hxxps://www[.]youtube[.]com/watch?v=49J0EkmMaYA

Analysis

max time kernel
219s
max time network
222s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 13:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/watch?v=49J0EkmMaYA

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Vega X Windows_75354638.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	setup75354638.exe

Executes dropped EXE 13 IoCs

pid	Process
976	Vega X Windows_75354638.exe
5300	setup75354638.exe
5824	setup75354638.exe
2252	OfferInstaller.exe
5496	d2wx5i2u.2h5.exe
5624	setup.exe
4004	setup.exe
5680	setup.exe
5808	setup.exe
5652	setup.exe
3632	Assistant_113.0.5230.31_Setup.exe_sfx.exe
2760	assistant_installer.exe
5068	assistant_installer.exe

Loads dropped DLL 64 IoCs

pid	Process
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe
5824	setup75354638.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks for any installed AV software in registry 1 TTPs 8 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast\Version	setup75354638.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVAST Software\Avast	setup75354638.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV\Dir	setup75354638.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVG\AV	setup75354638.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV\Dir	setup75354638.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\AVG\AV	setup75354638.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast\Version	setup75354638.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\AVAST Software\Avast	setup75354638.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
228	tasklist.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_113.0.5230.31_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vega X Windows_75354638.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vega X.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup75354638.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2wx5i2u.2h5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OfferInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup75354638.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5292	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Opera GXStable	Vega X Windows_75354638.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Opera GXStable	Vega X Windows_75354638.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	Vega X Windows_75354638.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c00000001000000040000000010000004000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup75354638.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup75354638.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup75354638.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 911585.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5248	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3288	msedge.exe
3288	msedge.exe
4332	msedge.exe
4332	msedge.exe
2168	identity_helper.exe
2168	identity_helper.exe
4232	msedge.exe
4232	msedge.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
5300	setup75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	3312	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3312	AUDIODG.EXE
Token: SeDebugPrivilege	5300	setup75354638.exe
Token: SeDebugPrivilege	2252	OfferInstaller.exe
Token: SeDebugPrivilege	228	tasklist.exe
Token: SeDebugPrivilege	4872	Vega X.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe
4332	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
976	Vega X Windows_75354638.exe
5300	setup75354638.exe
5496	d2wx5i2u.2h5.exe
5624	setup.exe
4004	setup.exe
5680	setup.exe
5808	setup.exe
5652	setup.exe
3632	Assistant_113.0.5230.31_Setup.exe_sfx.exe
2760	assistant_installer.exe
5068	assistant_installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 3756	4332	msedge.exe	82
PID 4332 wrote to memory of 3756	4332	msedge.exe	82
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 4564	4332	msedge.exe	83
PID 4332 wrote to memory of 3288	4332	msedge.exe	84
PID 4332 wrote to memory of 3288	4332	msedge.exe	84
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85
PID 4332 wrote to memory of 4724	4332	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/watch?v=49J0EkmMaYA
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcc0da46f8,0x7ffcc0da4708,0x7ffcc0da4718
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2508 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3452 /prefetch:8
  2⤵
  PID:692
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6540 /prefetch:8
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1268 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4232
- C:\Users\Admin\Downloads\Vega X Windows_75354638.exe
  "C:\Users\Admin\Downloads\Vega X Windows_75354638.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:976
- - C:\Users\Admin\AppData\Local\setup75354638.exe
    C:\Users\Admin\AppData\Local\setup75354638.exe hhwnd=655930 hreturntoinstaller hextras=id:964bc9f9d4b9a45-US-W0xdq
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5300
  - - C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2252
    - - C:\Users\Admin\AppData\Local\Temp\d2wx5i2u.2h5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\d2wx5i2u.2h5.exe" --silent --otd="utm.medium:apb,utm.source:lavasoft,utm.campaign:lavasoftOPTOUT:ES_NA_5cc218580d987a5cb28ead66"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5496
      - C:\Users\Admin\AppData\Local\Temp\7zS8750AEC8\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8750AEC8\setup.exe --silent --otd="utm.medium:apb,utm.source:lavasoft,utm.campaign:lavasoftOPTOUT:ES_NA_5cc218580d987a5cb28ead66" --server-tracking-blob=Yzg1ZDc0M2M1M2M1YTcxN2E2ODkzZDllMmQ4ZjY4MzhiOWVlYzFkOTA4OWQ5OTA3NjYxNWJiOTdjNGNhYzc0MTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUxBVkFTT0ZUJnV0bV9tZWRpdW09YXBiJnV0bV9jYW1wYWlnbj1sYXZhc29mdE9QVE9VVCIsInRpbWVzdGFtcCI6IjE3MjY3NTM1OTguMzczOCIsInV0bSI6eyJjYW1wYWlnbiI6ImxhdmFzb2Z0T1BUT1VUIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiTEFWQVNPRlQifSwidXVpZCI6ImZmMGQ2MWNiLThiYWItNDQ1My05ZDc4LWZkOGRjMTA5ZWNiMyJ9
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of SetWindowsHookEx
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\7zS8750AEC8\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8750AEC8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=113.0.5230.62 --initial-client-data=0x338,0x33c,0x340,0x334,0x310,0x6cdcae8c,0x6cdcae98,0x6cdcaea4
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5680
        
