3819bc1db52d27e10d64e54bb78522cd821b93138b9efdb991edc696a63ce594

Analysis

max time kernel
144s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
15/06/2024, 23:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

10KB
MD5

895d42041a1051b807262a6639a8f424
SHA1

c67ef16175395271cf8ed23c83ebd50d5a8a8889
SHA256

3819bc1db52d27e10d64e54bb78522cd821b93138b9efdb991edc696a63ce594
SHA512

8bc37c117f3a5f2b40a630378a7e455c936f18636651ca3ec88e2df0f3a7fbe2849f2148242a5034d281f1d1cf9d078676937e85806bf53b03a69d20eb7a32fc
SSDEEP

192:M9ynHDAHrH+UHETV/dS9Ooy4CUymFRBc0M/iwh9JGHAw/W6+Cup:MQH8zNHETV/dS977rx69JGHAe+Cup

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
3000	Roblox Evon Exploit V4 UWP_49468796.exe
168	setup49468796.exe
4504	setup49468796.exe
2688	OfferInstaller.exe
1940	OperaGX.exe
1428	OperaGX.exe
4116	OperaGX.exe
1380	OperaGX.exe
2472	OperaGX.exe
5812	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
5884	assistant_installer.exe
5912	assistant_installer.exe

Loads dropped DLL 64 IoCs

pid	Process
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe
4504	setup49468796.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup49468796.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup49468796.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup49468796.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup49468796.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup49468796.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup49468796.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup49468796.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup49468796.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	OperaGX.exe
File opened (read-only)	\??\F:	OperaGX.exe
File opened (read-only)	\??\D:	OperaGX.exe
File opened (read-only)	\??\F:	OperaGX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 4 IoCs

