39667d60168000000010000000800000000409120d035d901030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
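The Blob values in this table use the serialized certificate-context layout that CryptoAPI writes to the registry: a sequence of properties, each a little-endian DWORD property ID, a DWORD reserved field equal to 1, a DWORD length and the data, with property 32 (CERT_CERT_PROP_ID) holding the DER certificate and the others carrying cached hashes and the friendly name. The two entries here decode to the public roots "Entrust Root Certification Authority - G2" (friendly name Entrust.net) and "DST Root CA X3", whose subject strings are readable in the hex. Windows fetches such roots through AuthRoot automatic update the first time a chain needs them, so on its own this signature is consistent with the installer's TLS connections rather than with an attacker-planted root. What a practitioner should verify is that the certificate inside each blob really hashes to the key name. The Python below is an added example, not code from the report or from the installer: it parses the property list and checks the embedded certificate against the key-name thumbprint and the stored hash properties. The property-ID constants are the wincrypt.h values; the sample blob and its "certificate" bytes are constructed for the test, and the real Blob hex from the table can be passed to check_authroot_entry in their place.

```python
import hashlib
import struct

# Property IDs from wincrypt.h that occur in the AuthRoot Blob values above.
CERT_SHA1_HASH_PROP_ID = 3
CERT_ENHKEY_USAGE_PROP_ID = 9
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_SIGNATURE_HASH_PROP_ID = 15
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32
CERT_AUTH_ROOT_SHA256_HASH_PROP_ID = 98


def parse_cert_blob(blob: bytes) -> dict:
    """Split a serialized certificate context (a registry Blob value) into its
    properties.  Each entry is DWORD propid, DWORD reserved (must be 1),
    DWORD length, then `length` bytes of data; all fields little-endian."""
    props = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"bad reserved field {reserved} at offset {off}")
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id} runs past end of blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def build_cert_blob(props) -> bytes:
    """Inverse of parse_cert_blob; used here only to construct sample input."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data
                    for pid, data in props)


def check_authroot_entry(key_thumbprint: str, blob_hex: str) -> dict:
    """Extract the DER certificate from a Blob and confirm that it hashes to
    the thumbprint used as the registry key name and to the cached SHA-1 and
    SHA-256 properties.  A mismatch means the entry is not what its key name
    claims: a certificate smuggled in under a well-known root's thumbprint."""
    props = parse_cert_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    sha1 = hashlib.sha1(der).hexdigest()
    sha256 = hashlib.sha256(der).hexdigest()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"")  # UTF-16LE, NUL-terminated
    return {
        "friendly_name": name.decode("utf-16-le").rstrip("\x00"),
        "der_length": len(der),
        "sha1": sha1,
        "sha256": sha256,
        "key_name_matches": sha1 == key_thumbprint.lower(),
        "sha1_prop_matches": props.get(CERT_SHA1_HASH_PROP_ID, b"").hex() == sha1,
        "sha256_prop_matches": props.get(CERT_AUTH_ROOT_SHA256_HASH_PROP_ID, b"").hex() == sha256,
    }


# Constructed sample: a stand-in "certificate" (not real DER) wrapped in the
# same property layout as the two AuthRoot blobs above.
SAMPLE_DER = b"\x30\x82\x00\x20" + bytes(range(32))
SAMPLE_BLOB = build_cert_blob([
    (CERT_FRIENDLY_NAME_PROP_ID, "Example Root CA\x00".encode("utf-16-le")),
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(SAMPLE_DER).digest()),
    (CERT_AUTH_ROOT_SHA256_HASH_PROP_ID, hashlib.sha256(SAMPLE_DER).digest()),
    (CERT_CERT_PROP_ID, SAMPLE_DER),
])
SAMPLE_KEY = hashlib.sha1(SAMPLE_DER).hexdigest().upper()  # the registry key name

if __name__ == "__main__":
    print(check_authroot_entry(SAMPLE_KEY, SAMPLE_BLOB.hex()))
```

To apply this to the report, pass the key name (e.g. 8CF427FD790C3AD166068DE81E57EFBB932272D4) and the Blob hex as the two arguments; every flag should be True and the friendly name should read Entrust.net. An entry where key_name_matches is False deserves a full look at the DER (subject, validity, key usage), because nothing in the Blob format stops a writer from storing any certificate under any thumbprint.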
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Vega X Windows.txt:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\NOTEPAD.EXE | N/A |
Note: the files opened are C:\Users\Admin\AppData\Local\link.txt and C:\Users\Admin\Downloads\Vega X Windows.txt (see Processes); no file encryption or ransom text is recorded in this run, so the ransom-note heuristic is not corroborated.
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vega X Windows_31929942.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Vega X Windows_31929942.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\setup31929942.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Vega X Windows_31929942.exe
"C:\Users\Admin\AppData\Local\Temp\Vega X Windows_31929942.exe"
C:\Users\Admin\AppData\Local\setup31929942.exe
C:\Users\Admin\AppData\Local\setup31929942.exe hhwnd=786550 hreturntoinstaller hextras=id:d8d090d10951db6-AU-gr7xh
C:\Users\Admin\AppData\Local\setup31929942.exe
C:\Users\Admin\AppData\Local\setup31929942.exe hready
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 2092" /fo csv
C:\Windows\SysWOW64\find.exe
find /I "2092"
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 4452" /fo csv
C:\Windows\SysWOW64\find.exe
find /I "4452"
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 4452" /fo csv
C:\Windows\SysWOW64\find.exe
find /I "4452"
C:\Windows\SysWOW64\timeout.exe
timeout 1
C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 4452" /fo csv
C:\Windows\SysWOW64\find.exe
find /I "4452"
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.0.995220071\1936159598" -parentBuildID 20221007134813 -prefsHandle 1720 -prefMapHandle 1712 -prefsLen 20845 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d17951b5-3ecf-4ce6-8ebb-b5092bf83f74} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 1796 1c30c8d9a58 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.1.1845226701\1046414856" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20926 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46e5e456-bd65-4632-a952-dffea765b622} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 2152 1c30156b858 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.2.898989352\2010817861" -childID 1 -isForBrowser -prefsHandle 2712 -prefMapHandle 2740 -prefsLen 21029 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa206c80-ffec-4b7a-941a-91e34bb29ca5} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 2768 1c30c85a358 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.3.1546994663\1897173822" -childID 2 -isForBrowser -prefsHandle 3476 -prefMapHandle 3468 -prefsLen 26214 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9117d78-37ea-4f10-a404-ed98eeecc509} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 3484 1c30f121158 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.4.1879912621\390224184" -childID 3 -isForBrowser -prefsHandle 3800 -prefMapHandle 3796 -prefsLen 26349 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a9d36eb-ab54-4bae-a467-d8b2c4670804} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 3808 1c311dcb258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.5.1172377067\2057117567" -childID 4 -isForBrowser -prefsHandle 4956 -prefMapHandle 4952 -prefsLen 26433 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {de655a1a-c86f-433c-81ef-f66a1ccfda6f} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 4968 1c3109dab58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.6.1873200668\1538495021" -childID 5 -isForBrowser -prefsHandle 4988 -prefMapHandle 4984 -prefsLen 26433 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5fc36436-53a2-46fd-b022-1af898dd0e9e} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 5112 1c312e78258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.7.1373939822\1176576150" -childID 6 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 26433 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72061f33-5621-4490-b2e6-8443b1b1dade} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 5292 1c312e75558 tab
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Vega X Windows.txt
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2196.8.1512390733\555791121" -childID 7 -isForBrowser -prefsHandle 3524 -prefMapHandle 4408 -prefsLen 26913 -prefMapSize 233444 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {83fb9f95-cdb1-4be9-8eed-ab7c31338b76} 2196 "\\.\pipe\gecko-crash-server-pipe.2196" 2644 1c314ba0958 tab
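The H2OCleanup.bat chain above (tasklist /FI "PID eq N" /fo csv piped into find /I "N", then timeout, repeated) is the standard batch idiom for waiting until a given process has exited, here once for PID 2092 and three times for PID 4452, and it is usually followed by deleting that process's files. The Python below is an added example, not code from the report, that reconstructs such loops from a process list and reports which PID each script waits on, how often it polled, how long it slept, and whether that PID is the script's own ancestor (the script waiting for its launcher to die). The PIDs, parent PIDs and parent/child links in the sample are assumed for illustration, since the report shows only command lines.

```python
import re
from collections import defaultdict

TASKLIST_PID = re.compile(r'tasklist\s+/FI\s+"PID\s+eq\s+(\d+)"', re.IGNORECASE)
FIND_PID = re.compile(r'find\s+/I\s+"(\d+)"', re.IGNORECASE)
TIMEOUT_SECS = re.compile(r'\btimeout\s+(?:/t\s+)?(\d+)', re.IGNORECASE)
BAT_SCRIPT = re.compile(r'cmd\.exe\s+/c\s+"*([^"]+\.bat)"*', re.IGNORECASE)


def find_pid_wait_loops(processes):
    """Flag batch scripts that poll a PID with tasklist/find and sleep with
    timeout between polls.  For each (script, watched PID) pair report the
    poll count, total sleep, the watched image, whether find.exe filtered on
    the same PID, and whether the watched PID is an ancestor of the script."""
    by_pid = {p["pid"]: p for p in processes}
    children = defaultdict(list)
    for p in processes:
        children[p["ppid"]].append(p)

    def is_ancestor(candidate, pid):
        seen = set()
        while pid in by_pid and pid not in seen:
            seen.add(pid)
            pid = by_pid[pid]["ppid"]
            if pid == candidate:
                return True
        return False

    findings = []
    for script in processes:
        m = BAT_SCRIPT.search(script["cmdline"])
        if not m:
            continue
        polls, filtered, sleep = defaultdict(int), set(), 0
        for child in children[script["pid"]]:
            cmd = child["cmdline"]
            if (t := TASKLIST_PID.search(cmd)):
                polls[int(t.group(1))] += 1
            elif (f := FIND_PID.search(cmd)):
                filtered.add(int(f.group(1)))
            elif (s := TIMEOUT_SECS.search(cmd)):
                sleep += int(s.group(1))
        for watched, count in polls.items():
            findings.append({
                "script": m.group(1),
                "script_pid": script["pid"],
                "watched_pid": watched,
                "watched_image": by_pid.get(watched, {}).get("image"),
                "polls": count,
                "find_filtered": watched in filtered,
                "sleep_seconds": sleep,
                "waits_for_ancestor": is_ancestor(watched, script["pid"]),
            })
    return findings


# Constructed sample modelled on the Processes list above.  pids/ppids are
# assumed; the report does not show a parent/child tree.
SAMPLE_PROCESSES = [
    {"pid": 2092, "ppid": 1000, "image": r"C:\Users\Admin\AppData\Local\setup31929942.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\setup31929942.exe hready"},
    {"pid": 4452, "ppid": 2092,
     "image": r"C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"'},
    {"pid": 3100, "ppid": 2092, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""'},
    {"pid": 3104, "ppid": 3100, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": 'tasklist /FI "PID eq 2092" /fo csv'},
    {"pid": 3108, "ppid": 3100, "image": r"C:\Windows\SysWOW64\find.exe", "cmdline": 'find /I "2092"'},
    {"pid": 3112, "ppid": 3100, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": "timeout 5"},
    {"pid": 3200, "ppid": 4452, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""'},
]
# Three poll rounds for PID 4452 sleeping 1, 1 and 5 seconds, as in the report.
for i, secs in enumerate((1, 1, 5)):
    base = 3210 + 10 * i
    SAMPLE_PROCESSES += [
        {"pid": base, "ppid": 3200, "image": r"C:\Windows\SysWOW64\tasklist.exe", "cmdline": 'tasklist /FI "PID eq 4452" /fo csv'},
        {"pid": base + 1, "ppid": 3200, "image": r"C:\Windows\SysWOW64\find.exe", "cmdline": 'find /I "4452"'},
        {"pid": base + 2, "ppid": 3200, "image": r"C:\Windows\SysWOW64\timeout.exe", "cmdline": f"timeout {secs}"},
    ]

if __name__ == "__main__":
    for loop in find_pid_wait_loops(SAMPLE_PROCESSES):
        print(loop)
```

The same function works on EDR process-creation records as long as each has pid, ppid, image and cmdline; the waits_for_ancestor flag is the one worth alerting on, because a script that polls until its own parent has exited is almost always about to delete or replace that parent's files.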
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.dlsft.com | udp |
| US | 35.190.60.70:443 | www.dlsft.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 172.217.169.67:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 172.217.169.67:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 70.60.190.35.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dlsft.com | udp |
| US | 35.190.60.70:443 | dlsft.com | tcp |
| US | 35.190.60.70:443 | dlsft.com | tcp |
| US | 8.8.8.8:53 | filedm.com | udp |
| US | 104.21.60.113:443 | filedm.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 104.90.25.32:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 113.60.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.25.90.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.26.90.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | flow.lavasoft.com | udp |
| US | 104.16.149.130:443 | flow.lavasoft.com | tcp |
| US | 8.8.8.8:53 | sos.adaware.com | udp |
| US | 104.16.212.94:443 | sos.adaware.com | tcp |
| US | 8.8.8.8:53 | 130.149.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 94.212.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | package.avira.com | udp |
| GB | 2.21.189.166:443 | package.avira.com | tcp |
| US | 8.8.8.8:53 | webcf.quickdriverupdater.com | udp |
| US | 104.16.212.94:443 | sos.adaware.com | tcp |
| US | 3.165.113.21:443 | webcf.quickdriverupdater.com | tcp |
| US | 8.8.8.8:53 | download2021.pdf-suite.com | udp |
| US | 172.67.158.191:443 | download2021.pdf-suite.com | tcp |
| US | 8.8.8.8:53 | 166.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.113.165.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | download20.pdf-suite.com | udp |
| CA | 198.72.111.246:443 | download20.pdf-suite.com | tcp |
| US | 8.8.8.8:53 | www.freevpn.win | udp |
| US | 8.8.8.8:53 | 191.158.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.111.72.198.in-addr.arpa | udp |
| US | 172.67.141.75:443 | www.freevpn.win | tcp |
| US | 8.8.8.8:53 | download.enigmasoftware.com | udp |
| US | 18.245.175.120:443 | download.enigmasoftware.com | tcp |
| US | 8.8.8.8:53 | spyhunter-download-v2.b-cdn.net | udp |
| GB | 143.244.38.136:443 | spyhunter-download-v2.b-cdn.net | tcp |
| US | 8.8.8.8:53 | net.geo.opera.com | udp |
| NL | 185.26.182.112:443 | net.geo.opera.com | tcp |
| US | 8.8.8.8:53 | 75.141.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 120.175.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.38.244.143.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.182.26.185.in-addr.arpa | udp |
| US | 104.16.149.130:443 | flow.lavasoft.com | tcp |
| N/A | 127.0.0.1:50108 | | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | spocs.getpocket.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 34.117.188.166:443 | spocs.getpocket.com | tcp |
| US | 44.237.65.238:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | prod.ads.prod.webservices.mozgcp.net | udp |
| US | 34.149.100.209:443 | prod.remote-settings.prod.webservices.mozgcp.net | tcp |
| US | 8.8.8.8:53 | getpocket.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | firefox-settings-attachments.cdn.mozilla.net | udp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.120.5.221:443 | prod.pocket.prod.cloudops.mozgcp.net | tcp |
| US | 8.8.8.8:53 | prod.pocket.prod.cloudops.mozgcp.net | udp |
| US | 34.117.121.53:443 | firefox-settings-attachments.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | attachments.prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 238.65.237.44.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.121.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a.directfiledl.com | udp |
| DE | 167.235.218.62:80 | a.directfiledl.com | tcp |
| DE | 167.235.218.62:80 | a.directfiledl.com | tcp |
| US | 8.8.8.8:53 | a.directfiledl.com | udp |
| US | 8.8.8.8:53 | a.directfiledl.com | udp |
| US | 8.8.8.8:53 | 62.218.235.167.in-addr.arpa | udp |
| N/A | 127.0.0.1:50115 | | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | udp |
Files
C:\Users\Admin\AppData\Local\setup31929942.exe
| MD5 | 29d3a70cec060614e1691e64162a6c1e |
| SHA1 | ce4daf2b1d39a1a881635b393450e435bfb7f7d1 |
| SHA256 | cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72 |
| SHA512 | 69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b |
memory/2092-17-0x0000000071ACE000-0x0000000071ACF000-memory.dmp
memory/2092-18-0x00000000005E0000-0x00000000009B8000-memory.dmp
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll
| MD5 | 72990c7e32ee6c811ea3d2ea64523234 |
| SHA1 | a7fcbf83ec6eefb2235d40f51d0d6172d364b822 |
| SHA256 | e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3 |
| SHA512 | 2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682 |
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll
| MD5 | 1a84957b6e681fca057160cd04e26b27 |
| SHA1 | 8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe |
| SHA256 | 9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5 |
| SHA512 | 5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa |
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll
| MD5 | 8ff1898897f3f4391803c7253366a87b |
| SHA1 | 9bdbeed8f75a892b6b630ef9e634667f4c620fa0 |
| SHA256 | 51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad |
| SHA512 | cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03 |
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll
| MD5 | 6e001f8d0ee4f09a6673a9e8168836b6 |
| SHA1 | 334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38 |
| SHA256 | 6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859 |
| SHA512 | 0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6 |
memory/2092-37-0x00000000051C0000-0x00000000051D4000-memory.dmp
memory/2092-40-0x0000000071AC0000-0x00000000721AE000-memory.dmp
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll
| MD5 | 08112f27dcd8f1d779231a7a3e944cb1 |
| SHA1 | 39a98a95feb1b6295ad762e22aa47854f57c226f |
| SHA256 | 11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa |
| SHA512 | afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb |
memory/2092-46-0x0000000005210000-0x0000000005234000-memory.dmp
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll
| MD5 | 105a9e404f7ac841c46380063cc27f50 |
| SHA1 | ec27d9e1c3b546848324096283797a8644516ee3 |
| SHA256 | 69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b |
| SHA512 | 6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940 |
memory/2092-54-0x0000000005360000-0x0000000005388000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll
| MD5 | 6df226bda27d26ce4523b80dbf57a9ea |
| SHA1 | 615f9aba84856026460dc54b581711dad63da469 |
| SHA256 | 17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc |
| SHA512 | 988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5 |