        C:\Users\Admin\AppData\Local\Temp\7zS8750AEC8\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS8750AEC8\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=5624 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240919134644" --session-guid=842b2b60-3266-4520-a369-aa834b093539 --server-tracking-blob=NjYzNzdhNzcxMDRhMWRiMTIzZGE4ODY0ZGZkZDE3ZDg4MzNmYzQyZDVlYmEyYzU0OGFhODcwNjQ5YzkxOTk1NTp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUxBVkFTT0ZUJnV0bV9tZWRpdW09YXBiJnV0bV9jYW1wYWlnbj1sYXZhc29mdE9QVE9VVCIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyNjc1MzU5OC4zNzM4IiwidXRtIjp7ImNhbXBhaWduIjoibGF2YXNvZnRPUFRPVVQ6RVNfTkFfNWNjMjE4NTgwZDk4N2E1Y2IyOGVhZDY2IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibGF2YXNvZnQifSwidXVpZCI6ImZmMGQ2MWNiLThiYWItNDQ1My05ZDc4LWZkOGRjMTA5ZWNiMyJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=F405000000000000
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\7zS8750AEC8\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS8750AEC8\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=113.0.5230.62 --initial-client-data=0x330,0x334,0x344,0x308,0x348,0x6c28ae8c,0x6c28ae98,0x6c28aea4
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409191346441\assistant\Assistant_113.0.5230.31_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409191346441\assistant\Assistant_113.0.5230.31_Setup.exe_sfx.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409191346441\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409191346441\assistant\assistant_installer.exe" --version
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409191346441\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409191346441\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=113.0.5230.31 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x9e2c48,0x9e2c54,0x9e2c60
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
      4⤵
      System Location Discovery: System Language Discovery
      PID:5168
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 5300" /fo csv
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:228
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "5300"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5232
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5292
- - C:\Users\Admin\AppData\Local\setup75354638.exe
    C:\Users\Admin\AppData\Local\setup75354638.exe hready
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:5824
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6860 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
  2⤵
  PID:1288
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Vega X Windows.txt
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6140 /prefetch:2
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:6140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7192 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6772 /prefetch:1
  2⤵
  PID:6128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,9270804601054064929,18103794874200345996,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7004 /prefetch:8
  2⤵
  PID:5244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x498 0x3f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4072

C:\Users\Admin\Downloads\Vega X Dev Mode\Vega X Dev Mode\Vega X.exe
"C:\Users\Admin\Downloads\Vega X Dev Mode\Vega X Dev Mode\Vega X.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4872
- C:\Users\Admin\Downloads\Vega X Dev Mode\Vega X Dev Mode\bin\commservice\node\node.exe
  "bin\commservice\node\node.exe" bin\commservice\files\index.js
  2⤵
  PID:1040
- C:\Users\Admin\Downloads\Vega X Dev Mode\Vega X Dev Mode\bin\commservice\node\node.exe
  "bin\commservice\node\node.exe" bin\commservice\files\index.js
  2⤵
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Adaware\OfferInstaller.exe_Url_1hem3jux35iv1vzfopbi55gu03hcnxpl\7.14.2.0\user.config

