44caliber | hxxps://filedm[.]com/KA1rz

Analysis

max time kernel
1794s
max time network
1807s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 11:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filedm.com/KA1rz

Score

10^/10

44caliber discovery evasion execution spyware stealer themida trojan

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1169713279464120370/GUIw2wEmQMllUHEfRf3MNeS3DBNrZN-RuTQ9QbFfAqIZNVHtIlkj1yiD5QqgrIlv8gQi

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Downloads MZ/PE file

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup74840825.exeSolaraBootstrapper.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	setup74840825.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	SolaraBootstrapper.exe

Executes dropped EXE 14 IoCs

Processes:

setup74840825.exesetup74840825.exeOfferInstaller.exeOperaGX.exeOperaGX.exeOperaGX.exeOperaGX.exeOperaGX.exeOpera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exeSolaraBootstrapper.execd57e4c171d6e8f5ea8b8f824a6a7316.exeInsidious.exe

pid	process
5236	setup74840825.exe
5416	setup74840825.exe
5716	OfferInstaller.exe
5492	OperaGX.exe
5468	OperaGX.exe
5660	OperaGX.exe
4436	OperaGX.exe
5724	OperaGX.exe
5264	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
3032	assistant_installer.exe
4592	assistant_installer.exe
2856	SolaraBootstrapper.exe
3168	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
4480	Insidious.exe

Loads dropped DLL 64 IoCs

Processes:

setup74840825.exesetup74840825.exe

pid	process
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe
5416	setup74840825.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 18 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/3168-1965-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-1966-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-1967-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-1968-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-2140-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-2168-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-2175-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-2173-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-2178-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-2200-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-2204-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-2207-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-2238-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-2243-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-2453-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-2467-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-2471-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida
behavioral1/memory/3168-3365-0x0000000180000000-0x0000000180B0D000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

Processes:

setup74840825.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup74840825.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup74840825.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup74840825.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup74840825.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup74840825.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup74840825.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup74840825.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup74840825.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

OperaGX.exeOperaGX.exe

description	ioc	process
File opened (read-only)	\??\F:	OperaGX.exe
File opened (read-only)	\??\D:	OperaGX.exe
File opened (read-only)	\??\F:	OperaGX.exe
File opened (read-only)	\??\D:	OperaGX.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

Processes:

flow	ioc
541	raw.githubusercontent.com
938	raw.githubusercontent.com
294	discord.com
483	raw.githubusercontent.com
484	raw.githubusercontent.com
510	raw.githubusercontent.com
482	raw.githubusercontent.com
506	raw.githubusercontent.com
542	raw.githubusercontent.com
1246	raw.githubusercontent.com
295	discord.com
296	discord.com
494	raw.githubusercontent.com
495	raw.githubusercontent.com
540	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

498 freegeoip.app
499 freegeoip.app
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

cd57e4c171d6e8f5ea8b8f824a6a7316.exe

pid process

3168 cd57e4c171d6e8f5ea8b8f824a6a7316.exe

flow	ioc
498	freegeoip.app
499	freegeoip.app

pid	process
3168	cd57e4c171d6e8f5ea8b8f824a6a7316.exe

Drops file in Program Files directory 64 IoCs

Processes:

msedgewebview2.exe

description	ioc	process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-fr.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\manifest.fingerprint	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-und-ethi.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-de-1996.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-tk.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-hr.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1203275440\LICENSE	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Mu\Social	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-en-us.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1735337063\LICENSE	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Mu\Fingerprinting	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Sigma\Advertising	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_849674104\protocols.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-bg.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1203275440\manifest.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Mu\Content	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Mu\Entities	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1735337063\manifest.fingerprint	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-cu.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-de-1901.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-nn.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-ta.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Sigma\Entities	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-da.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1735337063\Filtering Rules-AA	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Mu\Advertising	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-cy.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\_metadata\verified_contents.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1203275440\_metadata\verified_contents.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1735337063\Part-NL	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Mu\Analytics	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-hi.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1744955944\manifest.fingerprint	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1735337063\Part-ES	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_892484982\crs.pb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_892484982\kp_pinslist.pb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-or.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Sigma\Fingerprinting	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_892484982\ct_config.pb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Mu\Cryptomining	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Sigma\Cryptomining	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1735337063\Part-IT	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-ga.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-gu.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1626331756\manifest.fingerprint	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Mu\CompatExceptions	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-en-gb.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\manifest.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1735337063\Filtering Rules-CA	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-hy.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-kn.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-mn-cyrl.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1744955944\Microsoft.CognitiveServices.Speech.core.dll	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1203275440\keys.json	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-et.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-nb.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-sl.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Sigma\Other	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1735337063\adblock_snippet.js	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Sigma\Social	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1203275440\manifest.fingerprint	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\Sigma\Analytics	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-de-ch-1901.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1735337063\Part-RU	msedgewebview2.exe

Drops file in Windows directory 6 IoCs

Processes:

Ngen.exeNgen.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	Ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	Ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	Ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	Ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	Ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	Ngen.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4972 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5604 5068 WerFault.exe Delta.exe

pid	process
4972	powershell.exe

pid	pid_target	process	target process
5604	5068	WerFault.exe	Delta.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

WinStore.App.exevssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	WinStore.App.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	WinStore.App.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	WinStore.App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	WinStore.App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002b58b4804f1d39ed0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002b58b4800000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002b58b480000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2b58b480000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002b58b48000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

3804 timeout.exe
5948 timeout.exe
6112 timeout.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

5316 tasklist.exe
2460 tasklist.exe
3708 tasklist.exe

pid	process
3804	timeout.exe
5948	timeout.exe
6112	timeout.exe

pid	process
5316	tasklist.exe
2460	tasklist.exe
3708	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedgewebview2.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

msedgewebview2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133642223814643511"	msedgewebview2.exe

Modifies registry class 47 IoCs

Processes:

WinStore.App.exeWinStore.App.exemsedge.exeWinStore.App.exeWinStore.App.exeWinStore.App.exeWinStore.App.exeDelta V3.61 b_74840825.exeWinStore.App.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\MuiCache	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	WinStore.App.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3665033694-1447845302-680750983-1000\{83BCBEA7-21CC-4373-ADF7-EE5E76AC6900}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\MuiCache	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheVersion = "1"	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\MuiCache	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\MuiCache	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\MuiCache	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Opera GXStable	Delta V3.61 b_74840825.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\MuiCache	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\MuiCache	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	Delta V3.61 b_74840825.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheVersion = "1"	WinStore.App.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheVersion = "1"	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings	WinStore.App.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheVersion = "1"	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1"	WinStore.App.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Delta V3.61 b_74840825.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1"	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	WinStore.App.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windowsstore_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	WinStore.App.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

OperaGX.exesetup74840825.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 5c000000010000000400000000080000190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc36200000001000000200000007431e5f4c3c1ce4690774f0b61e05440883ba9a01ed00ba6abd7806ed3b118cf090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	OperaGX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup74840825.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup74840825.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	OperaGX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGX.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup74840825.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	OperaGX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	OperaGX.exe

Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

5220 NOTEPAD.EXE
3440 NOTEPAD.EXE

pid	process
5220	NOTEPAD.EXE
3440	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

setup74840825.exeDelta V3.61 b_74840825.exeOfferInstaller.exe

pid	process
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5236	setup74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5716	OfferInstaller.exe
5716	OfferInstaller.exe

Suspicious behavior: LoadsDriver 6 IoCs

Processes:

pid

4
4
4
4
4
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

Processes:

msedgewebview2.exe

pid process

3112 msedgewebview2.exe

pid
4
4
4
4
4
656

pid	process
3112	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

setup74840825.exeOfferInstaller.exetasklist.exetasklist.exetasklist.exeDelta.exeSolaraBootstrapper.exeInsidious.execd57e4c171d6e8f5ea8b8f824a6a7316.exepowershell.exeWinStore.App.exesvchost.exeWinStore.App.exepowershell.exepowershell.exeWinStore.App.exevssvc.exesrtasks.exe

description	pid	process
Token: SeDebugPrivilege	5236	setup74840825.exe
Token: SeDebugPrivilege	5716	OfferInstaller.exe
Token: SeDebugPrivilege	5316	tasklist.exe
Token: SeDebugPrivilege	2460	tasklist.exe
Token: SeDebugPrivilege	3708	tasklist.exe
Token: SeDebugPrivilege	2352	Delta.exe
Token: SeDebugPrivilege	2856	SolaraBootstrapper.exe
Token: SeDebugPrivilege	4480	Insidious.exe
Token: SeDebugPrivilege	3168	cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Token: SeDebugPrivilege	5304	powershell.exe
Token: SeDebugPrivilege	7616	WinStore.App.exe
Token: SeDebugPrivilege	7616	WinStore.App.exe
Token: SeManageVolumePrivilege	8040	svchost.exe
Token: SeDebugPrivilege	6076	WinStore.App.exe
Token: SeDebugPrivilege	6076	WinStore.App.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	7144	WinStore.App.exe
Token: SeDebugPrivilege	7144	WinStore.App.exe
Token: SeBackupPrivilege	7788	vssvc.exe
Token: SeRestorePrivilege	7788	vssvc.exe
Token: SeAuditPrivilege	7788	vssvc.exe
Token: SeBackupPrivilege	4584	srtasks.exe
Token: SeRestorePrivilege	4584	srtasks.exe
Token: SeSecurityPrivilege	4584	srtasks.exe
Token: SeTakeOwnershipPrivilege	4584	srtasks.exe
Token: SeBackupPrivilege	4584	srtasks.exe
Token: SeRestorePrivilege	4584	srtasks.exe
Token: SeSecurityPrivilege	4584	srtasks.exe
Token: SeTakeOwnershipPrivilege	4584	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Delta V3.61 b_74840825.exe

