hxxps://www[.]vegax[.]gg/

Analysis

max time kernel
272s
max time network
273s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
05/08/2024, 22:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.vegax.gg/

Score

8^/10

defense_evasion discovery evasion spyware stealer trojan

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
2860	Vega X Windows_89637424.exe
444	setup89637424.exe
4684	setup89637424.exe
2836	OfferInstaller.exe
840	glgiqgpa.ixl.exe
1920	setup.exe
2976	setup.exe
2416	setup.exe
4748	setup.exe
1564	setup.exe
1580	Assistant_112.0.5197.30_Setup.exe_sfx.exe
904	assistant_installer.exe
3352	assistant_installer.exe
2372	RobloxPlayerInstaller.exe

Loads dropped DLL 64 IoCs

pid	Process
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe
4684	setup89637424.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup89637424.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup89637424.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup89637424.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup89637424.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup89637424.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup89637424.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup89637424.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup89637424.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerInstaller.exe

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
428	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Emotes\Editor\Small\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\AvatarEditorImages\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Controls\XboxController\ButtonLS.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\AnimationEditor\img_key_border.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\DeveloperFramework\Votes\rating_up_yellow_darker.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\LayeredClothingEditor\AddIcon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\MenuBar\icon_menu.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Lobby\Buttons\glow_nine_slice.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\PlayerList\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\ExtraContent\places\UserSafetyTest.rbxl	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\models\Thumbnails\Mannequins\R6.rbxm	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Settings\Help\UseToolGesture.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\PathEditor\Control_Point.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\MenuBar\icon_minimize.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\PlayerList\BlockedIcon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\TagEditor\TagEditorPluginIcon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\TagEditor\VisibilityOffLightTheme.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\chatBubble_white_notify_bkg.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Controls\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\SelfView\SelfView_icon_camera_enabled.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\StudioUIEditor\icon_rotate7.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ManageCollaborators\closeWidget_light.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\PlatformContent\pc\textures\water\normal_02.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\ErrorPrompt\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\ScreenshotHud\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\families\RobotoMono.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\transformFiveDegrees.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\particles\sparkles_main.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\WarningIcon.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\InspectMenu\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Menu\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\fonts\families\LegacyArial.json	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\Debugger\Breakpoints\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Controls\DesignSystem\ButtonR3.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Lobby\Buttons\nine_slice_button.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\sky\cloudsfb.dds	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\MenuBar\icon_minimize.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Controls\xboxLB.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\MaterialCursor.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\TerrainTools\mtrl_water_2022.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Controls\XboxController\ButtonSelect.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\ButtonRightDown.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Slider-Fill-Right-Cap.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Controls\PlayStationController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\InspectMenu\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\LegacyRbxGui\scroll.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\AnimationEditor\img_eventGroupMarker_border.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\MaterialManager\Fill.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\ExtraContent\places\RhodiumUnitTest.rbxl	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ControlsEmulator\PlayStation4_Default.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\RecordDown.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Emotes\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Scroll\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\DeveloperFramework\button_arrow_right.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\MaterialFramework\Dark\Material.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Controls\DesignSystem\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\InGameMenu\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\StudioToolbox\AudioPreview\pause_hover.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\StudioToolbox\Voting\thumbup.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Backpack\Backpack.png	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Controls\XboxController\[email protected]	RobloxPlayerInstaller.exe
File created	C:\Program Files (x86)\Roblox\Versions\version-01a570a3cd0a46f2\content\textures\ui\Emotes\Editor\Large\Wheel.png	RobloxPlayerInstaller.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Vega X Windows_89637424.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vega X Windows_89637424.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_112.0.5197.30_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup89637424.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OfferInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	glgiqgpa.ixl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vega X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup89637424.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxPlayerInstaller.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1000	timeout.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerInstaller.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerInstaller.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio	RobloxPlayerInstaller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0"	RobloxPlayerInstaller.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\version = "version-aa7aa2777dc64b37"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe\" %1"	RobloxPlayerInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Opera GXStable	Vega X Windows_89637424.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command	RobloxPlayerInstaller.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{78AC81EC-CE54-4E50-9CC9-717090A1928E}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol"	RobloxPlayerInstaller.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Vega X Windows_89637424.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	Vega X Windows_89637424.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon	RobloxPlayerInstaller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell	RobloxPlayerInstaller.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Vega X Windows.txt:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Vega X Dev Mode.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 392785.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 258084.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Vega X Windows_89637424.exe:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1452	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4876	msedge.exe
4876	msedge.exe
4524	msedge.exe
4524	msedge.exe
2216	msedge.exe
2216	msedge.exe
1688	identity_helper.exe
1688	identity_helper.exe
644	msedge.exe
644	msedge.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
444	setup89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	444	setup89637424.exe
Token: SeDebugPrivilege	2836	OfferInstaller.exe
Token: SeDebugPrivilege	428	tasklist.exe
Token: 33	4700	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4700	AUDIODG.EXE
Token: SeDebugPrivilege	740	Vega X.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
2860	Vega X Windows_89637424.exe
2860	Vega X Windows_89637424.exe
444	setup89637424.exe
2860	Vega X Windows_89637424.exe
840	glgiqgpa.ixl.exe
1920	setup.exe
2976	setup.exe
2416	setup.exe
4748	setup.exe
1564	setup.exe
1580	Assistant_112.0.5197.30_Setup.exe_sfx.exe
904	assistant_installer.exe
3352	assistant_installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 232	4524	msedge.exe	78
PID 4524 wrote to memory of 232	4524	msedge.exe	78
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 3324	4524	msedge.exe	79
PID 4524 wrote to memory of 4876	4524	msedge.exe	80
PID 4524 wrote to memory of 4876	4524	msedge.exe	80
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81
PID 4524 wrote to memory of 3512	4524	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.vegax.gg/
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8b9b23cb8,0x7ff8b9b23cc8,0x7ff8b9b23cd8
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3892 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:644
- C:\Users\Admin\Downloads\Vega X Windows_89637424.exe
  "C:\Users\Admin\Downloads\Vega X Windows_89637424.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2860
- - C:\Users\Admin\AppData\Local\setup89637424.exe
    C:\Users\Admin\AppData\Local\setup89637424.exe hhwnd=393302 hreturntoinstaller hextras=id:964bc9f9d4b9a45-US-rvXoF
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:444
  - - C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2836
    - - C:\Users\Admin\AppData\Local\Temp\glgiqgpa.ixl.exe
        