Filesize
798B

MD5
f3da41e2f01ec12a28efa662df2fa963

SHA1
9760227f497132829ec34fffec6184969043bba1

SHA256
a4544f806b5637e45e2e702c7997d0b6a52b805670a72aac518d189c3004d1c2

SHA512
ae4f56f93a2386abe8891ba5ba1cc7de166a28c6a2f3913870bed2926ac43469bbbf0b4b18acf2fce7c7f120056e36b3777aabbdf9715cc12d2159403e392e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
884c8599924b5d76efd2b6d002b47ece

SHA1
d2757364b0e91872c484f828b412886a802b5727

SHA256
fe99731bf0dc8f905e3cb3d99390bc05cee08f61865a2eeca0db49226350a75b

SHA512
0b33fa29da7de2f64e76c984c2c238a48e8a4f3c92f6f22d9baf2f7bfc0f4a66366cd9c7c5391cae076a477b86510dc7d582266f321f9c859c8f9a21c959fa79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
696B

MD5
59f027dd12557ccb52dae9c544435cb3

SHA1
30a1a7f30fc7c7fb2fe257013f601ddcac084db1

SHA256
bcddc0b3a4b645ef84cf79bfbc03ac2e48ef20c53cb3be3a0941033bd19fcb5c

SHA512
43e081556eadc3dc192e4ffd138cd337a2bff01a5682b7b2032cc4a88c3c2b6bcec02fe9c584149965a4d4d19a31acc3aefeaed58db992f36ac324b055d479db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
008c6d0bad62e8cbf24021860aceb0cb

SHA1
0ec56b01a9eb8c5ecdb1b58a862bc8bbb87a0e6c

SHA256
ba493fa8ab54d892822e6af6ebbfa33479cbedec9e59a94c2096c0b674c44b1b

SHA512
f1570ae67cbd2e8359771cff1a1d0222be459a95624e1ebed40927ee72019c624107e1614ff40102f16535db2c46c92204c4acb9a280dd0a636b00f7b98b633b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
955474364890545544fdaec78e7718dc

SHA1
55a3ff1efb6d6496213b869a90c08f214ad016ce

SHA256
9d48fc4d327bc77baa406fdcc387903b4b2e727e269fa5d4a8a123db3823f0b3

SHA512
c57efe904061c33cbd6cbc0c39e9cfcee3178fdda9e7aa5e03c64547297761855c10482250504e1c1f9be5542c040601f3ef8b0bffb6b6d0e672b59361176c66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c35225595fa66e08a3c9c1bffbf75623

SHA1
5f1146218ee43917bae546ad4c4cd8380ebdcd06

SHA256
6b9e47de4361acb46aa8c9aabb4373009a6d4eeb5243d16e51cc018d2a05526f

SHA512
c98a9592885a762fe26f2ba2a874e086d1585565ab41bba04e44f4669f442dfa80713139e7140857ff7cc04a03ae47835826fe4df4657d64fb2947f867b89660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
40a972750cfd0349b3648216d88cafb0

SHA1
9ff75b34e87033f15c132505ed0141cbaa9c5d20

SHA256
a834d639736e76e36482b5a5280dea3d4bfea343fb66a80a5622f0c19e968d3b

SHA512
da6223aeae2e5ba9966e2fdd1458d63893a940ccbeaa9b1277be464656a8b038ffc15e51742fcfbf6eb84490735bd6dd205f2a7929b068af8bed20f1823a6354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8b606b8836d1205c9b55c41488ad9450