pid process

5060 Delta V3.61 b_74840825.exe

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

Delta V3.61 b_74840825.exesetup74840825.exeOperaGX.exeOperaGX.exeOperaGX.exeOperaGX.exeOperaGX.exeOpera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exeassistant_installer.exeassistant_installer.exeWinStore.App.exeWinStore.App.exeWinStore.App.exeWinStore.App.exeWinStore.App.exeWinStore.App.exeWinStore.App.exe

pid	process
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5060	Delta V3.61 b_74840825.exe
5236	setup74840825.exe
5492	OperaGX.exe
5468	OperaGX.exe
5660	OperaGX.exe
4436	OperaGX.exe
5724	OperaGX.exe
5264	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
3032	assistant_installer.exe
4592	assistant_installer.exe
7616	WinStore.App.exe
6076	WinStore.App.exe
5348	WinStore.App.exe
5248	WinStore.App.exe
7888	WinStore.App.exe
7144	WinStore.App.exe
8108	WinStore.App.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Delta V3.61 b_74840825.exesetup74840825.execmd.exeOfferInstaller.execmd.exeOperaGX.exeOperaGX.exe

description	pid	process	target process
PID 5060 wrote to memory of 5236	5060	Delta V3.61 b_74840825.exe	setup74840825.exe
PID 5060 wrote to memory of 5236	5060	Delta V3.61 b_74840825.exe	setup74840825.exe
PID 5060 wrote to memory of 5236	5060	Delta V3.61 b_74840825.exe	setup74840825.exe
PID 5060 wrote to memory of 5416	5060	Delta V3.61 b_74840825.exe	setup74840825.exe
PID 5060 wrote to memory of 5416	5060	Delta V3.61 b_74840825.exe	setup74840825.exe
PID 5060 wrote to memory of 5416	5060	Delta V3.61 b_74840825.exe	setup74840825.exe
PID 5236 wrote to memory of 5716	5236	setup74840825.exe	OfferInstaller.exe
PID 5236 wrote to memory of 5716	5236	setup74840825.exe	OfferInstaller.exe
PID 5236 wrote to memory of 5716	5236	setup74840825.exe	OfferInstaller.exe
PID 5236 wrote to memory of 5812	5236	setup74840825.exe	cmd.exe
PID 5236 wrote to memory of 5812	5236	setup74840825.exe	cmd.exe
PID 5236 wrote to memory of 5812	5236	setup74840825.exe	cmd.exe
PID 5812 wrote to memory of 5316	5812	cmd.exe	tasklist.exe
PID 5812 wrote to memory of 5316	5812	cmd.exe	tasklist.exe
PID 5812 wrote to memory of 5316	5812	cmd.exe	tasklist.exe
PID 5812 wrote to memory of 5412	5812	cmd.exe	find.exe
PID 5812 wrote to memory of 5412	5812	cmd.exe	find.exe
PID 5812 wrote to memory of 5412	5812	cmd.exe	find.exe
PID 5812 wrote to memory of 5948	5812	cmd.exe	timeout.exe
PID 5812 wrote to memory of 5948	5812	cmd.exe	timeout.exe
PID 5812 wrote to memory of 5948	5812	cmd.exe	timeout.exe
PID 5716 wrote to memory of 6004	5716	OfferInstaller.exe	cmd.exe
PID 5716 wrote to memory of 6004	5716	OfferInstaller.exe	cmd.exe
PID 5716 wrote to memory of 6004	5716	OfferInstaller.exe	cmd.exe
PID 6004 wrote to memory of 2460	6004	cmd.exe	tasklist.exe
PID 6004 wrote to memory of 2460	6004	cmd.exe	tasklist.exe
PID 6004 wrote to memory of 2460	6004	cmd.exe	tasklist.exe
PID 6004 wrote to memory of 2420	6004	cmd.exe	find.exe
PID 6004 wrote to memory of 2420	6004	cmd.exe	find.exe
PID 6004 wrote to memory of 2420	6004	cmd.exe	find.exe
PID 6004 wrote to memory of 6112	6004	cmd.exe	timeout.exe
PID 6004 wrote to memory of 6112	6004	cmd.exe	timeout.exe
PID 6004 wrote to memory of 6112	6004	cmd.exe	timeout.exe
PID 6004 wrote to memory of 3708	6004	cmd.exe	tasklist.exe
PID 6004 wrote to memory of 3708	6004	cmd.exe	tasklist.exe
PID 6004 wrote to memory of 3708	6004	cmd.exe	tasklist.exe
PID 6004 wrote to memory of 2472	6004	cmd.exe	find.exe
PID 6004 wrote to memory of 2472	6004	cmd.exe	find.exe
PID 6004 wrote to memory of 2472	6004	cmd.exe	find.exe
PID 6004 wrote to memory of 3804	6004	cmd.exe	timeout.exe
PID 6004 wrote to memory of 3804	6004	cmd.exe	timeout.exe
PID 6004 wrote to memory of 3804	6004	cmd.exe	timeout.exe
PID 5060 wrote to memory of 5220	5060	Delta V3.61 b_74840825.exe	NOTEPAD.EXE
PID 5060 wrote to memory of 5220	5060	Delta V3.61 b_74840825.exe	NOTEPAD.EXE
PID 5060 wrote to memory of 5220	5060	Delta V3.61 b_74840825.exe	NOTEPAD.EXE
PID 5060 wrote to memory of 5492	5060	Delta V3.61 b_74840825.exe	OperaGX.exe
PID 5060 wrote to memory of 5492	5060	Delta V3.61 b_74840825.exe	OperaGX.exe
PID 5060 wrote to memory of 5492	5060	Delta V3.61 b_74840825.exe	OperaGX.exe
PID 5492 wrote to memory of 5468	5492	OperaGX.exe	OperaGX.exe
PID 5492 wrote to memory of 5468	5492	OperaGX.exe	OperaGX.exe
PID 5492 wrote to memory of 5468	5492	OperaGX.exe	OperaGX.exe
PID 5492 wrote to memory of 5660	5492	OperaGX.exe	OperaGX.exe
PID 5492 wrote to memory of 5660	5492	OperaGX.exe	OperaGX.exe
PID 5492 wrote to memory of 5660	5492	OperaGX.exe	OperaGX.exe
PID 5492 wrote to memory of 4436	5492	OperaGX.exe	OperaGX.exe
PID 5492 wrote to memory of 4436	5492	OperaGX.exe	OperaGX.exe
PID 5492 wrote to memory of 4436	5492	OperaGX.exe	OperaGX.exe
PID 4436 wrote to memory of 5724	4436	OperaGX.exe	OperaGX.exe
PID 4436 wrote to memory of 5724	4436	OperaGX.exe	OperaGX.exe
PID 4436 wrote to memory of 5724	4436	OperaGX.exe	OperaGX.exe
PID 5060 wrote to memory of 3440	5060	Delta V3.61 b_74840825.exe	NOTEPAD.EXE
PID 5060 wrote to memory of 3440	5060	Delta V3.61 b_74840825.exe	NOTEPAD.EXE
PID 5060 wrote to memory of 3440	5060	Delta V3.61 b_74840825.exe	NOTEPAD.EXE
PID 5492 wrote to memory of 5264	5492	OperaGX.exe	Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://filedm.com/KA1rz
1⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=3148,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=2592 /prefetch:1
1⤵
PID:1328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4776,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=3844 /prefetch:1
1⤵
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4832,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:1
1⤵
PID:944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=5456,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=5480 /prefetch:8
1⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --field-trial-handle=5484,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:8
1⤵
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=5988,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=6020 /prefetch:8
1⤵
PID:2052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5964,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=6028 /prefetch:1
1⤵
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=5956,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:1
1⤵
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=5168,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=5184 /prefetch:8
1⤵
PID:2432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6436,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=6652 /prefetch:1
1⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --field-trial-handle=6912,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=6816 /prefetch:8
1⤵
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7376,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=7356 /prefetch:8
1⤵
PID:2468

C:\Users\Admin\Downloads\Delta V3.61 b_74840825.exe
"C:\Users\Admin\Downloads\Delta V3.61 b_74840825.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5060

C:\Users\Admin\AppData\Local\setup74840825.exe
C:\Users\Admin\AppData\Local\setup74840825.exe hhwnd=721182 hreturntoinstaller hextras=id:d8d090d10951db6-AU-KA1rz
2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks for any installed AV software in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5236

C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5716

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
4⤵
- Suspicious use of WriteProcessMemory
PID:6004

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 5716" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\SysWOW64\find.exe
find /I "5716"
5⤵
PID:2420

C:\Windows\SysWOW64\timeout.exe
timeout 1
5⤵
- Delays execution with timeout.exe
PID:6112

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 5716" /fo csv
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\SysWOW64\find.exe
find /I "5716"
5⤵
PID:2472

C:\Windows\SysWOW64\timeout.exe
timeout 5
5⤵
- Delays execution with timeout.exe
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:5812

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "PID eq 5236" /fo csv
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5316

C:\Windows\SysWOW64\find.exe
find /I "5236"
4⤵
PID:5412

C:\Windows\SysWOW64\timeout.exe
timeout 5
4⤵
- Delays execution with timeout.exe
PID:5948

C:\Users\Admin\AppData\Local\setup74840825.exe
C:\Users\Admin\AppData\Local\setup74840825.exe hready
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5416

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:5220

C:\Users\Admin\AppData\Local\OperaGX.exe
C:\Users\Admin\AppData\Local\OperaGX.exe --silent --allusers=0
2⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5492

C:\Users\Admin\AppData\Local\OperaGX.exe
C:\Users\Admin\AppData\Local\OperaGX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.142 --initial-client-data=0x2c4,0x2c8,0x2cc,0x2a4,0x2d0,0x715f52b8,0x715f52c4,0x715f52d0
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5468