evasion

pid	Process
4436	timeout.exe
684	timeout.exe
4592	timeout.exe
5036	timeout.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
372	tasklist.exe
4260	tasklist.exe
372	tasklist.exe
3040	tasklist.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Roblox Evon Exploit V4 UWP_49468796.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	Roblox Evon Exploit V4 UWP_49468796.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Opera GXStable	Roblox Evon Exploit V4 UWP_49468796.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup49468796.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	OperaGX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup49468796.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup49468796.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaGX.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\How To use Evon.txt:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Roblox Evon Exploit V4 UWP_49468796.exe:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2380	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
168	setup49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
2688	OfferInstaller.exe
2688	OfferInstaller.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	firefox.exe
Token: SeDebugPrivilege	2116	firefox.exe
Token: SeDebugPrivilege	168	setup49468796.exe
Token: SeDebugPrivilege	2688	OfferInstaller.exe
Token: SeDebugPrivilege	372	tasklist.exe
Token: SeDebugPrivilege	4260	tasklist.exe
Token: SeDebugPrivilege	372	tasklist.exe
Token: SeDebugPrivilege	3040	tasklist.exe
Token: SeDebugPrivilege	2116	firefox.exe
Token: SeDebugPrivilege	2116	firefox.exe
Token: SeDebugPrivilege	2116	firefox.exe
Token: SeDebugPrivilege	2116	firefox.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
168	setup49468796.exe
3000	Roblox Evon Exploit V4 UWP_49468796.exe
1940	OperaGX.exe
1428	OperaGX.exe
4116	OperaGX.exe
1380	OperaGX.exe
2472	OperaGX.exe
2116	firefox.exe
2116	firefox.exe
2116	firefox.exe
5812	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
5884	assistant_installer.exe
5912	assistant_installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 2116	212	firefox.exe	73
PID 212 wrote to memory of 2116	212	firefox.exe	73
PID 212 wrote to memory of 2116	212	firefox.exe	73
PID 212 wrote to memory of 2116	212	firefox.exe	73
PID 212 wrote to memory of 2116	212	firefox.exe	73
PID 212 wrote to memory of 2116	212	firefox.exe	73
PID 212 wrote to memory of 2116	212	firefox.exe	73
PID 212 wrote to memory of 2116	212	firefox.exe	73
PID 212 wrote to memory of 2116	212	firefox.exe	73
PID 212 wrote to memory of 2116	212	firefox.exe	73
PID 212 wrote to memory of 2116	212	firefox.exe	73
PID 2116 wrote to memory of 2964	2116	firefox.exe	74
PID 2116 wrote to memory of 2964	2116	firefox.exe	74
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 4512	2116	firefox.exe	75
PID 2116 wrote to memory of 5108	2116	firefox.exe	76
PID 2116 wrote to memory of 5108	2116	firefox.exe	76
PID 2116 wrote to memory of 5108	2116	firefox.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\sample.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:212
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\sample.html
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.0.934527195\1672349301" -parentBuildID 20221007134813 -prefsHandle 1712 -prefMapHandle 1704 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d61de2f-2172-47f7-bc44-edbb6ff9f79f} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 1792 1bf22ad7b58 gpu
    3⤵
    PID:2964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.1.1096996025\1786584123" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 21608 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abfaa6b8-fd92-4b72-9cb6-e2f81d10d60c} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 2164 1bf229f2858 socket
    3⤵
    PID:4512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.2.48731058\1263515128" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 2908 -prefsLen 21646 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d6ca45d-29bc-423d-b0f4-99e104f1804d} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 2684 1bf26ad1858 tab
    3⤵
    PID:5108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.3.1807090199\962325919" -childID 2 -isForBrowser -prefsHandle 3500 -prefMapHandle 3528 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2532418-f820-4b96-b6ca-b0198bd09dcc} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 3532 1bf10862058 tab
    3⤵
    PID:5028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.4.855248365\750586454" -childID 3 -isForBrowser -prefsHandle 5056 -prefMapHandle 5072 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6be916f5-8cd1-4fed-b79b-c92804614e40} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 5080 1bf2a235e58 tab
    3⤵
    PID:2272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.5.1973103481\914564046" -childID 4 -isForBrowser -prefsHandle 5180 -prefMapHandle 5184 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {440510b8-fbb7-4c5a-bda7-f27ab16ff64d} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 5172 1bf2a235558 tab
    3⤵
    PID:1708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.6.697965613\285786981" -childID 5 -isForBrowser -prefsHandle 5380 -prefMapHandle 5388 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7633db5-3f9d-429f-a732-fb5aff39c64c} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 5372 1bf2a237358 tab
    3⤵
    PID:1824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.7.535482812\1290697570" -childID 6 -isForBrowser -prefsHandle 5776 -prefMapHandle 5772 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {86e574f0-cedb-4a4b-ba24-d9ece48cd46c} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 5800 1bf2a1c5c58 tab
    3⤵
    PID:4220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.8.271119296\1623535923" -childID 7 -isForBrowser -prefsHandle 5652 -prefMapHandle 5640 -prefsLen 26689 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2245a4f2-2146-4d75-a2db-c86a1c8787f8} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 5180 1bf10861158 tab
    3⤵
    PID:440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.9.1583014804\1861993545" -childID 8 -isForBrowser -prefsHandle 4612 -prefMapHandle 4728 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f994ba9-9b49-46f4-b5fe-8dfc705f4194} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 5780 1bf10864858 tab
    3⤵
    PID:5296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.10.1494481529\31472746" -parentBuildID 20221007134813 -prefsHandle 6544 -prefMapHandle 6464 -prefsLen 26864 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cb4860f9-8609-43c6-aab6-d23bb0933840} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 6556 1bf295fc258 rdd
    3⤵
    PID:5208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.11.1487410303\648994594" -childID 9 -isForBrowser -prefsHandle 6572 -prefMapHandle 6576 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d6bc943-1002-4fab-bf4f-b1e6963e7f89} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 6716 1bf2b2e2258 tab
    3⤵
    PID:5232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.12.1102005627\523844428" -childID 10 -isForBrowser -prefsHandle 7100 -prefMapHandle 6896 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {58873237-110e-4e42-9da0-63238acf0b82} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 7064 1bf2bcc5e58 tab
    3⤵
    PID:656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.13.1826197719\823712673" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 7300 -prefMapHandle 7304 -prefsLen 26864 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b68ba60-9074-4c37-8ddc-498578cd9214} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 7292 1bf2bcc7658 utility
    3⤵
    PID:5580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.14.511670858\1032974044" -childID 11 -isForBrowser -prefsHandle 7720 -prefMapHandle 7340 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d80258fd-8659-4daa-a69c-af4cd1636115} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 7748 1bf2c09f558 tab
    3⤵
    PID:5824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.15.743892142\2139076869" -childID 12 -isForBrowser -prefsHandle 7920 -prefMapHandle 11860 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {54887ec1-4e5e-4add-ad7d-81fc33e2aace} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 11252 1bf2d807058 tab
    3⤵
    PID:7624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.16.1186780506\1609237273" -childID 13 -isForBrowser -prefsHandle 5132 -prefMapHandle 5544 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e45c6ce0-d585-43dd-81ff-f52a75cabc9b} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 5448 1bf2a236158 tab
    3⤵
    PID:7360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2116.17.2063095312\1589717936" -childID 14 -isForBrowser -prefsHandle 1544 -prefMapHandle 5636 -prefsLen 26864 -prefMapSize 233444 -jsInitHandle 1100 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c36fee6-81cd-4303-b0fa-3e3611ce66a6} 2116 "\\.\pipe\gecko-crash-server-pipe.2116" 2840 1bf2d020558 tab
    3⤵
    PID:7088