        "C:\Users\Admin\AppData\Local\Temp\glgiqgpa.ixl.exe" --silent --otd="utm.medium:apb,utm.source:lavasoft,utm.campaign:lavasoftOPTOUT:ES_NA_5cc218580d987a5cb28ead66"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:840
      - C:\Users\Admin\AppData\Local\Temp\7zS843B7858\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS843B7858\setup.exe --silent --otd="utm.medium:apb,utm.source:lavasoft,utm.campaign:lavasoftOPTOUT:ES_NA_5cc218580d987a5cb28ead66" --server-tracking-blob=YzczMmFiMjM4ZGYwNDk3OTMwMWFiMDljNDdhYzlhZDJkMzU2N2RlZTQ3M2RlMzRjMzkzY2E5NmU3NTg2OWRmNzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUxBVkFTT0ZUJnV0bV9tZWRpdW09YXBiJnV0bV9jYW1wYWlnbj1sYXZhc29mdE9QVE9VVCIsInRpbWVzdGFtcCI6IjE3MjI4OTY0MTIuNjcyOCIsInV0bSI6eyJjYW1wYWlnbiI6ImxhdmFzb2Z0T1BUT1VUIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiTEFWQVNPRlQifSwidXVpZCI6IjU2N2UyMmQxLWNjNGUtNDY2Yi04NjU5LWQ0ZjY2MzZiYThiNyJ9
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\7zS843B7858\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS843B7858\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.39 --initial-client-data=0x33c,0x340,0x344,0x318,0x348,0x6cd2a174,0x6cd2a180,0x6cd2a18c
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\7zS843B7858\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS843B7858\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=0 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1920 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240805222013" --session-guid=e05f586d-4a53-4b50-a6a3-4d71a36afe95 --server-tracking-blob=YTdkYzYwNWFkNjQzMzFkNTkzOGFhNGQzNTBiYjRiOGQwMTU5NzRmYWU5MzQ3N2Q3NjJhYjNlNWY1NjIzNjUwNDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUxBVkFTT0ZUJnV0bV9tZWRpdW09YXBiJnV0bV9jYW1wYWlnbj1sYXZhc29mdE9QVE9VVCIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjExIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyMjg5NjQxMi42NzI4IiwidXRtIjp7ImNhbXBhaWduIjoibGF2YXNvZnRPUFRPVVQ6RVNfTkFfNWNjMjE4NTgwZDk4N2E1Y2IyOGVhZDY2IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibGF2YXNvZnQifSwidXVpZCI6IjU2N2UyMmQxLWNjNGUtNDY2Yi04NjU5LWQ0ZjY2MzZiYThiNyJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=0C06000000000000
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\7zS843B7858\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS843B7858\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.39 --initial-client-data=0x32c,0x330,0x334,0x30c,0x338,0x6c36a174,0x6c36a180,0x6c36a18c
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408052220131\assistant\Assistant_112.0.5197.30_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408052220131\assistant\Assistant_112.0.5197.30_Setup.exe_sfx.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408052220131\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408052220131\assistant\assistant_installer.exe" --version
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408052220131\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408052220131\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector.opera.com/collector/submit --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=112.0.5197.30 --initial-client-data=0x250,0x254,0x258,0x22c,0x25c,0xe38f40,0xe38f4c,0xe38f58
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:2816
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 444" /fo csv
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:428
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "444"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:1000
- - C:\Users\Admin\AppData\Local\setup89637424.exe
    C:\Users\Admin\AppData\Local\setup89637424.exe hready
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4684
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:1892
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Vega X Windows.txt
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7016 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1972 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6716 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6680 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7212 /prefetch:1
  2⤵
  PID:472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=7504 /prefetch:8
  2⤵
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7740 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7916 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7544 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1876,8862094308653705497,13511198284853368332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6728 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3136
- C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe
  "C:\Users\Admin\Downloads\RobloxPlayerInstaller.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1252

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004F0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2600

C:\Users\Admin\Downloads\Vega X Dev Mode\Vega X Dev Mode\Vega X.exe
"C:\Users\Admin\Downloads\Vega X Dev Mode\Vega X Dev Mode\Vega X.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

Filesize
5.5MB

MD5
24591f85e9569269a3b822d0da2e0626

SHA1
62641ade4943b93983b4e59ffd6ee4dcbd77c17e

SHA256
d29bcf294dd77568fd173adac8c705d991482d645127baccb7efca20f560a5a2

SHA512
d0bfe43ece2c598a12fe7d3f2cd12e0685b639aec0fc7a1bbdf0829b886c22208e4236500d8e6540d7faef1514769b87bbdc666602c5548649e50aa61f2077de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
812B

MD5
22e2fb11dad84eb8802c3cc94d23f0bf

SHA1
dcb1df747c20465c9d839c234ccde8b295dbd3b3

SHA256
b1e43a1a701632df73508856cd6d4670c30acee60508f507d2df0a87c8af0961

SHA512
28ec41811aa5d3b7f69feb20e5577bd3c177ba4b7a56ead54fff9f11772582aff712cb5841c6d15de497b1272896f3060e49b6714478d39ec01c230ce65aed7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
1KB