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGX.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\OperaGX.exe" --version
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5660

C:\Users\Admin\AppData\Local\OperaGX.exe
"C:\Users\Admin\AppData\Local\OperaGX.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --vought_browser=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera GX" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --server-tracking-data=server_tracking_data --initial-pid=5492 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_20240630115411" --session-guid=b225f86a-0009-45ae-ad71-9c4a02b9d567 --server-tracking-blob=NmI3NjgwNWFkMzdjMjBkMWExYTYyMDkxZGNmMzY3MTlmNjgzNzA5MGI1OWQyZmZiYTJiZWQ0ZjY5MDUwNDQ4Nzp7ImNvdW50cnkiOiJHQiIsImVkaXRpb24iOiJzdGQtMiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFHWFNldHVwLmV4ZSIsInByb2R1Y3QiOnsibmFtZSI6Im9wZXJhX2d4In0sInF1ZXJ5IjoiL29wZXJhX2d4L3N0YWJsZS9lZGl0aW9uL3N0ZC0yP3V0bV9zb3VyY2U9UFdOZ2FtZXMmdXRtX21lZGl1bT1wYSZ1dG1fY2FtcGFpZ249UFdOX0dCX1BCNV8zNTc1JnV0bV9pZD1jYjQ5MjE3MTM0OWY0N2RkYmRhNzU5MGMwZDE5YzJkNSZ1dG1fY29udGVudD0zNTc1X0ZpbGVETSIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcxOTc0ODQ0Ny4wMjA5IiwidXNlcmFnZW50IjoiTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNy4wOyBXaW5kb3dzIE5UIDYuMjsgV09XNjQ7IFRyaWRlbnQvNy4wOyAuTkVUNC4wQzsgLk5FVDQuMEU7IC5ORVQgQ0xSIDIuMC41MDcyNzsgLk5FVCBDTFIgMy4wLjMwNzI5OyAuTkVUIENMUiAzLjUuMzA3MjkpIiwidXRtIjp7ImNhbXBhaWduIjoiUFdOX0dCX1BCNV8zNTc1IiwiY29udGVudCI6IjM1NzVfRmlsZURNIiwiaWQiOiJjYjQ5MjE3MTM0OWY0N2RkYmRhNzU5MGMwZDE5YzJkNSIsIm1lZGl1bSI6InBhIiwic291cmNlIjoiUFdOZ2FtZXMifSwidXVpZCI6ImVjYmY5NGMwLTM1OGYtNGM5MS1hODVlLWMzNzc4NWFiNTJjNiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=A805000000000000
3⤵
- Executes dropped EXE
- Enumerates connected drives
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\OperaGX.exe
C:\Users\Admin\AppData\Local\OperaGX.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=109.0.5097.142 --initial-client-data=0x2b4,0x2b8,0x2bc,0x290,0x2c0,0x708452b8,0x708452c4,0x708452d0
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5724

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406301154111\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406301154111\assistant\Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5264

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406301154111\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406301154111\assistant\assistant_installer.exe" --version
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406301154111\assistant\assistant_installer.exe
"C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406301154111\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktopGX --annotation=ver=73.0.3856.382 --initial-client-data=0x288,0x28c,0x290,0x268,0x294,0xfd4f48,0xfd4f58,0xfd4f64
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --field-trial-handle=6820,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=6856 /prefetch:8
1⤵
PID:5720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=5148,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=6352 /prefetch:1
1⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=6592,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=7072 /prefetch:1
1⤵
PID:5940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --field-trial-handle=6868,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:1
1⤵
PID:5664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=7908,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=7992 /prefetch:1
1⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=6332,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8100 /prefetch:1
1⤵
PID:5636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=8188,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8080 /prefetch:8
1⤵
PID:424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=7856,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=6296 /prefetch:8
1⤵
PID:5896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\Temp1_Delta V3.61.zip\Delta V3.61\Delta.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Delta V3.61.zip\Delta V3.61\Delta.exe"
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 1316
2⤵
- Program crash
PID:5604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5068 -ip 5068
1⤵
PID:5876

C:\Users\Admin\Downloads\Delta V3.61\Delta V3.61\Delta.exe
"C:\Users\Admin\Downloads\Delta V3.61\Delta V3.61\Delta.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/4TfpR6wUUu
2⤵
PID:3092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --field-trial-handle=5492,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:1
1⤵
PID:5188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --field-trial-handle=5764,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=7964 /prefetch:1
1⤵
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --field-trial-handle=5544,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8140 /prefetch:8
1⤵
PID:2760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --field-trial-handle=5592,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8008 /prefetch:8
1⤵
- Modifies registry class
PID:932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --field-trial-handle=8080,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=7508 /prefetch:1
1⤵
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --field-trial-handle=8164,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=7860 /prefetch:1
1⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --field-trial-handle=8044,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=6644 /prefetch:1
1⤵
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=6800,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=7952 /prefetch:8
1⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --field-trial-handle=7484,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=7960 /prefetch:1
1⤵
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --field-trial-handle=5740,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=5136 /prefetch:1
1⤵
PID:2364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --field-trial-handle=6700,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8036 /prefetch:1
1⤵
PID:2860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --field-trial-handle=7508,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:1
1⤵
PID:5612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --field-trial-handle=7912,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=5176 /prefetch:1
1⤵
PID:5180

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x324
1⤵
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --field-trial-handle=8292,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=5848 /prefetch:1
1⤵
PID:2296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --field-trial-handle=6572,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:1
1⤵
PID:5576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --field-trial-handle=8284,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:1
1⤵
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=8320,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=5568 /prefetch:8
1⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=8588,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=4160 /prefetch:8
1⤵
PID:460

C:\Users\Admin\Downloads\Solara\Solara\SolaraB\SolaraBootstrapper.exe
"C:\Users\Admin\Downloads\Solara\Solara\SolaraB\SolaraBootstrapper.exe"
1⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2856

C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
"C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe"
3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=3168.6052.16853716004999222878
4⤵
- Drops file in Program Files directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:3112

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=125.0.6422.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=125.0.2535.92 --initial-client-data=0x178,0x17c,0x180,0x154,0x188,0x7ffeccab4ef8,0x7ffeccab4f04,0x7ffeccab4f10
5⤵
PID:5220

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1732,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=1840 /prefetch:2
5⤵
PID:872

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2064,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=2072 /prefetch:3
5⤵
PID:424

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2344,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=2320 /prefetch:8
5⤵
PID:920

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3712,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=3728 /prefetch:1
5⤵
PID:4112

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2208,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4688 /prefetch:8
5⤵
PID:5444

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2136,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:8
5⤵
PID:6184

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4684,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8
5⤵
PID:6304

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=4480,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4584 /prefetch:8
5⤵
PID:5400

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=1608,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4776 /prefetch:8
5⤵
PID:5820

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=4704,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4808 /prefetch:8
5⤵
PID:3848

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=2284,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4764 /prefetch:8
5⤵
PID:6252

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=4456,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4752 /prefetch:8
5⤵
PID:3528

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=4728,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=1336 /prefetch:8
5⤵
PID:4976

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\125.0.2535.92\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView" --webview-exe-name=cd57e4c171d6e8f5ea8b8f824a6a7316.exe --webview-exe-version=1.0.0.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --field-trial-handle=4804,i,14152538028268155045,8950985779494564558,262144 --enable-features=MojoIpcz --variations-seed-version --mojo-platform-channel-handle=4660 /prefetch:8
5⤵
PID:5244

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=8484,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=5712 /prefetch:8
1⤵
PID:4668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --field-trial-handle=8736,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8664 /prefetch:1
1⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --field-trial-handle=8820,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8828 /prefetch:1
1⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --field-trial-handle=8672,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8428 /prefetch:1
1⤵
PID:5428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --field-trial-handle=8440,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8312 /prefetch:1
1⤵
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --field-trial-handle=8816,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8756 /prefetch:1
1⤵
PID:5864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --field-trial-handle=8536,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8744 /prefetch:1
1⤵
PID:5444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --field-trial-handle=5712,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=7560 /prefetch:1
1⤵
PID:5956

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --field-trial-handle=8972,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8708 /prefetch:1
1⤵
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --field-trial-handle=8424,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=9144 /prefetch:1
1⤵
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --field-trial-handle=9364,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=9328 /prefetch:1
1⤵
PID:5400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --field-trial-handle=9316,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8784 /prefetch:1
1⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --field-trial-handle=9556,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8692 /prefetch:1
1⤵
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --field-trial-handle=9380,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=9000 /prefetch:1
1⤵
PID:752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --field-trial-handle=9652,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=9516 /prefetch:1
1⤵
PID:6440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --field-trial-handle=7964,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8684 /prefetch:1
1⤵
PID:6504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --field-trial-handle=9776,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=9780 /prefetch:1
1⤵
PID:6756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --field-trial-handle=9724,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8400 /prefetch:8
1⤵
PID:5600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --field-trial-handle=10232,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10052 /prefetch:8
1⤵
PID:6216