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1996

C:\Users\Admin\Downloads\Roblox Evon Exploit V4 UWP_49468796.exe
"C:\Users\Admin\Downloads\Roblox Evon Exploit V4 UWP_49468796.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3000
- C:\Users\Admin\AppData\Local\setup49468796.exe
  C:\Users\Admin\AppData\Local\setup49468796.exe hhwnd=262944 hreturntoinstaller hextras=id:d8d090d10951db6-AU-8jA2z
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks for any installed AV software in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:168
- - C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
    "C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
      4⤵
      PID:2288
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2688" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "2688"
        5⤵
        
        PID:1208
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:684
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2688" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:372
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "2688"
        5⤵
        
        PID:4300
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 1
        5⤵
        Delays execution with timeout.exe
        
        PID:4592
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 2688" /fo csv
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "2688"
        5⤵
        
        PID:3840
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        Delays execution with timeout.exe
        
        PID:5036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
    3⤵
    PID:3488
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "PID eq 168" /fo csv
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:372
  - - C:\Windows\SysWOW64\find.exe
      find /I "168"
      4⤵
      PID:1724
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 5
      4⤵
      Delays execution with timeout.exe
      PID:4436
- C:\Users\Admin\AppData\Local\setup49468796.exe
  C:\Users\Admin\AppData\Local\setup49468796.exe hready
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4504
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2380
- C:\Users\Admin\AppData\Local\OperaGX.exe
  C:\Users\Admin\AppData\Local\OperaGX.exe --silent --allusers=0
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Modifies system certificate store
  - Suspicious use of SetWindowsHookEx
  PID:1940
- - C:\Users\Admin\AppData\Local\OperaGX.exe
    C:\Users\Admin\AppData\Local\OperaGX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.130 --initial-client-data=0x2c0,0x2c4,0x2c8,0x29c,0x2cc,0x714b52b8,0x714b52c4,0x714b52d0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1428
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGX.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGX.exe" --version
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4116
- - C:\Users\Admin\AppData\Local\OperaGX.exe
    "C:\Users\Admin\AppData\Local\OperaGX.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=1940 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240615233857" --session-guid=477d3f54-3572-4b7d-9e01-12f09e1fb9af --server-tracking-blob=YjRjOWFkN2ZiZTFkNThiMmU5MzdhNjYwNjhhYjk5ZTEwZTAxY2Q4NTVhYzA3ZjVmY2VmYjBkZGY5YmQ1MTY3ZDp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhX2d4In0sInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX1BCNV8zNTc1JnV0bV9pZD0wNWMzY2QxMThkMTE0ODUyYjUxOTNiMjQ1OWE2ZTk1NCZ1dG1fY29udGVudD0zNTc1X0ZpbGVETSIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxODQ5NDczNS4wODQyIiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0dCX1BCNV8zNTc1IiwiY29udGVudCI6IjM1NzVfRmlsZURNIiwiaWQiOiIwNWMzY2QxMThkMTE0ODUyYjUxOTNiMjQ1OWE2ZTk1NCIsIm1lZGl1bSI6InBhIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6IjE2NzU4YjhhLWNhZjctNDc2ZC05ZGQ0LTVjMDhhMzM0MzU4YSJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=B804000000000000
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of SetWindowsHookEx
    PID:1380
  - - C:\Users\Admin\AppData\Local\OperaGX.exe
      C:\Users\Admin\AppData\Local\OperaGX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.130 --initial-client-data=0x2b8,0x2bc,0x2cc,0x294,0x2d0,0x707252b8,0x707252c4,0x707252d0
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2472
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406152338571\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406152338571\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5812
- - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406152338571\assistant\assistant_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406152338571\assistant\assistant_installer.exe" --version
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5884
  - - C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406152338571\assistant\assistant_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406152338571\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x278,0x27c,0x280,0x254,0x284,0x4b4f48,0x4b4f58,0x4b4f64
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:5912

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\How To use Evon.txt
1⤵
PID:5544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\10198

Filesize
9KB

MD5
11346053c9bdbce5209787ca9eb84a70

SHA1
5c6e91fd91195ea7f291919df383f3f62df80473

SHA256
155bdf55ae30cbb8d8cf590fc13b5a9b226150181d1cdb378ce9ffe1daedea30

SHA512
2eb528810affd4bbe640dfda031c355b6f008e71e9bc3dcff63ebcef42b47b84f3660046a555d61468d250386ec8c21be358e768334732c55be0db952ef11976

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\10445

Filesize
9KB

MD5
0c0a3d16c5902a45a4cd27dc1b5a8d4d

SHA1
96baa97ae6632535886391d0c871e0d0727793c9

SHA256
b4223e0c15d8a5c7fb478be874c76b1d61f23d44205a9e7f4ff8a79b116ccf4f

SHA512
5089d72ab5ec17719db0153c4ea439c4009de6f8a6c2a037fc2188384d1e64b7989156bdbba0013cfb59085ad1f0d3937241469d049e38e66636c20e3e1413e6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\1647