MD5
5b2f272d4de498ffc37b970fbf7b787b

SHA1
e7d33dea294b18275a4ee113bc110d539ec4763a

SHA256
fbf22bb6a4e26994fa73b95789dbc448e22dfe62162d5cecf1de0afd0c5cb7b7

SHA512
42bd6d8d858c6d3c5df5e3bc055ccc4a38632fcd8d836e000e3680af3412380cf532e028b41773c5153e3528de45d6445121c79597356c06574ad246292e855a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\026A86A161D256DBB33076EDF20C0E5E_86AB612B21DEDF3B8CD155ED2E4114FF

Filesize
540B

MD5
348b438614d6b04b711c2a69a0649f7c

SHA1
8c2636266f9bf6b1e32fe4bebfb116dd67ace797

SHA256
1399af2eb491bfacf1aa157ab55f1398a2c950e5020b8446f436bf5082ec5acb

SHA512
9d46b969e629e0cd34cea0933a36822cc0747939f15c5a8437b8c2e4a09c66d3053bdfbb3bc2067fd8c0933a8256380068ae5839d754577ced855268d67b73e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A37B8BA80004D3266CB4D93B2052DC10_EBDB5A7037F08CDFB408DBFC0D44B43D

Filesize
528B

MD5
7c1894ae7bba95edbc80f104651adc7d

SHA1
f4b9c142b8bd1c3add87b37a66276b330ec79a07

SHA256
79a2c83273ae46cc5de68289bba752a757e5e59fa0e16e6ae2ef198d30fdd18e

SHA512
a482fe5dd4e2fa85bb16b85e0e1c3edb59eea53e0923242d328979e11edcd3350b0a99241d0b66a56c21a8908299271b76020f1eda0418039eed029e392ca95a

Download Submit
C:\Users\Admin\AppData\Local\Adaware\OfferInstaller.exe_Url_1hem3jux35iv1vzfopbi55gu03hcnxpl\7.14.2.0\user.config

Filesize
798B

MD5
f3da41e2f01ec12a28efa662df2fa963

SHA1
9760227f497132829ec34fffec6184969043bba1

SHA256
a4544f806b5637e45e2e702c7997d0b6a52b805670a72aac518d189c3004d1c2

SHA512
ae4f56f93a2386abe8891ba5ba1cc7de166a28c6a2f3913870bed2926ac43469bbbf0b4b18acf2fce7c7f120056e36b3777aabbdf9715cc12d2159403e392e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\748f60bb-d0ca-493a-8eb7-207605a6345d.tmp

Filesize
7KB

MD5
05db9cf6350d8b8ed5033d94e5b9781a

SHA1
09b9607443e154c0c49283bd6d2c8897446598eb

SHA256
b7cccd0e03ab30f6daf10465dc4764155af81a8337e8a9318517e64753ea8d49

SHA512
69a69fbc7cc16f7d26026077b4a721c9ff62f15a2200ee6adcd59a24730657a6f9369f200b033d66ff51f1009e6b3f21ae41defc9259c52c3c76855eb55a2041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
100KB

MD5
fdf09c3c067041ffdefcc9e1bdea9718

SHA1
e31cf28187466b23af697eedc92c542589b6c148

SHA256
144754d90b3eaad27d8a11c86faadb24da4ddc251bead8e43b9ed515fafb84da

SHA512
9e32b294cfc17fd52fbdd62732571f4ee57dc0308d62af476331887d0e2446b483ceac06ba4617cfbb1c347d771c0f7ea12108bc384e93f69b180c7ca1a92268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000062

Filesize
51KB

MD5
0a7c0eb14fb4f288d5c61cba111e3dc3

SHA1
48f6448938e1b8df723a9f7c6490a78887f240c6

SHA256
8bef2cb55b40f46f7e2fadfe280e4c41b71a657081858a8224c6fb639d910e4e

SHA512
a63a2651e36b03846d5818a4e03f7582ce95a34d9b4d4be9a5ee152ce22c305a14fec2618aa3f904495bed4c94a3256951ba75dbb0fd0386b3f570096ad4226b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000118

Filesize
51KB

MD5
588ee33c26fe83cb97ca65e3c66b2e87

SHA1
842429b803132c3e7827af42fe4dc7a66e736b37

SHA256
bbc4044fe46acd7ab69d8a4e3db46e7e3ca713b05fa8ecb096ebe9e133bba760

SHA512
6f7500b12fc7a9f57c00711af2bc8a7c62973f9a8e37012b88a0726d06063add02077420bc280e7163302d5f3a005ac8796aee97042c40954144d84c26adbd04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
384B

MD5
a2df6717ef732f41895747334fdd56e2

SHA1
08a69c8f49084f2ef9b84c0e98194379551aaf08

SHA256
3809b5ea4a8d2885e7e631ea6a3bb695165759380bca295c0502f286549fea01

SHA512
8086d253f71bd584fb81d69bf02c2039778173f6bf5973c16691516e586a4af6483b26be777ce8c3264a93e63d436936d23a0ccc892197a2a634bf6cb6dbd34e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
4KB

MD5
b211eea75de4ef34ec59a079b4b195a5

SHA1
a7f730c6db726a2999b0740e6c4d5917f290f88e

SHA256
ef6845f62a087225eca8ab97d62558366552d4251a8061c61f9a4e4a0c7eaf16

SHA512
f194b698d002dca7d1aeb438b06bcd416a6a4830aa22fa7b06a5e1edc9bd0222e7b6f770d9400643745a9fc9f01f768223bfa3c1a58ed8d713c4d4cd8206d979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
7KB

MD5
de3da98491e2bca338d936fd145606bb

SHA1
cdd9733432f57c2917b7f7469832154803dd15cf

SHA256
733ee4e948f550fcd9bfb5be35984a451b43685a72aa9fa6b858d81d09c77478

SHA512
7fee20129ec2e05653133d7079a0dbba1e2af6efaeff3b6aa74a96538e2a9ad82df0af0b17ed76a0e1fd59fe2408c129c8850d366cd1147442a228ec26631bbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
ae9fedc0916023748366297245504f3c