C:\Users\Admin\Downloads\Krnl-main\Krnl-main\krnl.exe
"C:\Users\Admin\Downloads\Krnl-main\Krnl-main\krnl.exe"
1⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --field-trial-handle=9744,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10156 /prefetch:1
1⤵
PID:6864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --field-trial-handle=9964,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=9828 /prefetch:1
1⤵
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --field-trial-handle=9648,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=9592 /prefetch:1
1⤵
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --field-trial-handle=10156,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=9820 /prefetch:1
1⤵
PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --field-trial-handle=7996,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=9764 /prefetch:1
1⤵
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --field-trial-handle=10372,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10384 /prefetch:8
1⤵
PID:1068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --field-trial-handle=9756,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10612 /prefetch:8
1⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --field-trial-handle=10144,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10572 /prefetch:1
1⤵
PID:6984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --field-trial-handle=11012,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11028 /prefetch:1
1⤵
PID:6936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --field-trial-handle=10668,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10952 /prefetch:1
1⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --field-trial-handle=11196,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11380 /prefetch:1
1⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --field-trial-handle=11224,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11604 /prefetch:1
1⤵
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --field-trial-handle=11104,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11728 /prefetch:1
1⤵
PID:3832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --field-trial-handle=10560,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11092 /prefetch:1
1⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --field-trial-handle=11608,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11628 /prefetch:1
1⤵
PID:4156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --field-trial-handle=7560,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10060 /prefetch:1
1⤵
PID:6992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --field-trial-handle=10656,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11728 /prefetch:1
1⤵
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --field-trial-handle=9988,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=9680 /prefetch:1
1⤵
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --field-trial-handle=11688,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11204 /prefetch:1
1⤵
PID:6652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --field-trial-handle=9496,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10016 /prefetch:1
1⤵
PID:3228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --field-trial-handle=10676,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10796 /prefetch:1
1⤵
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --field-trial-handle=10760,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10932 /prefetch:1
1⤵
PID:5996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --field-trial-handle=10764,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10980 /prefetch:1
1⤵
PID:6200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --field-trial-handle=11192,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10344 /prefetch:1
1⤵
PID:6540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --field-trial-handle=10300,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10880 /prefetch:1
1⤵
PID:6280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --field-trial-handle=11812,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10980 /prefetch:1
1⤵
PID:7008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --field-trial-handle=11140,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11180 /prefetch:1
1⤵
PID:5440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --field-trial-handle=11720,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10624 /prefetch:1
1⤵
PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --field-trial-handle=6664,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10608 /prefetch:1
1⤵
PID:7068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --field-trial-handle=10512,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=9664 /prefetch:1
1⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --field-trial-handle=11384,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=9828 /prefetch:1
1⤵
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=103 --field-trial-handle=12004,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11900 /prefetch:1
1⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --field-trial-handle=11892,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11748 /prefetch:1
1⤵
PID:6224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=105 --field-trial-handle=8728,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10736 /prefetch:1
1⤵
PID:6312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --field-trial-handle=10828,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10364 /prefetch:1
1⤵
PID:7036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --field-trial-handle=8784,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10356 /prefetch:1
1⤵
PID:6152

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5304

C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:7616

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.NET.Native.Runtime.2.2_8wekyb3d8bbwe
1⤵
PID:6520

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:8040

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.NET.Native.Framework.2.2_8wekyb3d8bbwe
1⤵
PID:7436

C:\Program Files\WindowsApps\Microsoft.WindowsStore_22405.1401.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsStore_22405.1401.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6076

C:\Program Files\WindowsApps\Microsoft.WindowsStore_22405.1401.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsStore_22405.1401.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Program Files\WindowsApps\Microsoft.WindowsStore_22405.1401.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsStore_22405.1401.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --field-trial-handle=4864,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=9600 /prefetch:1
1⤵
PID:5216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --field-trial-handle=9400,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10900 /prefetch:1
1⤵
PID:7588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --field-trial-handle=9740,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11956 /prefetch:1
1⤵
PID:5424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --field-trial-handle=10160,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11612 /prefetch:1
1⤵
PID:7668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --field-trial-handle=11340,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11932 /prefetch:1
1⤵
PID:8084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --field-trial-handle=10852,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8448 /prefetch:1
1⤵
PID:5940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --field-trial-handle=11448,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=8432 /prefetch:1
1⤵
PID:7912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=115 --field-trial-handle=9640,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=10652 /prefetch:1
1⤵
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=116 --field-trial-handle=11044,i,15316930299780304231,7592852768794498680,262144 --variations-seed-version --mojo-platform-channel-handle=11296 /prefetch:1
1⤵
PID:2968

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell -ExecutionPolicy Unrestricted -Command "& {$manifest = (Get-AppxPackage *WindowsStore*).InstallLocation + '\AppxManifest.xml' ; Add-AppxPackage -DisableDevelopmentMode -Register $manifest}"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Program Files\WindowsApps\Microsoft.WindowsStore_22405.1401.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsStore_22405.1401.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault93ccce34h0bd5h4ed6h9455h2f60b7a8ee02
1⤵
PID:6688

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.WindowsStore_8wekyb3d8bbwe
1⤵
PID:7564

C:\Program Files\WindowsApps\Microsoft.WindowsStore_22405.1401.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsStore_22405.1401.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:7144

C:\Program Files\WindowsApps\Microsoft.WindowsStore_22405.1401.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe
"C:\Program Files\WindowsApps\Microsoft.WindowsStore_22405.1401.5.0_x64__8wekyb3d8bbwe\WinStore.App.exe" -ServerName:App.AppXc75wvwned5vhz4xyxxecvgdjhdkgsdza.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta0cb24bbh8097h48d8h8f51hee25bae9275b
1⤵
PID:7664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault6b7eb764hdf09h4ef4h87efheff7d846087b
1⤵
PID:3644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4a146083hfb6eh405bhb141hf95a577966aa
1⤵
PID:4584

C:\Windows\system32\wuauclt.exe
"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId 033c3073-7250-4659-b62b-c320d1bb6356 /RunHandlerComServer
1⤵
PID:4952

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:7788

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Ngen.exe Update /Queue /Delay
1⤵
- Drops file in Windows directory
PID:6964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Ngen.exe Update /Queue /Delay
1⤵
- Drops file in Windows directory
PID:7160

C:\Windows\system32\wuauclt.exe
"C:\Windows\system32\wuauclt.exe" /UpdateDeploymentProvider UpdateDeploymentProvider.dll /ClassId b4dfe1dd-ab04-48d7-8f33-faade2a05c95 /RunHandlerComServer
1⤵
PID:6012

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Software Discovery

T1518

Security Software Discovery

T1518.001

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1120534535\manifest.json
Filesize
132B

MD5
e2e0e30a5061d2e813d389d776cd8ffd

SHA1
90913c06260b62534b42c0e28bac3082cdacd19c

SHA256
7f8c92b4e9da2afa5a089e37797036d18e61e4f02a4885b7887c0b98d464259f

SHA512
000727f5052c846e39c62ae90032db500708e5fec5af24b8cc1f3a9d4102bc7b9be025176f01722a7c72b5e8bf85b0084cab0ebeb00fde03928c4e22869c98cd

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1203275440\manifest.json
Filesize
79B

MD5
7a74e28cea0b1a8f1969ff4ef4430047

SHA1
11cbf0dd7060e36283dea377fdfb1105068eddda

SHA256
8fd032d30c7b9340e45428cfef8aa409a5df1f5a89be46ec0ab92e7ac53cc2ca

SHA512
f5cb2e55c0ef4e56fa12bfffe78829109214aa213c193da2e75a51d6bbf5bcaef1e74bb40e091abfded7bdb076b2c266212abeb05aaa87f4cfda804f581c2b0f

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1626331756\manifest.json
Filesize
43B

MD5
55cf847309615667a4165f3796268958

SHA1
097d7d123cb0658c6de187e42c653ad7d5bbf527

SHA256
54f5c87c918f69861d93ed21544aac7d38645d10a890fc5b903730eb16d9a877

SHA512
53c71b860711561015c09c5000804f3713651ba2db57ccf434aebee07c56e5a162bdf317ce8de55926e34899812b42c994c3ce50870487bfa1803033db9452b7

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1735337063\manifest.json
Filesize
116B

MD5
1b8cb66d14eda680a0916ab039676df7

SHA1
128affd74315d1efd26563efbfbaca2ac1c18143

SHA256
348c0228163b6c9137b2d3f77f9d302bb790241e1216e44d0f8a1cd46d44863c

SHA512
ab2250a93b8ec1110bcb7f45009d5715c5a3a39459d6deead2fbc7d1477e03e2383c37741772e4a6f8c6133f8a79fbabc5759ff9f44585af6659f9bb46fbe5d6

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3112_1744955944\manifest.json
Filesize
76B

MD5
ba25fcf816a017558d3434583e9746b8

SHA1
be05c87f7adf6b21273a4e94b3592618b6a4a624

SHA256
0d664bc422a696452111b9a48e7da9043c03786c8d5401282cff9d77bcc34b11

SHA512
3763bd77675221e323faa5502023dc677c08911a673db038e4108a2d4d71b1a6c0727a65128898bb5dfab275e399f4b7ed19ca2194a8a286e8f9171b3536546f

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-hi.hyb
Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\hyph-nb.hyb
Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3112_666758366\manifest.json
Filesize
179B

MD5
273755bb7d5cc315c91f47cab6d88db9

SHA1
c933c95cc07b91294c65016d76b5fa0fa25b323b

SHA256
0e22719a850c49b3fba3f23f69c8ff785ce3dee233030ed1ad6e6563c75a9902

SHA512
0e375846a5b10cc29b7846b20a5a9193ea55ff802f668336519ff275fb3d179d8d6654fe1d410764992b85a309a3e001cede2f4acdec697957eb71bdeb234bd8

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3112_701845298\manifest.json
Filesize
113B

MD5
b6911958067e8d96526537faed1bb9ef

SHA1
a47b5be4fe5bc13948f891d8f92917e3a11ebb6e

SHA256
341b28d49c6b736574539180dd6de17c20831995fe29e7bc986449fbc5caa648

SHA512
62802f6f6481acb8b99a21631365c50a58eaf8ffdf7d9287d492a7b815c837d6a6377342e24350805fb8a01b7e67816c333ec98dcd16854894aeb7271ea39062

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3112_849674104\manifest.json
Filesize
134B

MD5
58d3ca1189df439d0538a75912496bcf

SHA1
99af5b6a006a6929cc08744d1b54e3623fec2f36

SHA256
a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437

SHA512
afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3112_892484982\manifest.json
Filesize
102B