Filesize
9KB

MD5
da8c35ce7ce2461b0a22b2f87e1da323

SHA1
c01465d159f3ea465582ce04fac609481e486ebc

SHA256
70071973170c765296923b68cf964b9c92d37e27e0a9ce64f1976b7e504e1049

SHA512
6d8e2d682ce1da350d1894f06b052d55733cba5568d7e7b29fe858f9a0009442b18905a9b997f117abb2dd0c7e3b4dab223f6ed609a0ec1a28d3628ec5769844

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\17666

Filesize
27KB

MD5
4dc242b2fa2d836b70705da3358090d5

SHA1
961266c7e421d599fd58c3c4b525a1ac55032cd3

SHA256
3114c371aead2e74ea3e3696f5b46345b940b6dbc36c5177574d13199d28d19b

SHA512
a549536bc0512813b31ce7c65d1a8499219eefb6368ff1af2a5c8bced6c6f57c020c50be16eda3495186874ef0f2c5f04d46bb8863ff0c1ce097bec5f4b3d76d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\23113

Filesize
9KB

MD5
38176562b811d534041ff2d875abd3bf

SHA1
62ccf7998aaeeb887d05b7ebbee6d0411cf84571

SHA256
10c818546ac2dc41ec0c3ac84b7e1f9789a15d5f5e33dc6819f60b754415307a

SHA512
4fb8c55225f30ff320b732a3e512cb55f3dfade2851e21b15ee48e3d939f2dd20b6680f7b27c59e40041c016385761d6488306df21b3cb30fbab8581765c8047

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\32619

Filesize
9KB

MD5
9f7793c1195a1441baac5dcd8d86309d

SHA1
e01e8960aa11cba77e1ff72bd9d58ff8f24c49aa

SHA256
3e7067cd0d13932412cc307c03d3a41c9623592b81f5542848daa9dd9558ae62

SHA512
07af0ba43b54d71e621e6136d4a1a6fa006176b92042e8efe605b049314801b93723ace99b142e23ba928461b01780b184f4c11be650039b38d143f64785a4d2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\4349

Filesize
19KB

MD5
5c8488de9c2792846903d5157b367e56

SHA1
c3a260fba0a77d86ab342db527593ad49f6119e2

SHA256
b9c44a913e76f085b369756cf6b57510457cb840740f1108af3444b1a5d14105

SHA512
36fa3345ab0d68eff9cab5e491e16ef28c053f7ba9896c93d6e5473d2bcff29466b5d19344adafa1226b328584e80993f638680928aff7083c2ad64ac824b045

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\602

Filesize
9KB

MD5
8df63e07fa612a7353eb805395019958

SHA1
1689c8ba7a53744a8f16c7fcaf2919b4eb90e578

SHA256
fd16de256f40901a3b348edca5e82d1502936075d1adf27d521558f0e0ac012c

SHA512
e3b88452b06e89a1aab11b40a370334ab0efbf002d8a97a97ebc9e7f1ead9faf61b5108d5540b381c706b2473ef20fc10ca6d39aa45e80d5870f14fae75750ef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\7965

Filesize
9KB

MD5
5784a5ea6e8d8065ec070dfbf05a83db

SHA1
e89bcd3300d4b5a6d42b0869deb386e2ac26628f

SHA256
9adad1af54f04219449b548c6a14f5410e5be1ac489febdfb8339d21ccb5ffac

SHA512
6527352ef5aa9662c3b95c592f112245d429a445bbbe39c96be7c380be1e4c4c085897f3055fa2a73158d8b56f53522660cc2cd31db4b19ea72ecc17e8ff2c29

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\doomed\8491

Filesize
9KB

MD5
464d73cd49924e2bf41569c3754ff7be

SHA1
467e513d1035eee6508a5c7c0069ab6845d078e2

SHA256
1a9da3fc2604a94ca3c3682080215c5fcb431d92f748949a53c694bad111633e

SHA512
a1aab5b0995bb97c13e658e8980addef9187450eb993cb7174dcee9b753ab75d88509d723b4f332c557065c61697510861e63b55224c54fcc67c36bae6146900

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\16859B6F0F284FCC705495A71CD6620E7ADE3FC0

Filesize
2KB

MD5
49062de3cff31278c5323fce05cc07c4

SHA1
8796668cd5931eaf025210d0a1a190c28f851eb0

SHA256
96b86c8298cb2941a98f381a8e40cf1434df7ce6b7f2dc86f2ba550b3feba6da

SHA512
0a0d8317d603d8d63bd9f72785ab4aca0212e287389c6a633d49e1582e859abad3b4264675d1b10155223cb450c0b22571b0d8185c37e2775333c93578cb1fff