SHA1
2e785b3ae3ff9ab5c9dbbdecb0df932da70c5507

SHA256
5ae6e79d023c945ec1eeb0cf86ef89248ea141fff2b60629af7ab963bcc2546e

SHA512
9bfa31759d91557eae87f60b9685e2219b588a96d43086dbf4bc5288d7c89722cb3645ac0f786e4efeff41e3f354badf3ec01c35004b6e0f222158ed6fef2bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
9b1d58788b4e46c4ea47796e5103ca05

SHA1
94c8d33b3f4c3ccbb2cd664fe620721c3b4c715e

SHA256
51288caf042bc6b734799a0413faade7eb732b424c09ae9ef6ff986eadf0f735

SHA512
10720f4a075235e942467a1e77607c430b26bbf841174ddd1d3eadf48215304fdaedbe7cfc4365017b8104130b5a3cc1b8b6360c334a815d3223b3e6ac587319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\000005.ldb

Filesize
1KB

MD5
40b79e8c50a445af619231137ab72924

SHA1
39a0c1393b885d60419069b72b89965687f687c0

SHA256
30af791e3fb2d723a90fe9108a5aded4f13593db0be82be457aef63b07f09584

SHA512
c2ece3e21b636895cd0ab60107dc035cceb7f0cca30146e672eb526d101bb2925f7d22c6b61efcd41b934aa210c7d099e82ff2356013f866e4444e7470d8705e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old

Filesize
743B

MD5
e0b9adca2d545f1daa4ecade254bf064

SHA1
df74094eb34c7a4790abba3ea06b1c870a8ed590

SHA256
213c9df42191767dd13a70ad7124c42c35fa111e8da3aab2859cadd60a67b764

SHA512
5b269a1ce306575c55da0a0578253ca8d17ece26e046cba98f9304a0ae2293af769aa4418b3025e8c36217c42356af78ef693d704e2691a5772f7f8e393132a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old

Filesize
745B

MD5
0900a4f49c0f076b3d6648ea0480c604

SHA1
4a42cbfd010560c1cbad64ace517a6b6325450e8

SHA256
7373faac3f0adc5ac610b57a749665cdc4763bed6081d97d87afb3d42db29eb0

SHA512
52fa0ca5e3cf6ed9e18fc8526608afe022c4703b2af1c2148039b44301cc472670c8ae7a5699bff64f03a9c5a1a6b3c24f976318e7425f52b4551f25262bac0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.roblox.com_0.indexeddb.leveldb\LOG.old~RFe5af09b.TMP

Filesize
770B

MD5
bca88dd43b48b10f46466a3531c51176

SHA1
afee54177e8fdbf50eb1170e0c3a90ff9d31e3da

SHA256
446c869b280959dbe048742fbb2459ffc948ba0feb96fecebabb58d9b3c193b5

SHA512
9a73bf944d20e5aac5d6434d4b7f3fc83d2a18432466b0aa17b400fe03347ca998677a435e70692c7112f71babb8c310de724b1d09942ede28947c501513f603

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube-nocookie.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
89a97b7146740f141e27939a8dc4dfe6

SHA1
5144097047a45f4da83ee218124b83e00bdd260a

SHA256
db2f6d7ba3d5b49038d2f33ce579b68bff84cf8ce2f4a53030b6b09f826dc2bc

SHA512
d2f8c206e73be3f1df488064dfa820424b1b3cbb6daee49b910fa4ab07fb9cb2c6e7dcd31bda20e55baea5dd2817cdcb523a25a0e1f257189c058aef305c9375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
d3f6ea33071ce4bed2f5ee9c31a19294

SHA1
bee7ea4bcb8fd53145641b70c5ae974dc2df92e9

SHA256
125389182406467c48320b3f52934a8d68721a9f25408ef53ff06243281b571b

SHA512
fbe7b8160f85e985dd7feb25bcea3ab4e0935da96f86a919a913c27e4ef02963e02c8b52de188862f303dcf7b87fc56726f1a7d460c5f745e40fc9eb97ce7daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
071aa9a40b9a3d4495e7ca3238d3fb22

SHA1
6b56c1ed47bcdc4a367b5ca95bff1805042c55e0

SHA256
3a96d7e1c20bd19074f8a7b902c1fe8845b03d71ce58b7b96d232bf0c182bf89

SHA512
8b016855b75584f39ba976c74c4cc54dfc0b56d8e3edd7004b76c21f991c869e8ce2d4a4c0f5617a07b84d5b024c896bc1d310a3f35a31fad957cbf3929ffc94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2c16d7caf8425e26f1855775de81cd4f

SHA1
5a36c836f3f13583e3f541f6505c92c9c6503e64

SHA256
20ccb250cd5171f1ab1a5df20deb15c4b255d991f053103a3bdbe04d62a1b13c

SHA512
8b624c0caaa68faabaf64ea0fefd1f2895f2d86d892402bf084ca14b4cb541fd4d40f3b7cd36bc40a69ba0ac678aa0faa3dc5f49d0c033c3a7cd35d2dfe83222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e374ea3a0811cdadcf80e7426dcedb42

SHA1
a66c1728eb7dceb9214fe8c42b529f041b5eec9f

SHA256
9e47029fe63d4eed9ca7981de2a969b54b69fb314ff01f1b84dc64e3d36bdc9a

SHA512
323e7984cdad0b64b36aea63ebf74199459b7087a682f30f569aba3f8283ee72716606d4d6d99c25bcb5127cd501e099b5078680d23436395885842e0918a382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8fc9f1c35d9990a496993d22a8e82f69