MD5
8062e1b9705b274fd46fcd2dd53efc81

SHA1
61912082d21780e22403555a43408c9a6cafc59a

SHA256
2f0e67d8b541936adc77ac9766c15a98e9b5de67477905b38624765e447fcd35

SHA512
98609cf9b126c7c2ad29a6ec92f617659d35251d5f6e226fff78fd9f660f7984e4c188e890495ab05ae6cf3fbe9bf712c81d814fbd94d9f62cf4ff13bbd9521a

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
Filesize
16KB

MD5
140e2579c521014e18427b6b631f7ff4

SHA1
6301f2a90760e57988412b08375f7cacdd1f38e1

SHA256
4002e8aac538af80674df4d6a0983fc6902776e8267f05f8d008cb8d39aebe7a

SHA512
676540a9ea4676b363fdbd6f2d3d1695408c0676ef155913ddbb8f88b7ad4bd4704d9b16fc7ef875be328d86468173db04e381f2bb814068ceaaa89fa33db13c

Download Submit
C:\Users\Admin\AppData\Local\OperaGX.exe
Filesize
6.3MB

MD5
cec65de89166089d553a58df927320e5

SHA1
a9932f73e965bec17f58e86315729790423a7056

SHA256
d38dfd0a13823f09febac83dd8a77e346e36ad73b1e7f6c5bb8da49302370a56

SHA512
b66f02d8a441a553e63256f8d2cdbcfef65bd7dbb8248d20ab95d163996d5e386c3e842cf513e272d2a9b6ac6815b909566d2c5d21d4d6bc5325da3dc5b9d7b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe\LocalCache\perUserCache_0\index
Filesize
6KB

MD5
6e19ab252dc58c5dc0b1ff14a5e636ff

SHA1
e4e703cfadc25f3c518400795aa0bbbc3e966f8e

SHA256
1a7252777c1306b48d02013c22e4a22ae36fe2073f535b58b1f08270a22e7c52

SHA512
0bee35742470ae7e0c5ebbedd05dc883cc49ee5ce138035036a8f2f1fb17e91da9007a46c530dce82e11be1a86a0f31d3efbd4cb92f4149be442d47d9cc20934

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera GX Installer Temp\opera_package_202406301154111\additional_file0.tmp
Filesize
1.4MB

MD5
e9a2209b61f4be34f25069a6e54affea

SHA1
6368b0a81608c701b06b97aeff194ce88fd0e3c0

SHA256
e950f17f4181009eeafa9f5306e8a9dfd26d88ca63b1838f44ff0efc738e7d1f

SHA512
59e46277ca79a43ed8b0a25b24eff013e251a75f90587e013b9c12851e5dd7283b6172f7d48583982f6a32069457778ee440025c1c754bf7bb6ce8ae1d2c3fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2406301154110525468.dll
Filesize
5.8MB

MD5
1a4fdbb85e2b99ec1f3ca6e4716ddf62

SHA1
fb4698270b8664980407b932d76a99907ce1033a

SHA256
e9ead6307f9461d7cadf9a37cae959082e08d9d8d98374e4f7ea15ddd5d53b2a

SHA512
a7da63f9d7f95c0984f120f12df31a7051624fc0825a658cc54676b2835ecffc8f549e37d777158925901b520642d0adf1c3e3046302e24a70514266acf04cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Insidious.exe
Filesize
303KB

MD5
cf6fbbd85d69ed42107a937576028fc9

SHA1
d8f2ca741a8f0beb8e89a68407241c5332759303

SHA256
644455284cd1e2188564dcea09cc0d09448423c9bfdeb9d05a834600d593ec1a

SHA512
562f8004f6d406ed596ff2ad7487f616f1abb98d415d70d87c18f11f364b35a40b959800085966b1680737e6bc7e3793d3b8c60046ea680dc87a673badeab94e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SolaraBootstrapper.exe
Filesize
13KB

MD5
6557bd5240397f026e675afb78544a26

SHA1
839e683bf68703d373b6eac246f19386bb181713

SHA256
a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239

SHA512
f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\get-intrinsic\.nycrc
Filesize
139B

MD5
d0104f79f0b4f03bbcd3b287fa04cf8c

SHA1
54f9d7adf8943cb07f821435bb269eb4ba40ccc2

SHA256
997785c50b0773e5e18bf15550fbf57823c634fefe623cd37b3c83696402ad0a

SHA512
daf9b5445cfc02397f398adfa0258f2489b70699dfec6ca7e5b85afe5671fdcabe59edee332f718f5e5778feb1e301778dffe93bb28c1c0914f669659bad39c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\has-proto\.eslintrc
Filesize
43B

MD5
c28b0fe9be6e306cc2ad30fe00e3db10

SHA1
af79c81bd61c9a937fca18425dd84cdf8317c8b9

SHA256
0694050195fc694c5846b0a2a66b437ac775da988f0a779c55fb892597f7f641

SHA512
e3eca17804522ffa4f41e836e76e397a310a20e8261a38115b67e8b644444153039d04198fb470f45be2997d2c7a72b15bd4771a02c741b3cbc072ea6ef432e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\hasown\.nycrc
Filesize
216B

MD5
c2ab942102236f987048d0d84d73d960

SHA1
95462172699187ac02eaec6074024b26e6d71cff

SHA256
948366fea3b423a46366326d0bb2e54b08abd1cf0b243678ba6625740c40da5a

SHA512
e36b20c16ceeb090750f3865efc8d7fd983ae4e8b41c30cc3865d2fd4925bf5902627e1f1ed46c0ff2453f076ef9de34be899ef57754b29cd158440071318479

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\Monaco\fileaccess\node_modules\vary\LICENSE
Filesize
1KB

MD5
13babc4f212ce635d68da544339c962b

SHA1
4881ad2ec8eb2470a7049421047c6d076f48f1de

SHA256
bd47ce7b88c7759630d1e2b9fcfa170a0f1fde522be09e13fb1581a79d090400

SHA512
40e30174433408e0e2ed46d24373b12def47f545d9183b7bce28d4ddd8c8bb528075c7f20e118f37661db9f1bba358999d81a14425eb3e0a4a20865dfcb53182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe
Filesize
90KB

MD5
d84e7f79f4f0d7074802d2d6e6f3579e

SHA1
494937256229ef022ff05855c3d410ac3e7df721

SHA256
dcfc2b4fa3185df415855ec54395d9c36612f68100d046d8c69659da01f7d227

SHA512
ed7b0ac098c8184b611b83158eaa86619001e74dba079d398b34ac694ce404ba133c2baf43051840132d6a3a089a375550072543b9fab2549d57320d13502260

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json
Filesize
3KB

MD5
6bbb18bb210b0af189f5d76a65f7ad80

SHA1
87b804075e78af64293611a637504273fadfe718

SHA256
01594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c

SHA512
4788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\CertificateRevocation\6498.2023.8.1\crl-set
Filesize
21KB

MD5
d246e8dc614619ad838c649e09969503

SHA1
70b7cf937136e17d8cf325b7212f58cba5975b53

SHA256
9dd9fba7c78050b841643e8d12e58ba9cca9084c98039f1ebff13245655652e1

SHA512
736933316ee05520e7839db46da466ef94e5624ba61b414452b818b47d18dcd80d3404b750269da04912dde8f23118f6dfc9752c7bdf1afc5e07016d9c055fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Crashpad\settings.dat
Filesize
280B

MD5
5fb3f64824e003378ce625bd81d681c9

SHA1
3aa1251cac229d253db58387245b97580a047e9c

SHA256
153c53ae5fff1907e6629aa15b4afe30767139594278c677ac136e40a9eab0c7

SHA512
b27a0230c855db769f5a6e89025f931d2d45d84408c5e441d6306145679c1a4981798c531bfeb03ac02178fbee7f9ee652cec7a9fdbced16d08021618cfca613

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\DawnGraphiteCache\data_1
Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_0
Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2
Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_3
Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Extension Rules\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Network\Network Persistent State
Filesize
1KB

MD5
6e4d8b3e6f65830254eedad36c5a4a9d

SHA1
36af04754488460f866ec36231036a350c7b51e3

SHA256
47865dc8950d07ee1f7211d1d9c4626d8fe16b525720eb52cd4f024e8a3cb404

SHA512
fa62d79d45587f9512335f1475e360f131a3b7c199fb1802588556841372712fd351a1f490bb0b2f9596810785b4baae2a414c2c1cac5b0dc0f037746c3a8622

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Network\Network Persistent State~RFe5e90c4.TMP
Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Preferences
Filesize
6KB

MD5
266ff3db4cd88e7939c4d6ed8b8223ba

SHA1
c31db1327949f7c6cf99fe357ed5214e8ea29ff7

SHA256
6d64441e569d6bc553630b91ab0f10a008b6d76a3da418bb992851befc4a205a

SHA512
be9f8bd325ac6b0432614ae113df7ed4d2d784c76e40b99fd29b45549a3875f280d044c6b92e5c1ac87ba9de410268059f666bdd6fdf3445d5ac04e406b8573e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Preferences
Filesize
6KB

MD5
89e3485701cd91b490d736c9d36c4309

SHA1
e1aecacfea8df4e6bd366e0c7f5ce0886541291c

SHA256
76d41be69cf5c2eadeab240a88cc7c0be1012d10f73dd6c64199bee23262b4a6

SHA512
e22f57fd1b9a77910bdce93eb916f7e2cc09eac467e509874e4f0e8fa4f3b9b43daeb1ebac0b7e093166e706b1bb24342099ddeb316f1635049a01463180fa30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\Site Characteristics Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Default\bbbfb664-fdbc-4891-8976-9782b36d58f2.tmp
Filesize
6KB