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\34A86288DCB627826D85EB2DA402E098F7DF3D5B

Filesize
472KB

MD5
f94bece28eeedffd77eb35572980c134

SHA1
f4c8b8cc7810c9758770fd2bc2dce3cdafcc3fc8

SHA256
5658a99a1c9cc739c3e523fd42f13ce4678112358af4e9f140d2002750fdc1fc

SHA512
b8da3e25333034f91dfa4dc89c94d1b787b3a2479bc6dec87f68750b8002bce0922811b7972ffa66de5b767b8293a3496671a35a0a03ffa0d1dfc3f972865822

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\c5nsco79.default-release\cache2\entries\D104979C4606833DAA039684269EB9057EEDEFF2

Filesize
9KB

MD5
7c3e140fc2c43a65180eb4da18eb3bd0

SHA1
4855f3b9007662dec2cd7601e6edf8744cb1bd14

SHA256
1b276022025c7412107336afe37ff7312f7fd0aed75fb4aae775bc8927f6f140

SHA512
ff1324a88ccf3406260297cf6f70caa849f6a9fa8a5cf2d02cb963779b44ae453ecfe0415f389d9920173d1c5e856d0928d066c0f521ea321f3b8c4390ecc480

Download Submit
C:\Users\Admin\AppData\Local\OperaGX.exe

Filesize
6.3MB

MD5
9eb69588d43f4cb6eb467aee87ea95f2

SHA1
5cbbde190aae75e75d98faf149dcb09f7c83aeb9

SHA256
831636fbac5978688c7463eb846256c0c8353d05285a59d27f6a775881a5b0f9

SHA512
ce42f820fc8db4d344aafecf709a1155d2e83507cf8d4146b5329a0cdc85822a547b13f7e67d1a880d2dbb88587c02682322c95b955362df85e35f0bdf27b08b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406152338571\additional_file0.tmp

Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2406152338577731428.dll

Filesize
5.8MB

MD5
b8cb63ab220ef642bd8c3825d5d04590

SHA1
b5bf9236698d3e87aafbfdad54d1db8695c7c604

SHA256
9c2baaceedc7375fc773e68538b91bfcf61117a43adb3c6c75984faa7a5a5150

SHA512
f270932fa3a4c4c93834b85d7d0eabc080480fba1a7f53ee83707c786567a91469215738e74de2677a336a78308f9dd09fee44bb884fe324400164cd0aacd1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll

Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll

Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html

Filesize
1KB

MD5
9ba0a91b564e22c876e58a8a5921b528

SHA1
8eb23cab5effc0d0df63120a4dbad3cffcac6f1e

SHA256
2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941

SHA512
38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis

Filesize
291B

MD5
bf5328e51e8ab1211c509b5a65ab9972

SHA1
480dfb920e926d81bce67113576781815fbd1ea4

SHA256
98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b

SHA512
92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico

Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
C:\Users\Admin\AppData\Local\setup49468796.exe

Filesize
3.8MB

MD5
29d3a70cec060614e1691e64162a6c1e

SHA1
ce4daf2b1d39a1a881635b393450e435bfb7f7d1

SHA256
cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72

SHA512
69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
76832c8e10f338187cfdbea5f3b40e7f

SHA1
3fabb2ba69a4db92fe602a5bf5adfef8d30083e9

SHA256
0615b4925fe6ce447040ffa2e3aae00b4cc886a13e3d6738504f9fc7120858f9

SHA512
30dcbf5fd9bd3bc7d6a2d169310c55e9ac092b2bfea91f293c7412c888c99d47a0406ab2a3abba05fcf96779e88d8ab148a9216e84ece5867ec7d0931209d0b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\51a5f3d2-ede7-4be2-b7a3-6a040868a89b

Filesize
746B

MD5
a171263b2e9be2b0ef7ae46e4b248838

SHA1
ed378f7efccf5c6c51d42f69aceeb00c15798db1

SHA256
1da2df2e62dc9dba71ac0a7fbb90230e5b7839489f91e7eabb14641110aae162

SHA512
a5b1e272d4d60d2f91990b486ff9033c4b8737cddebd8495ef5df62a2ec5b4d90f47200451fd1b567d853cf2f0724faf1d3bb63c4a7761ff45f9fe62f0aae63b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\datareporting\glean\pending_pings\563be721-9aa6-4a11-9018-795dd57ef017

Filesize
10KB

MD5
dd7181e6410a04750e7de33803d17298

SHA1
59b1c6b46e578fc9066fd4aa816de8dd9f31a517

SHA256
515d530822de2d68a4f91d8e76bf95e07f2102a35e2d844646df319351e32ed5

SHA512
1996d19b5df387f1f5989a7acac02f82fd5f40ee1796aaa82dd85d2f5cddc9e77baf0ff0755d49b264cbfb85fa1c2005ad02dbcd2653686a5827ef5fa9104a4f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
0f5385f1582a9cbb6ce6147937bd2a0d