SHA1
2dbede251ef8ec0eadaf0dcc268c895d2f742fb2

SHA256
b5cdeb7dbe3cf65b72dd81ca91e8faabe56f6055cb72a7d5e2e66e3e1ef3cce8

SHA512
4708581134029bd0038cc01adc8645c6d15dcc1ba409a8988f2dbde587422a247e3c7d17d67008c113f25faaeb762d21132c73dcc5e1d8805713408e98b8c0ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
29a40f0dad2610a567cae2041f33eaee

SHA1
c6d25a5f528814152df5c17681b41272f594b2b2

SHA256
de29f07b69adba884d9e955a5e5cf623fec7f7ae8ad384d8c54c34c435e609fb

SHA512
1f71fcd8d3657955f8307e8d4f344f974ecb6324aa557fb881d83b9feef6bae99cbf3856385c45339b7b6f632a5f24b799233984feffc2670704255c9f1daa62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cd8edcfe1d10f6abaa63899ebced80d5

SHA1
8808cee41c6930ed78cdc77c1d035172bbced93a

SHA256
454067b119576449e89dbd943df85b0b652196f870c5e98b9096b98c18e749f7

SHA512
bf1eecbcf205bafd8feffd8ce3fe25ea8f326d796eddf4005b47b5822b8d6d47d784fb35204a905a36fa445491d90673a362f482097a345c755de041e5300d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c165a631af86ea11bf042eeb7b4d6d13

SHA1
76c7442b04613ad9700e5c83b51790e695875a67

SHA256
c5842e974320782d56cd0fab31a8859312c4ab1152ff851713d401a564879654

SHA512
ac22c1804f484232178402ff0586155275f1277ee19f84da37206963c15286dc7de6112aa1972b2d900ea3b1343ff021b01b31fce00d1f49c06bdaa06f94bc99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
19a608a5457d3d2e1333272e4508d9d7

SHA1
94e96cc6fc16e56d26679520338258eff49a9886

SHA256
e7b806313a17f4573b5096fcdd7be3ac63c0a8a0e06c041c107801c84292ff31

SHA512
cfb4f6c17c7758074f7d5a09ca835aa340e9ece318fdffbf8b712a0bb8e6317300b56fc663c0be7c02eb3aa4f2de6044bd6a326df2cabb6e1cbd39a72305990d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\32cadb2b6d359d069dd3f3d132c212a43d223701\index.txt

Filesize
35B

MD5
343859b4ad03856a60d076c8cd8f22c3

SHA1
7954a27de3329b4c5eefd4bdcb8450823881aad6

SHA256
8c79b653c087618aa7395d5e75198da7d3b04c08654c39e56b1027f9ef269c2f

SHA512
58014a4e7f2b4b0d446fae3570196b8fb95d0d1b70bdab0dd34a74d6c62cd8d7ca494a486f19c1a829988a3af83a08d401f18d1769ce1799a02ee09807234254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\32cadb2b6d359d069dd3f3d132c212a43d223701\index.txt~RFe5b0a9b.TMP

Filesize
99B

MD5
dc4826684107a4977939138b6a276977

SHA1
d4e1a4378c46a2bde34dc37ce1a3e2a81faa5c37

SHA256
436d8701ea682320bdcda395ece6f9a3cfaa42bebf06417efe30b06a4d17852b

SHA512
b3825948bbe0f0dcf5bf824ebe6f60b2ebe2823bfb32fe7668faadab43feb71c6b06218e2379cd50a729975dc818ab0f063f4115840eaddd8398bc0b01904ccf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
38c9ca4b8fe9e80eb0767364eddb209e

SHA1
e592ad70f24e3b8a32f4b8f997a1827aba4aff29

SHA256
cfdcb6f003d5620dcb08aaaedd6b049c2fd7f6bb5771e8281aae6b17cafc88b1

SHA512
c217f71e1972cebcf3ca44c58675670a1551bada8b036f325139326b740596568df0d918bb4e88ee3fcaef795ee78c7bf5b8e7499442b912049254f17fe22f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58f632.TMP

Filesize
48B

MD5
9358a01f78eb21f5064ada9dac8a54c2

SHA1
1d9468eb0db8411fad8b85111159186f628ba0e5

SHA256
6b24b701bf86fe56540e08f2effad07b11fdf9b9e96d7b351add1437d91933ed

SHA512
7e49277c206b825df203aa2d931e5051988f7450b39f6e85c5375265e7213ded065a7864a8d0bfccb1cdf4c5ed3c9ac9d024776a7e83c54b018611ae01ce0cc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4c0ec60d814d61b3b5cd0660eb5bd657

SHA1
0d6426c609306d2ced9b11d48cbab1629f830e57

SHA256
7dae2b3dee0379b862496958c3db26eb6b986b5a2c4ec1ac961002f08987a4a5

SHA512
bd617e5f74adf4fd92ad3d4133eb6a1334f0120ea2ec78fdc2abbb68ac610dcd515e874b2ed49dafa5ef55e574a17980e60dec9f48dd5bee8a2a8e5d3de40a1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e18d13103a69c56383fd0f3dbea60782

SHA1
c36153b933b4ad911256ffceacc4c7dca2d82974

SHA256
a36bdcb35ca090fbaca490b5f7c0279b6f156784985fa98fa824decf35183843

SHA512
885204c2f088d41ee8518a5753bae448215e574bac6ec62507b09abd4cd18da9afd1c9ee99b61bf715764c828b11a6cfeeee725e4cc2629908208e1ba7bee013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a2850e06974672192c531bcbbeb27593

SHA1
a4ff6b1a732aa160ce38273189f05f5abd029bc2

SHA256
7fb369171346455abc28128b4d884197895acfd2f5967428f9de0395d5825282

SHA512
1a7e91229ae49b8e7b1527f02a5fab854c37dcbbafc7143c5eef64295b5f8bcdb96e40bd9f5a3c7ef37edf6a2a2aa4f50e612dcba688e792262cd62da8321846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6a71b4763b43dc06d3b35a828e0fdddb