MD5
39f809e1d3201c61a909ec423dde0c21

SHA1
b9075b70ab62fb8cf0900dba5f1fab9c7e9b1808

SHA256
0702eda2d0e0d5da4786bb2c3b2dbfe5ed1ad3330b050f2e6236bc161594d3ac

SHA512
83012292931a59c6924dc8f9ebc4ecbaded626d3d9adb55818ca27179099be8fca7eda1ff175bd0b6a0c3a21fe0caa46be8400c06cdf3d4b8a49425465fab598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Local State
Filesize
1KB

MD5
4adbcd72107541260e0c88974656d6ce

SHA1
cbe16ff78d883718c3bbff3eafe470349bf4b3aa

SHA256
26334fa47714841d4d4532d055aacf710a2fe880d33b7edfd6abfea05e7f9b8f

SHA512
880a826050feb70f4f750292ee9ee28a0eef50a3e14639cf1caef0894494ff1e74c110eebb5b082e3bccdb7018acc8ed97d4f618a1bd3233440dc9429a8291af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Local State
Filesize
2KB

MD5
949fb6fca3655b4101567d1d0b153370

SHA1
8ccc66e984f75cdee0c90581b56df7a69c401a5a

SHA256
26d7814cc5c1342db257ef90c9f70413cf0bdbf106009fc50d5fc75689382996

SHA512
78a0fb09ee39e813c19650b7facfba537a0f51bb03aa9f6cc3326ae3b70b7ae2e99d364e8d0b168c3cd81eed290b6b5474cbb5e4135f057c8c4996aa7f06894e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Local State
Filesize
3KB

MD5
aad34aadc23ec6943d8a6cdedc0ef00b

SHA1
ee41a18ad81518a295b8365482e302862a4ce64e

SHA256
24c74f4d45b3c174741efd095a8f0c0c1580b8a0b9e4ca01b09367e8d137884b

SHA512
2763bafce92d9a0d0397b0624b7c9334ad46b8f8d4c2afda7f90b46e5bf63584f7d914f9edfe9c7f9a942f59f5d005ebd030a3cd455ff205bd9f159920e47ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Local State
Filesize
16KB

MD5
172b375f4e18584ea58ddaa9767e2ff1

SHA1
c138b64e1febbdd5111944587028e85c86be1771

SHA256
d97998d10fb0ab7dbd49406e59a7229aeb2025232ccf981d867bb5de63506152

SHA512
922811afacfa15ab8db8ca5e0bc4946e6d926f7b2cff9a167bf9cfb8e0deb1fa597f111008fd0ca841edb2928ea41e65768440e29a7ea5e4dc1e95efc955050d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Local State
Filesize
18KB

MD5
44bfb483231610097447f6be64aa42c9

SHA1
a0c7b1ae51a14ae9753d17db797efd9367e7fc4f

SHA256
3854cdde2353e3cd81b5263c7099630c8499d84c18a463da70511b00961f37a9

SHA512
b06b04e2b572f6bbdc7772420b61cf5118168bfad9dc1a9cc7e7bec0ac8265b4ef25993c2d58746dbbf558badc80ea79f549b96fd3c2f00357b2ca6f12dbe87f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Local State~RFe5d766b.TMP
Filesize
1KB

MD5
2975aaa88ff70c6117df980b58ece002

SHA1
42f30026653ddd28c173e69a9fceb5b06924cccd

SHA256
ede8584e8bd542851ff5aa887d21b2c33625f73a66888751f03cebf3474afcb5

SHA512
cfc0143a3eb1b4325dff14306c0c331473d9566d23f9f44ae34d9e00c1bde157f590abb9ac19ae9a1d0175c1ab642b645be0e1a38f6af20197dd623f00f27081

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\PKIMetadata\13.0.0.0\crs.pb
Filesize
278KB

MD5
981a9155cad975103b6a26acef33a866

SHA1
1965290a94d172c4def1ac7199736c26dccca33e

SHA256
971393390616fbe53c63865274a40a0b4a8e731c529664275bdc764f09a28e2d

SHA512
2d75ce25cb3a78f69f90fbd23f6e5c9f1a6ed92025f83ce0ab3e0320b64130d586fc2cd960f763e1ab2c82d35ef9650ebd7ff2a42a928a293e0e7428cc669119

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\PKIMetadata\13.0.0.0\kp_pinslist.pb
Filesize
11KB

MD5
d43d041e531dc757a69a90cb657ef437

SHA1
09138b427565bc276cfd3ba9f59b0c8bad78e91d

SHA256
9431360a5534ad2f8eddde157cce39704b99da035fcb6d2cca11220700b11ccb

SHA512
476a98122059b9cc19492b7ae557c61381842c8c347f85c686e0a493bfd0e8707ce3491b690e7978b3fb7d7d2a4daa2767e4a590398a50562519bf32e8d12ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Subresource Filter\Unindexed Rules\10.34.0.54\Filtering Rules
Filesize
1.8MB

MD5
a97ea939d1b6d363d1a41c4ab55b9ecb

SHA1
3669e6477eddf2521e874269769b69b042620332

SHA256
97115a369f33b66a7ffcfb3d67c935c1e7a24fc723bb8380ad01971c447cfa9f

SHA512
399cb37e5790effcd4d62b9b09f706c4fb19eb2ab220f1089698f1e1c6f1efdd2f55d9f4c6d58ddbcc64d7a7cf689ab0dbbfae52ce96d5baa53c43775e018279

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Subresource Filter\Unindexed Rules\10.34.0.54\LICENSE
Filesize
24KB

MD5
aad9405766b20014ab3beb08b99536de

SHA1
486a379bdfeecdc99ed3f4617f35ae65babe9d47

SHA256
ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d

SHA512
bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Advertising
Filesize
24KB

MD5
131857baba78228374284295fcab3d66

SHA1
180e53e0f9f08745f28207d1f7b394455cf41543

SHA256
b1666e1b3d0b31e147dc047e0e1c528939a53b419c6be4c8278ee30a0a2dbd49

SHA512
c84c3794af8a3a80bb8415f18d003db502e8cb1d04b555f1a7eef8977c9f24e188ae28fc4d3223b52eab4046342b2f8fd0d7461130f3636609214a7b57f49cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Analytics
Filesize
4KB

MD5
da298eacf42b8fd3bf54b5030976159b

SHA1
a976f4f5e2d81f80dc0e8a10595190f35e9d324b

SHA256
3abd2e1010e8824f200878942e0850d6e2620a2f0f15b87d32e2451fdda962ec

SHA512
5bf24c2df7cc12c91d1fb47802dbac283244c1010baa68bfae9eb5eb8ee25758156bb1e21f6cc3f55e7d71e5c330888ffd41469b2630eb86237c9970d7ede75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\CompatExceptions
Filesize
689B

MD5
108de320dc5348d3b6af1f06a4374407

SHA1
90aa226d3c9d50cf4435ecdd2b8b0086d8edeb8b

SHA256
5b462316a51c918d0bae95959bf827cb9c72bbd84ffb0e43b750aa91fbf3ba53

SHA512
70f30c45e20b7cddd0cba6476af9338975cec8e40b8b19603af5fa859a34c6eb2138957daaa263633fe65213e2186402d05d9d29ad53e8f311335555116314c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Content
Filesize
6KB

MD5
97ea4c3bfaadcb4b176e18f536d8b925

SHA1
61f2eae05bf91d437da7a46a85cbaa13d5a7c7af

SHA256
72ec1479e9cc7f90cf969178451717966c844889b715dff05d745915904b9554

SHA512
5a82729fd2dce487d5f6ac0c34c077228bee5db55bf871d300fcbbd2333b1ee988d5f20ef4d8915d601bd9774e6fa782c8580edca24a100363c0cdce06e5503f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Cryptomining
Filesize
1KB

MD5
16779f9f388a6dbefdcaa33c25db08f6

SHA1
d0bfd4788f04251f4f2ac42be198fb717e0046ae

SHA256
75ad2a4d85c1314632e3ac0679169ba92ef0a0f612f73a80fdd0bc186095b639

SHA512
abd55eff87b4445694b3119176007f71cf71c277f20ea6c4dcadfb027fdce78f7afbcf7a397bd61bd2fa4bc452e03087a9e0e8b9cc5092ec2a631c1ebb00ee25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Entities
Filesize
68KB

MD5
571c13809cc4efaff6e0b650858b9744

SHA1
83e82a841f1565ad3c395cbc83cb5b0a1e83e132

SHA256
ab204851f39da725b5a73b040519c2e6aaf52cb7a537c75802cb25248d02ec1b

SHA512
93ff4625866abf7cd96324528df2f56ecb358235ff7e63438ac37460aeb406a5fb97084e104610bb1d7c2e8693cabedc6239b95449e9abb90252a353038cb2a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Fingerprinting
Filesize
1KB

MD5
b46196ad79c9ef6ddacc36b790350ca9

SHA1
3df9069231c232fe8571a4772eb832fbbe376c23

SHA256
a918dd0015bcd511782ea6f00eed35f77456944981de7fd268471f1d62c7eaa3

SHA512
61d6da8ee2ca07edc5d230bdcbc5302a2c6e3a9823e95ccfd3896d2e09a0027fece76f2c1ea54e8a8c4fa0e3cf885b35f3ff2e6208bf1d2a2757f2cbcdf01039

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\LICENSE
Filesize
34KB

MD5
d32239bcb673463ab874e80d47fae504

SHA1
8624bcdae55baeef00cd11d5dfcfa60f68710a02

SHA256
8ceb4b9ee5adedde47b31e975c1d90c73ad27b6b165a1dcd80c7c545eb65b903

SHA512
7633623b66b5e686bb94dd96a7cdb5a7e5ee00e87004fab416a5610d59c62badaf512a2e26e34e2455b7ed6b76690d2cd47464836d7d85d78b51d50f7e933d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Other
Filesize
34B