SHA1
556dd7b68c2ab763b8ba44c7c1cdf1847f26ccae

SHA256
8c8fbb66c1a26992f987f65fb99a8d4cc033909a82b181715a5a7626c9a52538

SHA512
f76ec52d4b34ae9ca9dbd933fbd24e7d115987c62b8fbc4deca41c2f9a753cedef5d268a3beaf89d34f4f7346db1206d3f4827ce49027e42a1ece94ca49f591b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
f5e4ab0166fb3f863e08c3e6dd934916

SHA1
1e812e1f93f4f8dda0f5c47719b0679f7f949886

SHA256
d34c2a3cfaf49f34f6829d18d66b18d32c8c5fc95513c14ae613b144089fd7d6

SHA512
107473cdb11826c1fa362d37034f9beb0ef8bf2d4de34cafa2c3120e3fc136e42b47cef11bec68deca90311ae529c63c3413e4e9c0ca66568be56345dc9757be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\prefs-1.js

Filesize
6KB

MD5
66d36cf934b9f57d25414ecabd1770e0

SHA1
8c08c0c5e3b1841148951bf92cd22b957ff95155

SHA256
2524093f76578de185f20ecf9868d433991eeb934d92a114a22d0e35482203d9

SHA512
580265da63b95b66b071bfbffe6e1278a418ed4a3566f70484e1e9f129cfb4c1959ce13d2105f4cddd6d5622546d47a0ae6820d2bda4774a62a3ea31da189b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\serviceworker.txt

Filesize
165B

MD5
1b70163a62382bad878e178e8e78411a

SHA1
09bed94c9385748953550bd090718cdd92be7306

SHA256
49f86d08083b114c520748c608feb74e7b2d53fc25060a649edd44705bdcc644

SHA512
8b6d340262f7de87c1cb8bb47f688b14d6f5008555c6826a23ce99c57cd5644b079f00bb33333e3f5916382fe7859f480abe366bf1cc4f9244160e0b1b17fda4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
873ce3fef33fedfdb760f4f6df928b75

SHA1
1242ef11473a1df96007459fbbe55026f2ac6ff7

SHA256
99e8a881dd1454b6b9b92328655fda098b1cdfd9fa07a849d2fd5056931a25af

SHA512
bcfbf98e26eed1b30b458c5e32e89f72ceacacf36333949f71fffe4cde40384a1f49d232cf443137118b405f4aafcf76201c41d97b8a4822169301dadd2bab62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
bc0b8925eb7ca9c91ad15cc99fe8d835

SHA1
18c7f5f40e79ce71d58f7dd853fece73475f2e0a

SHA256
636288bb64393068ac1a878e4f341cd3ab80da21c1d5f052091db9df1f739632

SHA512
3b39523ff01a5996d25c0d7af578035b31e4bd75a089e23ce3cfd7b4bc11865eecbe878f2eecd8e7332cb0daa702418b6a20e1b11c5316c050092fe8453263ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
5dc7d02e4649f7a3a177dba82b159836

SHA1
9af3ef6172d733c23076615a9c7650d14a5170c8

SHA256
08dee5d4db2eec05fb3b5cac5b5afccfbed92898840b97198b7a76b360bd5e24

SHA512
099052842590061573b4d1267c8f4a37df67c09de702e9cbbc4e5d48caa9db123f1be64477c73fce54108186a08704d14c5729e348f62e5f290edfee70083bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
57c9928c406897da6fe7f066618cccb5

SHA1
3130700a7e115066ee69a95cbec77eec035d3652

SHA256
4a5111c143c365be02f9ee35d495c5b508517fbf364886a8d4f16aa0a197ea1d

SHA512
006d002244e630d40837e8786ff340e8bc6f55aba5d13d6fc8a4ed32f5839d99cd19bd772633e135538f7c92acc799d4c70c245c19793ef6f49ae99d284cfd17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
b7a4bd36dd98fc5fccc961a416680042

SHA1
9b317946e43b74a32bde7bfc88f3681304579a68

SHA256
3526ad2f7a616e40efa334bf3d24267662bcf2735ce97e44014b7dd353038c4a

SHA512
e4dc26c6f506ab7b02b2ea3960d264137d864673d3befc7cbd0dc8a59383dc0c4e152f56fc44122e3efb3fe4e0199cd13a65cf11e53dfd550405be02e1d7ca5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
987B

MD5
9a0961e888d2bc382769451bae03a6bb

SHA1
f41a3f878ab4b5faedf7fd421f5317e20346b72a

SHA256
ddc38cb295dc0d82fb8905c0c54e79ca710ab86641a2fddded2bb24d1afd8000

SHA512
ddd83592cc6d218779620baea7014032cefa55eddb653cb2104e9e673bdc1e9c5f015169217ff380fb4d973ea8af77f7aa6bbe241f44724da97111ae9102e017