SHA1
6450e5eec17cb535a56991dd76c50a695e49845c

SHA256
ca8f7e318177c06007465e338fdd10317418be392a5fe3ea9c706d611c68b0a7

SHA512
38da532f53d4871051325fe1684c13e2e247c4d8540835fa558e73c22d5676142cb2c5430d7f46002b00412f21b881f233a8af058e88e31a78da16183948a0c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bc40797a40d636a35817cad4316e2bbc

SHA1
9088d9fb033843526996c8c1782ccc39672b74dd

SHA256
37d114804577a7ea6f0ca0688cea70f63137ff1ef7692882eec962ea83b0f331

SHA512
d752104c031e73a2ce5ec308617b369200963b2b17c7b54ca68cac500ef578bb9f4abc39c8186eff464417ddd61727bcfcb76c87b4b530c60a04d728cea676b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
00afae1bda1efd3bacd80ce31d244ab1

SHA1
f6dc573100a70794f3a78cb4ff74a0b7b632b65e

SHA256
7f8da6d59938425adc3635b7bf89325cbba7b67874e30b5ec9467a568ee3481a

SHA512
379fb8710d15b2994cc934eed6dd544f67aadfb9837d92a3443ac4ea3cb67a4a3f8d0432c9326f4caea9303da622dbd44ca3a91872356e7b69ebba6c65f333f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
f3d2f2370a02537c2067a542bd6654be

SHA1
1593dcc52abf4c2070cdf0aeeac318c1ee25f2cc

SHA256
6dd71a0834c1065d1eeb2890d8f3b25457dc120ca4eea425f17c60c3c4706641

SHA512
d46127906452527298dc6b2f9799f17c255cd1b8f993f3d1c384f5d79cee95adaa6baaf520773d389eb767c5a5019eccc1224cb492bac51d521d2c4551b9b4bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
337197d154ac12483a840b13f6219388

SHA1
27a2db122c788ee65f39c3ca4037ff31be9a2ac3

SHA256
69254d0f20b1170bcaf7c9ab2d9579794c4652fa91aeac27d635812c7e9de8d6

SHA512
f27a8acc77a6311b7308afd78ba0f9d046be0697c343478b714f17e46de1637efe3b6adb02102ba6bc2101502ca3de5e58391e780ae3eb7a81023ab494fc6daf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
620258c2b17d03d72af87ecb2f9bb23f

SHA1
a5f10503f07c2afd76df1e46346996db372bf497

SHA256
8fcffe56fae9c802af94e76fcf1c929458310646f5892f9e215fdb3e2f9d25ff

SHA512
ea968c20cc1e9548042b750bc29f77d918281dd4ff4be387287c904d057bba18e1eaa239ea1955685183f299f034fbf0d4e350fc6762a644ec7eabb48cca7c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d43f426522d2da8527b1ec1b5d1d2c13

SHA1
cc0af447de77516be67b1cd4f2fb16523231b71e

SHA256
d6b565426a6e39230f18d49bfa8171c92343bb8c5f51909747e49f742f67bcbf

SHA512
837c21378cbbe5e40ac1cc5cc133352ad0f3c3a10b69abfc8103d4035e54a137e1991d2e10e6be092b328bbd8939adea1e317ea643cfd1fb4bb602c88f4258ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
ff98e204c1363d478c34a676661ecb5b

SHA1
9847298ba25affa68f6f7c33bd4bd764fc03c29a

SHA256
8ce891236937910b2f746264bac399abfe5bf64c1e1f9bd85a350d12aebb0e82

SHA512
d1bd944d74f85cb9f0ade7f06405a25037896eb4ec2df0f0e86ef7f2d45e18421374dcd915f8a0a30d5c1cbd918bfd5907426b1f380e9b490242aea9d3b53604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e865897a7fdd16d65506b103e0cb5f2f

SHA1
d37f9de28e8b06bd9b37267e7046f324aca69b27

SHA256
f032700ed2972a360f5dec68ffe4549293890b73bcb1fa3d56e878e73df42bb6

SHA512
771c1dc753d6831c299d0499da1142d39ffcac75fcb31a2d89953fc25b6a113530f666bbd33dbae4affc4bfc996dcba20fb1f873471d745c4397e3c1aa2679ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
b02e837bd3ec7b22996a04f75c586872

SHA1
f4700b8c6eabb353c0bdee2ba823c69e372ac340

SHA256
8d26d5a4dc99abc4a9d113f2afb08ed58d10550df247bfd18e38bcf666cd52de

SHA512
f147b624c51ae579cd5b329cd05b82ec6be73e764d0ee7bbd971bab92b47383492a2d01c642d7a027935cc35577bb0e99285396a5ade4a11c4983db3e6451d80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
29b544efd30c0855ea2828fbbd85d069

SHA1
a39f9b56541dcf250a6e5b96d3ab3646bc6a60a1

SHA256
9ad08e35e476caa4307f6fe8ecb888a5485e7ea276f366810c5e7a02b8c836d9

SHA512
8e45415094a550d09717ba9b9791e748db7fa3bd30ca3712357cfd8f934140f2c3f14ba124f03dc5df2bb4dc03c2b3c90387262a3ac60fd508599e2558dc8829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0f67c27b17a2d217fde6e10b3b160093

SHA1
2974b4b61724cc65d4d3a65bffedde38d49a5a6f

SHA256
9c24ef6f7155a678edbca9141925efa693ab4ddf480a159e1a0d9b0b6ac642ae

SHA512
3da7bb4c43b72fbaa5764123ec31c97a4cb26615c10d9fdd5d2b959aefcd909803c42d30b4b2e2e6e27c03e7d6ad072f03e2c7215ac0c6066046f543d817f888