MD5
cd0395742b85e2b669eaec1d5f15b65b

SHA1
43c81d1c62fc7ff94f9364639c9a46a0747d122e

SHA256
2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707

SHA512
4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\Social
Filesize
355B

MD5
4c817c4cb035841975c6738aa05742d9

SHA1
1d89da38b339cd9a1aadfc824ed8667018817d4e

SHA256
4358939a5a0b4d51335bf8f4adb43de2114b54f3596f9e9aacbdb3e52bef67e6

SHA512
fa8e1e8aa00bf83f16643bf6a22c63649402efe70f13cd289f51a6c1172f504fedd7b63fc595fb867ecb9d235b8a0ea032b03d861ebb145f0f6a7d5629df8486

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Mu\TransparentAdvertisers
Filesize
105B

MD5
57d5a3548911886de2f3bd3172e808ed

SHA1
ca932af3b25f245ce931fbc6cf10299e5fbe35a7

SHA256
d2cd0bef5f45daf490c53e705d6f67dfe12390c72a00efa6f5117432bd8edb8c

SHA512
933194509d305b2a60b38c149ba1d74e142ef15647242b287844d263006d33ffa38b6ea263c89cb821a9277d41f0cfda95a0eda830f3a5ef8df5ba80d3bbc818

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Advertising
Filesize
2KB

MD5
326ddffc1f869b14073a979c0a34d34d

SHA1
df08e9d94ad0fad7cc7d2d815ee7d8b82ec26e63

SHA256
d4201efd37aec4552e7aa560a943b4a8d10d08af19895e6a70991577609146fb

SHA512
3822e64ca9cf23e50484afcc2222594b4b2c7cd8c4e411f557abea851ae7cbd57f10424c0c9d8b0b6a5435d6f28f3b124c5bc457a239f0a2f0caf433b01da83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Analytics
Filesize
432B

MD5
01f1f3c305218510ccd9aaa42aee9850

SHA1
fbf3e681409d9fb4d36cba1f865b5995de79118c

SHA256
62d7286cd7f74bdfda830ee5a48bce735ee3661bda8ceac9903b5627cbd0b620

SHA512
e5b665e981f702a4a211d0569bb0bc42e3c29b76b3f75aaf8dc173f16f18f7c443f5cf0ccf1550df3aa2b151e607969c2c90ab1a6e7a910dfeb83854cea4e690

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Content
Filesize
48B

MD5
7b0b4a9aafc18cf64f4d4daf365d2d8d

SHA1
e9ed1ecbec6cccfefe00f9718c93db3d66851494

SHA256
0b55eb3f97535752d3c1ef6cebe614b9b67dddfcfd3c709b84c6ecad6d105d43

SHA512
a579069b026ed2aaef0bd18c3573c77bfb5e0e989c37c64243b12ee4e59635aaa9d9c9746f82dcc16ca85f091ec4372c63e294c25e48dfffbed299567149c4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Cryptomining
Filesize
32B

MD5
4ec1eda0e8a06238ff5bf88569964d59

SHA1
a2e78944fcac34d89385487ccbbfa4d8f078d612

SHA256
696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5

SHA512
c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Entities
Filesize
42KB

MD5
f446eb7054a356d9e803420c8ec41256

SHA1
98a1606a2ba882106177307ae11ec76cfb1a07ee

SHA256
4dc67d4b882621a93ffdb21a198a48a0bc491148c91208cf440af5f0de3ef640

SHA512
3cc3a521b297e4f48ed4ba29866a5ade380c9f0c06d85bea4140e24b05c6762d645df3d03d0a7058383b559baa3ae34ad3ed2b06017e91a061632862911a823b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Fingerprinting
Filesize
172B

MD5
3852430540e0356d1ba68f31be011533

SHA1
d3f622450bcf0ced36d9d9c0aad630ebccfcb7ff

SHA256
f1f413704c32a28a31a646f60cad36cc2da793e143f70eee72ae56f736df8054

SHA512
7a4faa493c141ea88d6cd933dfc0b50ef6d25983323db2b931c7512e039859d60c4935e56b771264ca72b45c035b1962ad8680d616eaaf04fbc5a6e0b674e435

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\LICENSE
Filesize
66B

MD5
5b7baf861a48c045d997992424b5877b

SHA1
2b2bd9a13afe49748abf39faf9eb29ed658f066e

SHA256
44071e0fcffb9a9a32e8fa7010bb18dbc41afd0b176f81bf700b15b638a88a51

SHA512
4820b41aa5ff4d934a583e1f0b93b1512631102bb2dfdb74792a2f0dcf9907da7680c02a5ddd2492a1e6d58cdada3453d9e38bb8deab6ce831ff36a7f8de016c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Other
Filesize
91B

MD5
09cedaa60eab8c7d7644d81cf792fe76

SHA1
e68e199c88ea96fcb94b720f300f7098b65d1858

SHA256
c8505ea2fe1b8f81a1225e4214ad07d8d310705be26b3000d7df8234e0d1f975

SHA512
564f8e5c85208adabb4b10763084b800022bb6d6d74874102e2f49cc8f17899ce18570af1f462aa592a911e49086a2d1c2d750b601eedd2f61d1731689a0a403

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Social
Filesize
3KB

MD5
318801ce3611c0d25c65b809dd9b5b3c

SHA1
b9d07f2aa9da1d83180dc24459093e20fe9cf1d8

SHA256
2458da5d79b393459520e1319937cfc39caadbc2294f175659fae5df804e1d03

SHA512
7daff0253da90f35bf00141b53d39c7cadacf451a7ecf1667c4ca6e8aed59a0c4a6b44ddc2afffa690e12c2134eddb9f46f72e4317ce99c307d9e524a5fd1103

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\Sigma\Staging
Filesize
16KB

MD5
39bdf35ac4557a2d2a4efdeeb038723e

SHA1
9703ca8af3432b851cb5054036de32f8ba7b083f

SHA256
04441a10b0b1deee7996e298949ac3b029bd7c24257faf910fe14f9996ba12ae

SHA512
732337f7b955e6acaf1e3aaa3395bc44c80197d204bd3cbb3e201b6177af6153cc9d7b22ad0e90b36796f92b0022806c32ac763eaec733b234503890900bf284

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\Trust Protection Lists\1.0.0.26\manifest.fingerprint
Filesize
66B

MD5
fc8af1e27127535b4eea55c8c2285865

SHA1
dc9fb2a8fe358f84f4f2749460ef15507e7ecb07

SHA256
c76f988dee6149c0c21f7f657688a7fcaa20b0dc83881efe14d58d9be3f5236b

SHA512
ec847bd27383c37cd67d9204e5dc55256ca0303c0d7696558de650b569ef8f9eb747603180ae6561f884bbe6eb519a23c18fa4a646c43d58799f01744c2b9de3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\TrustTokenKeyCommitments\2024.6.20.1\keys.json
Filesize
6KB

MD5
595a80c921652ccf09afd0b196fe3a94

SHA1
e4ae3f8b880e57b64c6e899505a4ad1ec99d6d6b

SHA256
7d9965e3d4c47a32fa6d7b290704f22382b70b80e414ce091eb0b0964dc509a3

SHA512
0dec0a48f2d13100e07a114dd288370a4449cc347162d6febc8b9b1dc66dccacec6bee79b7d42123c12c7500881e31f30cab5ef3f77029493546cf262de583cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Solara.Dir\cd57e4c171d6e8f5ea8b8f824a6a7316.exe.WebView2\EBWebView\hyphen-data\101.0.4906.0\hyph-as.hyb
Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_co3z1wqj.ou5.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll
Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll
Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll
Filesize
5.7MB

MD5
38cc1b5c2a4c510b8d4930a3821d7e0b

SHA1
f06d1d695012ace0aef7a45e340b70981ca023ba

SHA256
c2ba8645c5c9507d422961ceaeaf422adf6d378c2a7c02199ed760fb37a727f2

SHA512
99170f8094f61109d08a6e7cf25e7fba49160b0009277d10e9f0b9dac6f022e7a52e3d822e9aee3f736c2d285c4c3f62a2e6eb3e70f827ac6e8b867eea77f298

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll
Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll
Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll
Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll
Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll
Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll
Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll
Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll
Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll
Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll
Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll
Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
Filesize
26KB

MD5
cef027c3341afbcdb83c72080df7f002

SHA1
e538f1dd4aee8544d888a616a6ebe4aeecaf1661

SHA256
e87db511aa5b8144905cd24d9b425f0d9a7037fface3ca7824b7e23cfddbbbb7

SHA512
71ba423c761064937569922f1d1381bd11d23d1d2ed207fc0fead19e9111c1970f2a69b66e0d8a74497277ffc36e0fc119db146b5fd068f4a6b794dc54c5d4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll
Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html
Filesize
1KB

MD5
9ba0a91b564e22c876e58a8a5921b528

SHA1
8eb23cab5effc0d0df63120a4dbad3cffcac6f1e

SHA256
2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941

SHA512
38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis
Filesize
291B

MD5
bf5328e51e8ab1211c509b5a65ab9972

SHA1
480dfb920e926d81bce67113576781815fbd1ea4

SHA256
98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b

SHA512
92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll
Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll
Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll
Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico
Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll
Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll
Filesize
5.6MB

MD5
b431083586e39d018e19880ad1a5ce8f

SHA1
3bbf957ab534d845d485a8698accc0a40b63cedd

SHA256
b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

SHA512
7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll
Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\link.txt
Filesize
57B

MD5
6451f65baccc4a25701f3237444d6fe8

SHA1
61b9032ad5d1169f25c9a4c70be92740495589de

SHA256
8b47bcbe751afe96009ad5653fd3ef1bccdf94574ae8afebb810998f1088046b

SHA512
2501943f9da53830050c55d5419bbe6adffd805df4a2688592fc54f8068f8d15f1342574e116ee05340e50f72dc84ea29bb9d1792f37459dc56eeb289fe7c988