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
4a700ae34a47bb357d2cf10d123cf27d

SHA1
6bafd86961365a43bbe6b774df5699b3f37cf9c5

SHA256
1c1a927546902de33dc9e0de92919f469f38bd37d949c5fa80cde99b47a7ccef

SHA512
1d67a306b07570ee8577cf178cd99c8f9195275ce3795fee11733e924f3d8ea188a2c7ae0044dfc86094e95c7ccae940719dce582011634b47ca03b948ea755e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
5021a4fe9a2c1ad9a6e6fe8fcb8def98

SHA1
14b00106345e73e4311beffb47378fae3f65b0cb

SHA256
d65a9ddd04369716b37233db4f02c33ca6d1444287d4e422f85297325b08eac8

SHA512
8efde0a05e0d321bb543d8662afa689bd5c8e014e6bc73e76d553c7ee272588504fc21f85005bfd4ec4222b55db25d2daa62f3ec441fdc31cb7ad60e4d812889

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\default\https+++www.youtube.com\cache\morgue\136\{5d92ddfc-267c-4b3a-ab3d-04a25aeecb88}.final

Filesize
4KB

MD5
10c0d73c561be2d3dab3797a74b74fba

SHA1
1ada7a80f4d7aeea612e3e19db1c6fff1308eff3

SHA256
edf2af07e8bd705d69f9706fa21978c11e96708c97c0a960ab7c6dabfbec9c7f

SHA512
04febf4945c835d21293f9eec0424e00eb4582ba4daae385c6e3001e1bb1149fea2722bedc2f559fa3dfcd2455b63d809d583ba3b0b1c919d2dcc6cba3280d45

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\default\https+++www.youtube.com\cache\morgue\210\{25fd98df-4728-4882-b7e9-3f68b472a6d2}.final

Filesize
4KB

MD5
59b5db1c354040e3365f5022b6ab7328

SHA1
cffaf8752ee21b7745a309381c06c1b86bbf7b41

SHA256
c213eac2e8c10bd5d4d319a70b5d803e4eeb2d1bfe3919062a080b564da0f507

SHA512
634e17b6483447d9786498b72d763f4dac8d0c380fff118b2fb34d5ca1fb4a75b142c8c85b5572e6dd99b87633f0ccbbbd2f9c546aad0e6c083abe64c75e65d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\default\https+++www.youtube.com\cache\morgue\37\{a2751384-e769-4968-bfc2-df23c5f18d25}.final

Filesize
78KB

MD5
aee23d6075f7ccf0bccce95c3b370569

SHA1
db578d7a14719e82cdfbb2bb203e2c63e1f76d2c

SHA256
8d8355994824442b0af64dba9f94dad96d8153617a46f0020a0b6a8176eb8c02

SHA512
3f19f5f222111c2406812595566cfc760e29b78e9d0fbd55bc0a5e85ddad96db00fcc319e96be158dcbc348e4f61c6a435e2540d68d433d39dafc3017f641b59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\default\https+++www.youtube.com\idb\3211250388sbwdpsunsohintoatciif.sqlite-wal

Filesize
40KB

MD5
6ef189da0d1dd8a21548b725a21a6e62

SHA1
0d16d06806fd8e52c8f21a8f893442145c77b39b

SHA256
a03d441d9870500e20044daa662019a5be87d35121561c08cee2c239ebe3f0f6

SHA512
0a17863dec9aa499bba6865841c30613bbb9f95298eb19d6fdafd186d80c893c16d55bcdb044bc9441bbf792f127e5b491cbf6cd5c3a1df291af91d112d91da5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\default\https+++www.youtube.com\idb\3814443497yCt7-%iCd7b%-bpbr1eef.sqlite

Filesize
48KB

MD5
c3b42a6568e4f802fe7cea96bbfb43f5

SHA1
72bed6dc0859b36433a9faaeb76f8cd60fd81e8c

SHA256
9cb05df97b878111b85198300158f03b4f3b3266d52402bd7117f2f2af881832

SHA512
30f7baebdffc7bcc86fb6184810b925561e08187dd7ecf6552f051578b4fd04d6210a6472d84d8c8f9ea98d73bef6017904750e18fbfb9b7ede7c44ad6739d99

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\c5nsco79.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
f72c2c8a738f1bdd4a5e24326ff248df

SHA1
d60277881f6b36509d709948fcf7ed3ec3da74a6

SHA256
06575a0a693c9e0f265fcf03ee5b6ced4dd922ac999f5d767a9a7d92fb199082

SHA512
7fa2cc3e4f6e6f9c77fc12e188a0ef4e5dfd9079e1ddd2d689669513bd2e512136ac4485b34aa0ed8587c8cd519572d31eb2496b4091e229b6c339bf25c27d6a