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588bff.TMP

Filesize
539B

MD5
31dbf7f2a212fecaa60792ecd684d985

SHA1
a128c79b69bf23c86a07d0e753c0d093564a3dc1

SHA256
a6f323398712a8b88e75932379ec003ddf80c92c86f11659aa10ae1e72bfc335

SHA512
d6d543e12e845999b5e97b93f5a78a58e43185428b9078d841f0e6691e7717c912e27948b7c19c1524ba794af19706943f55df5da1d2155fdeb2d88df16574ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d3d741a0e4a77feb5a3f1846dc2d7711

SHA1
af675778d658489cc6a373a76b048f9cbdde85d2

SHA256
7ad1f7988aeb676d359a4d8873565716f97fad430535c60e46e36edd71d3e2ce

SHA512
a6e36043a5fe944b41c5418f14bae1b59760b30e66b14c45e5bead5f5a5d83e457f89a21f4cfcf3a2029b30629400c3bb88ad4bde637c54e1434f0b662077afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8de6623dfd24bd24c0a7ef246684e73a

SHA1
11fe61c6292fbaf14629248808f90fb47e94f6bc

SHA256
50a6b5a41c176d44c2952fc1cff95b5627323bdc90a0d786fbe980b821794447

SHA512
65e9cf852c4468487d2657672c1def4f0596cd61d5277ae192f2cf93aa1a59511b25c0d0eced0975abedaa7533dc5f14dda2c276f1b93c2483ad1bdf48db3743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
16b18026096d82050c86345bb48459ac

SHA1
a208ce6dea41713fea0697cbcc46127f7a5da375

SHA256
c2d9fe94a42e7b521d1c264235bf8bf50c493ce8b02caef83c4e6ca7f40141df

SHA512
3283aa0404188252f7d116957a6a5547e022363d869f6ef757d3aced34715ef69b0b157a1f7208a97d99b0a0afd0868271a81c63c3ca785b745977cf8ed605f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dabd1a04e3ff2601786d82515e52e694

SHA1
90be646ab9a6c8086cac85a8381e1a8894168b84

SHA256
b9a3e15f400d166b8216fb453a0ccef376ffbc15bc2c10d9c36ecd0477ca7f05

SHA512
1a4d8d5bda7146d1dbc947a3039e604e204827b5f8688bdef76777c57ea2957034c2dd7ba46e64d249ffb88ca7b972825e7f1400ceb3c01871d7352d0ce02fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6f0da193e1dad5ac169cd17e8f5e841c

SHA1
63b74eae732c8e4e12151622639a388230a2b6f4

SHA256
070b80bc50cf9ddc9547a7690d47d32d97e32be372c3166435ad551907f28b67

SHA512
0a905745e183cc1d54a73f543d9981575db4eb8ac0df379c980a3cb1768547246a6568bbe2e5fe3fc73da07a96c46aa8b33ab92fbe3e3fa46432a90d56b14aff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2ec0d3cfa87f71a5a5ccc63620951ef4

SHA1
9d31be266a19e5f18c1eb952bda4c27ee6d40b14

SHA256
9271324d5c58823a70fe3e86d990733cad964de9fd7c98f8e50bf7b0f8b0acd4

SHA512
bd48a4e7f3829b0babfa217363fd134c8dbd38b61689775e575c06d9dbc5b68a707eaa34e1467a678af2263b8dd95cfaea98d4fb65737fb10940d1c59d8cf349

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202408052220131\assistant\Assistant_112.0.5197.30_Setup.exe_sfx.exe

Filesize
2.6MB

MD5
1bf64fd766bd850bcf8e0ffa9093484b

SHA1
01524bb2c88b7066391da291ee474004a4904891

SHA256
58794b1bf4d84bd7566ee89fd8a8a4157dc70c598d229ec5101959f30b6f3491

SHA512
cdf2830edc5d4f30beae41591f3a1bcff820f75444d70338a4c6d36e10df43475f383a9f291b619a008452c53e0dddf65547f217386389000535d6d264854e7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

Filesize
5.2MB

MD5
f234c4f296e58a704363ba1b6547d2e1

SHA1
c7d18136a216d13684be54596f6e4d1a2e86f088

SHA256
f6e43c32e89ced0b6c0d88e620e23b80a4cc440a838a733ae880b078dd62458e

SHA512
64f1a44807f428c004b2e752b39aeb0e8b4310b713fbf90e31dbe16ef40c31866bdc5aa25e3bb6ecaa6523da4b412265cf74e149d20a2ef37d8addc816d14c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2408052220128342976.dll

Filesize
4.7MB

MD5
c422732ce5268fcdaa68ecc576c3fd38

SHA1
7fb88aa9641d9a70ec88da22b25f55914e6f958b

SHA256
a8c8fe6990398fdb6fef6c64d4b7648282580a14b923b2a7b3677a81300d793a

SHA512
8b8337b1137810936c1ff5a7e6a59ef0c9a60bb0928547aa6d70cb1a42ee554b1efe92177879e0ebc9b80f92c43c3f45848d1ac7a644203bca3bc8d04441c9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
5.7MB

MD5
38cc1b5c2a4c510b8d4930a3821d7e0b

SHA1
f06d1d695012ace0aef7a45e340b70981ca023ba

SHA256
c2ba8645c5c9507d422961ceaeaf422adf6d378c2a7c02199ed760fb37a727f2

SHA512
99170f8094f61109d08a6e7cf25e7fba49160b0009277d10e9f0b9dac6f022e7a52e3d822e9aee3f736c2d285c4c3f62a2e6eb3e70f827ac6e8b867eea77f298

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll

Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll

Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe

Filesize
26KB

MD5
cef027c3341afbcdb83c72080df7f002

SHA1
e538f1dd4aee8544d888a616a6ebe4aeecaf1661

SHA256
e87db511aa5b8144905cd24d9b425f0d9a7037fface3ca7824b7e23cfddbbbb7

SHA512
71ba423c761064937569922f1d1381bd11d23d1d2ed207fc0fead19e9111c1970f2a69b66e0d8a74497277ffc36e0fc119db146b5fd068f4a6b794dc54c5d4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html