Download Submit
C:\Users\Admin\AppData\Local\setup74840825.exe
Filesize
3.8MB

MD5
29d3a70cec060614e1691e64162a6c1e

SHA1
ce4daf2b1d39a1a881635b393450e435bfb7f7d1

SHA256
cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72

SHA512
69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
5KB

MD5
626715c6b19ab780a731ab4248457841

SHA1
f89a34971103ee94118b729ca723805076ecd15d

SHA256
3ed60854147012245357ba257790236ef0e65b371ed7bce5f4e0b306e71d62b7

SHA512
d5594edc827998577c5b1fe1c6d1615d788d1a2ff53a26181431023ac1b60fcc01f3638481ff566c161c968545a2e430551ba826e5fe6dae411f165afb8ab0e3

Download Submit
memory/872-2165-0x000001CB62C60000-0x000001CB62CFB000-memory.dmp

Filesize
620KB

Download
memory/872-1997-0x00007FFEF4EC0000-0x00007FFEF4EC1000-memory.dmp

Filesize
4KB

Download
memory/920-2050-0x00007FFEF4200000-0x00007FFEF4201000-memory.dmp

Filesize
4KB

Download
memory/920-2049-0x00007FFEF41C0000-0x00007FFEF41C1000-memory.dmp

Filesize
4KB

Download
memory/2352-401-0x0000000006E70000-0x0000000006F20000-memory.dmp

Filesize
704KB

Download
memory/2352-405-0x0000000007360000-0x000000000737E000-memory.dmp

Filesize
120KB

Download
memory/2352-402-0x00000000072E0000-0x0000000007356000-memory.dmp

Filesize
472KB

Download
memory/2352-406-0x0000000007810000-0x0000000007B64000-memory.dmp

Filesize
3.3MB

Download
memory/2352-407-0x0000000007C80000-0x0000000007D1C000-memory.dmp

Filesize
624KB

Download
memory/2352-408-0x000000000CBA0000-0x000000000CBA8000-memory.dmp

Filesize
32KB

Download
memory/2352-413-0x00000000101D0000-0x0000000010356000-memory.dmp

Filesize
1.5MB

Download
memory/2856-467-0x00000000055C0000-0x00000000055D2000-memory.dmp

Filesize
72KB

Download
memory/2856-464-0x0000000000220000-0x000000000022A000-memory.dmp

Filesize
40KB

Download
memory/2856-465-0x00000000024C0000-0x00000000024CA000-memory.dmp

Filesize
40KB

Download
memory/3168-1959-0x0000020E43240000-0x0000020E4377C000-memory.dmp

Filesize
5.2MB

Download
memory/3168-2453-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-2178-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-2175-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-2200-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-2204-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-2207-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-1971-0x0000020E46C40000-0x0000020E46C78000-memory.dmp

Filesize
224KB

Download
memory/3168-2168-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-2238-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-2243-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-1923-0x0000020E285B0000-0x0000020E285CA000-memory.dmp

Filesize
104KB

Download
memory/3168-2140-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-2141-0x00007FFEE6320000-0x00007FFEE6344000-memory.dmp

Filesize
144KB

Download
memory/3168-1970-0x0000020E42CC0000-0x0000020E42CC8000-memory.dmp

Filesize
32KB

Download
memory/3168-1967-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-2467-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-2471-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-1960-0x0000020E42DF0000-0x0000020E42EAA000-memory.dmp

Filesize
744KB

Download
memory/3168-2173-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-1961-0x0000020E42EB0000-0x0000020E42F62000-memory.dmp

Filesize
712KB

Download
memory/3168-3365-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-1962-0x0000020E42C20000-0x0000020E42C42000-memory.dmp

Filesize
136KB

Download
memory/3168-1963-0x0000020E2A430000-0x0000020E2A43E000-memory.dmp

Filesize
56KB

Download
memory/3168-1964-0x0000020E431B0000-0x0000020E4322E000-memory.dmp

Filesize
504KB

Download
memory/3168-1965-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-1972-0x0000020E46C00000-0x0000020E46C0E000-memory.dmp

Filesize
56KB

Download
memory/3168-1966-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/3168-1968-0x0000000180000000-0x0000000180B0D000-memory.dmp

Filesize
11.1MB

Download
memory/4112-2114-0x00007FFEF4EC0000-0x00007FFEF4EC1000-memory.dmp

Filesize
4KB

Download
memory/4112-2170-0x000001F751570000-0x000001F75160B000-memory.dmp

Filesize
620KB

Download
memory/4480-1932-0x00000292DD330000-0x00000292DD382000-memory.dmp

Filesize
328KB

Download
memory/4820-2574-0x00000000008E0000-0x0000000000A16000-memory.dmp

Filesize
1.2MB

Download
memory/5068-399-0x0000000006330000-0x0000000006368000-memory.dmp

Filesize
224KB

Download
memory/5068-398-0x0000000005F00000-0x0000000005F08000-memory.dmp

Filesize
32KB

Download
memory/5068-397-0x00000000005E0000-0x00000000016E6000-memory.dmp

Filesize
17.0MB

Download
memory/5068-400-0x0000000005F10000-0x0000000005F1E000-memory.dmp

Filesize
56KB

Download
memory/5236-62-0x00000000054E0000-0x000000000550E000-memory.dmp

Filesize
184KB

Download
memory/5236-103-0x00000000055F0000-0x00000000055FA000-memory.dmp

Filesize
40KB

Download
memory/5236-15-0x000000007185E000-0x000000007185F000-memory.dmp

Filesize
4KB

Download
memory/5236-197-0x0000000006C30000-0x0000000006CC2000-memory.dmp

Filesize
584KB

Download
memory/5236-190-0x0000000007B20000-0x00000000080D4000-memory.dmp

Filesize
5.7MB

Download
memory/5236-180-0x0000000006FB0000-0x0000000007554000-memory.dmp

Filesize
5.6MB

Download
memory/5236-175-0x00000000069D0000-0x00000000069DC000-memory.dmp

Filesize
48KB

Download
memory/5236-166-0x0000000006500000-0x0000000006854000-memory.dmp

Filesize
3.3MB

Download
memory/5236-165-0x00000000064D0000-0x00000000064F2000-memory.dmp

Filesize
136KB

Download
memory/5236-164-0x00000000063C0000-0x00000000063CA000-memory.dmp

Filesize
40KB

Download
memory/5236-159-0x0000000006440000-0x00000000064CC000-memory.dmp

Filesize
560KB

Download
memory/5236-146-0x0000000005D40000-0x0000000005D52000-memory.dmp

Filesize
72KB

Download
memory/5236-54-0x00000000054B0000-0x00000000054D8000-memory.dmp

Filesize
160KB

Download
memory/5236-291-0x0000000071850000-0x0000000072000000-memory.dmp

Filesize
7.7MB

Download
memory/5236-16-0x00000000006B0000-0x0000000000A88000-memory.dmp

Filesize
3.8MB

Download
memory/5236-65-0x0000000071850000-0x0000000072000000-memory.dmp

Filesize
7.7MB

Download
memory/5236-79-0x00000000055A0000-0x00000000055D2000-memory.dmp

Filesize
200KB

Download
memory/5236-87-0x0000000005540000-0x000000000555A000-memory.dmp

Filesize
104KB

Download
memory/5236-95-0x0000000005610000-0x0000000005634000-memory.dmp

Filesize
144KB

Download
memory/5236-220-0x0000000006990000-0x00000000069BE000-memory.dmp

Filesize
184KB

Download
memory/5236-111-0x0000000005680000-0x0000000005688000-memory.dmp

Filesize
32KB

Download
memory/5236-119-0x00000000056D0000-0x00000000056FC000-memory.dmp

Filesize
176KB

Download
memory/5236-129-0x0000000005660000-0x000000000567D000-memory.dmp

Filesize
116KB

Download
memory/5236-38-0x0000000005430000-0x0000000005444000-memory.dmp

Filesize
80KB

Download
memory/5236-71-0x0000000005570000-0x0000000005598000-memory.dmp

Filesize
160KB

Download
memory/5236-46-0x0000000005480000-0x00000000054A4000-memory.dmp

Filesize
144KB

Download
memory/5304-3116-0x00000272E7060000-0x00000272E706A000-memory.dmp

Filesize
40KB

Download
memory/5304-3108-0x00000272E6FF0000-0x00000272E7034000-memory.dmp

Filesize
272KB

Download
memory/5304-3109-0x00000272E70C0000-0x00000272E7136000-memory.dmp

Filesize
472KB

Download
memory/5304-3115-0x00000272E7040000-0x00000272E7056000-memory.dmp

Filesize
88KB

Download
memory/5304-3117-0x00000272E7170000-0x00000272E7196000-memory.dmp

Filesize
152KB

Download
memory/5716-288-0x00000000009F0000-0x00000000009FC000-memory.dmp

Filesize
48KB

Download
memory/6304-2502-0x0000023285080000-0x0000023285081000-memory.dmp

Filesize
4KB

Download
memory/6304-2503-0x0000023285080000-0x0000023285081000-memory.dmp

Filesize
4KB

Download
memory/6304-2501-0x0000023285080000-0x0000023285081000-memory.dmp

Filesize
4KB

Download
memory/6304-2494-0x0000023285080000-0x0000023285081000-memory.dmp

Filesize
4KB

Download
memory/6304-2500-0x0000023285080000-0x0000023285081000-memory.dmp

Filesize
4KB

Download
memory/6304-2495-0x0000023285080000-0x0000023285081000-memory.dmp

Filesize
4KB

Download
memory/6304-2496-0x0000023285080000-0x0000023285081000-memory.dmp

Filesize
4KB

Download