Download Submit
C:\Users\Admin\Downloads\Roblox Evon Exploit V4 UWP_49468796.j1JeaEOw.exe.part

Filesize
9.5MB

MD5
3d50042e3e3991be509f56a2951a2183

SHA1
f027790afe9d7ce2ddf17973f0778fb9e983ded1

SHA256
76eee256f1223082e8396611baca498542c656edd0fac5fe903e06e6cb5677e2

SHA512
120c6a7778bd9f65f469d3335987b780e736bd895ed944d0988372f891b48f9ba09b50ed9dcffd0bf1fa23a12e215ed1f1ffe75d11c925ff4c08d3e48259a873

Download Submit
C:\Users\Admin\Downloads\wtkSNKrY.txt.part

Filesize
205B

MD5
f9f39abb0e0a9c8953aef46733b24a23

SHA1
533799df62153dc93d3c3e48c20e00b4d8a1c65c

SHA256
e630fc474a3d55666a3757c84d9ac06d23d824d290e48b8cc369d032ccaeda51

SHA512
02bf96316f7181bfb1c23da73ea833134719d8c07000fbd8baeb2633979e9f7f44fafb092b24924227d31fb6f90b88365bce436ddf04ecd0f4b4b22a5a7d9ad8

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
5.7MB

MD5
38cc1b5c2a4c510b8d4930a3821d7e0b

SHA1
f06d1d695012ace0aef7a45e340b70981ca023ba

SHA256
c2ba8645c5c9507d422961ceaeaf422adf6d378c2a7c02199ed760fb37a727f2

SHA512
99170f8094f61109d08a6e7cf25e7fba49160b0009277d10e9f0b9dac6f022e7a52e3d822e9aee3f736c2d285c4c3f62a2e6eb3e70f827ac6e8b867eea77f298

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll

Filesize
5.6MB

MD5
b431083586e39d018e19880ad1a5ce8f

SHA1
3bbf957ab534d845d485a8698accc0a40b63cedd

SHA256
b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

SHA512
7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
memory/168-415-0x0000000006120000-0x0000000006142000-memory.dmp

Filesize
136KB

Download
memory/168-355-0x00000000052A0000-0x00000000052CC000-memory.dmp

Filesize
176KB

Download
memory/168-401-0x0000000006150000-0x00000000061DC000-memory.dmp

Filesize
560KB

Download
memory/168-275-0x0000000004F20000-0x0000000004F34000-memory.dmp

Filesize
80KB

Download
memory/168-425-0x0000000006BF0000-0x00000000070EE000-memory.dmp

Filesize
5.0MB

Download
memory/168-382-0x0000000005920000-0x0000000005932000-memory.dmp

Filesize
72KB

Download
memory/168-422-0x00000000066D0000-0x00000000066DC000-memory.dmp

Filesize
48KB

Download
memory/168-307-0x0000000005100000-0x0000000005128000-memory.dmp

Filesize
160KB

Download
memory/168-365-0x0000000005230000-0x000000000524D000-memory.dmp

Filesize
116KB

Download
memory/168-416-0x00000000061E0000-0x0000000006530000-memory.dmp

Filesize
3.3MB

Download
memory/168-464-0x0000000009000000-0x000000000902E000-memory.dmp

Filesize
184KB

Download
memory/168-414-0x00000000060C0000-0x00000000060CA000-memory.dmp

Filesize
40KB

Download
memory/168-253-0x0000000000330000-0x0000000000708000-memory.dmp

Filesize
3.8MB

Download
memory/168-283-0x0000000005070000-0x0000000005094000-memory.dmp

Filesize
144KB

Download
memory/168-331-0x00000000051E0000-0x0000000005204000-memory.dmp

Filesize
144KB

Download
memory/168-438-0x0000000006930000-0x00000000069C2000-memory.dmp

Filesize
584KB

Download
memory/168-347-0x0000000005250000-0x0000000005258000-memory.dmp

Filesize
32KB

Download
memory/168-339-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/168-291-0x00000000050A0000-0x00000000050C8000-memory.dmp

Filesize
160KB

Download
memory/168-299-0x00000000050D0000-0x00000000050FE000-memory.dmp

Filesize
184KB

Download
memory/168-323-0x0000000005150000-0x000000000516A000-memory.dmp

Filesize
104KB

Download
memory/168-431-0x00000000076B0000-0x0000000007C64000-memory.dmp

Filesize
5.7MB

Download
memory/168-315-0x0000000005170000-0x00000000051A2000-memory.dmp

Filesize
200KB

Download
memory/2688-540-0x0000000000A70000-0x0000000000A7C000-memory.dmp

Filesize
48KB

Download