Filesize
1KB

MD5
9ba0a91b564e22c876e58a8a5921b528

SHA1
8eb23cab5effc0d0df63120a4dbad3cffcac6f1e

SHA256
2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941

SHA512
38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis

Filesize
291B

MD5
bf5328e51e8ab1211c509b5a65ab9972

SHA1
480dfb920e926d81bce67113576781815fbd1ea4

SHA256
98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b

SHA512
92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico

Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll

Filesize
5.6MB

MD5
b431083586e39d018e19880ad1a5ce8f

SHA1
3bbf957ab534d845d485a8698accc0a40b63cedd

SHA256
b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

SHA512
7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\setup89637424.exe

Filesize
3.8MB

MD5
29d3a70cec060614e1691e64162a6c1e

SHA1
ce4daf2b1d39a1a881635b393450e435bfb7f7d1

SHA256
cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72

SHA512
69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Vega X Windows_89637424.exe

Filesize
9.5MB

MD5
3d50042e3e3991be509f56a2951a2183

SHA1
f027790afe9d7ce2ddf17973f0778fb9e983ded1

SHA256
76eee256f1223082e8396611baca498542c656edd0fac5fe903e06e6cb5677e2

SHA512
120c6a7778bd9f65f469d3335987b780e736bd895ed944d0988372f891b48f9ba09b50ed9dcffd0bf1fa23a12e215ed1f1ffe75d11c925ff4c08d3e48259a873

Download Submit
C:\Users\Admin\Downloads\Vega X Windows_89637424.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/444-258-0x00000000051A0000-0x00000000051C8000-memory.dmp

Filesize
160KB

Download
memory/444-217-0x00000000050C0000-0x00000000050D4000-memory.dmp

Filesize
80KB

Download
memory/444-405-0x0000000009310000-0x000000000933E000-memory.dmp

Filesize
184KB

Download
memory/444-389-0x00000000069D0000-0x0000000006A62000-memory.dmp

Filesize
584KB

Download
memory/444-372-0x00000000078D0000-0x0000000007E84000-memory.dmp

Filesize
5.7MB

Download
memory/444-195-0x0000000000260000-0x0000000000638000-memory.dmp

Filesize
3.8MB

Download
memory/444-366-0x0000000006D60000-0x0000000007306000-memory.dmp

Filesize
5.6MB

Download
memory/444-363-0x0000000006780000-0x000000000678C000-memory.dmp

Filesize
48KB

Download
memory/444-357-0x00000000062C0000-0x0000000006617000-memory.dmp

Filesize
3.3MB

Download
memory/444-350-0x00000000060B0000-0x000000000613C000-memory.dmp

Filesize
560KB

Download
memory/444-242-0x0000000005140000-0x0000000005168000-memory.dmp

Filesize
160KB

Download
memory/444-250-0x0000000005170000-0x000000000519E000-memory.dmp

Filesize
184KB

Download
memory/444-234-0x0000000005110000-0x0000000005134000-memory.dmp

Filesize
144KB

Download
memory/444-355-0x0000000006030000-0x000000000603A000-memory.dmp

Filesize
40KB

Download
memory/444-333-0x00000000059B0000-0x00000000059C2000-memory.dmp

Filesize
72KB

Download
memory/444-316-0x00000000052D0000-0x00000000052ED000-memory.dmp

Filesize
116KB

Download
memory/444-356-0x0000000006290000-0x00000000062B2000-memory.dmp

Filesize
136KB

Download
memory/444-306-0x0000000005340000-0x000000000536C000-memory.dmp

Filesize
176KB

Download
memory/444-298-0x00000000052F0000-0x00000000052F8000-memory.dmp

Filesize
32KB

Download
memory/444-290-0x0000000005260000-0x000000000526A000-memory.dmp

Filesize
40KB

Download
memory/444-282-0x0000000005280000-0x00000000052A4000-memory.dmp

Filesize
144KB

Download
memory/444-274-0x00000000051F0000-0x000000000520A000-memory.dmp

Filesize
104KB

Download
memory/444-266-0x0000000005210000-0x0000000005242000-memory.dmp

Filesize
200KB

Download
memory/740-1467-0x0000000009E20000-0x0000000009E30000-memory.dmp

Filesize
64KB

Download
memory/740-1458-0x00000000081C0000-0x0000000008AEC000-memory.dmp

Filesize
9.2MB

Download
memory/740-1470-0x0000000006C60000-0x0000000006C7E000-memory.dmp

Filesize
120KB

Download
memory/740-1469-0x0000000006040000-0x00000000060B6000-memory.dmp

Filesize
472KB

Download
memory/740-1468-0x0000000005E40000-0x0000000005EF2000-memory.dmp

Filesize
712KB

Download
memory/740-1457-0x0000000000BC0000-0x0000000001300000-memory.dmp

Filesize
7.2MB

Download
memory/740-1462-0x000000000A340000-0x000000000A378000-memory.dmp

Filesize
224KB

Download
memory/740-1480-0x0000000007100000-0x0000000007288000-memory.dmp

Filesize
1.5MB

Download
memory/740-1463-0x000000000A300000-0x000000000A30E000-memory.dmp

Filesize
56KB

Download
memory/740-1461-0x000000000A2F0000-0x000000000A2F8000-memory.dmp

Filesize
32KB

Download
memory/740-1460-0x0000000009CB0000-0x0000000009D4E000-memory.dmp

Filesize
632KB

Download
memory/740-1459-0x00000000091A0000-0x000000000925A000-memory.dmp

Filesize
744KB

Download
memory/2836-478-0x0000000006F80000-0x0000000006F8A000-memory.dmp

Filesize
40KB

Download
memory/2836-469-0x0000000000C40000-0x0000000000C4C000-memory.dmp

Filesize
48KB

Download