SHA1
0e02bbe9fe508c170d7014844c7b7e2602ea929e

SHA256
c555b42e160b81e1df766bfb1c7c6b45fa17a12b642405d569cb895e68e14e90

SHA512
7b4b5c529c12ce5da8bcc4dad1b8d008f019460f6e7f8c35442cf9fd164bf43aa640da10b3458b43881bdea70ce296b152f7cc7a019c1f4a32391a23c8575f34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0cf9ed2b7f5ff235966f1327aade70b7

SHA1
ab2517f379896c10eb04ee3122fdf2238b11c6a6

SHA256
9a4efe1ce061c798d7785c6bd6e2b4dcf9884c3d10d58607c64868a201483c7c

SHA512
31780b3b0486c275d4e1239f61ffab392b13a6a6e110ae3fdf41a91a6b41305af0c6e45c3755fb29d78033aecaec321ba3c0ad2d8abf56ac479acd2bb85aacdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1b312330c52ec850f0dcd140c0472441

SHA1
ff1fcbf9952e9314138c7842ba1c6db79a59a7b5

SHA256
414ed63239911e4ad8ad6580e809c7cf8bfd0d327efa590c01e7eff86a4ce9a5

SHA512
0db00a03139d989d84d84aa26dc0d118192cb6fcd8329fd68373d03fdb3900be27ef9cd8b8862202175fdc8f05714c0dd6085a96b2628207ebe745810864ca86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c406240bc09ca6fb2c6053e02ec514b6

SHA1
8367732f74b15ed9be1f02c0d8c7edce39b4071a

SHA256
4310aec1325b509eb1e1bdb89446a90dee6c1a48cf50e67dbeaff1724aff33cf

SHA512
c103cc428b949315e9fa2608c34c260d20858bbbaaf61f1fa0a5fa65605d208edd59c5b95e458745c686d8303f48a6a4c90de85128bffbeaf2cc8c5b234b4995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\418dfd00-9d11-4f8e-bb29-0233fb2fa9f8\index-dir\the-real-index

Filesize
2KB

MD5
c1dfd0fb5457433142cfa15c9205f805

SHA1
2a3132772afc23b0b2e152b53530323cc0b27a3d

SHA256
5d68d435688cc57d210c829c43c05e4ca497f6203365e1f14f11077f3cf1175f

SHA512
63480239a000ddd9e27f0c31849311f690dfa7e42896634664b030e52e368a23f534e0d2b445aafae695345f15c85e40d855fb21c9febcdb47183108f23e588b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\418dfd00-9d11-4f8e-bb29-0233fb2fa9f8\index-dir\the-real-index~RFe57ceaa.TMP

Filesize
48B

MD5
fff6a5266775494b28bf53c2c4bb0757

SHA1
1f136294d9612175fb40bd5c6b1d75dc7f90d44c

SHA256
662ee468114dbb63e4a0c395c834a8dc34a63337dc0415693bf85c1d5b039a82

SHA512
33227b8737a4976f8ab4a41220cc310a5437c8bd08bb815c7a61ea58ab9135460afe783908d4c580fcdb10d27c9d9ffc1638d6b2ce854bbe8b5a61ba19629630

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
5b20515e353ca47aac65e476aeb16b68

SHA1
b35414097179776647e9d401c8f937f261ce2986

SHA256
833c182d6434a5b1ef579053f1efff20ea8d0178586b064bd5e27b8bd4439569

SHA512
5dfbd450bf1a2175c8cf82e1f55ff7f81874c5ff49d689c3398d399140e9b98d8da5e7b9bbd306434962dbc1ad81b868ff3f82f812d3161bef6362be988ae3ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
4f585438d385c5dff9573d14a382b2d5

SHA1
235b1c8755f5ff0589a985144da5ac26a0d39aae

SHA256
039afbd33823b8efa1476bca6f505c5ee15122bcf183a084d965089f52a7504b

SHA512
4d6d1193820bb92bfc849a24b99c5f85f61b2a6f434c62546a4a20f8b7c77aed73724a6e5bc4ce25605e64f54b0daa107ddeae8aa775f4d72112ef34d224de2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt.tmp

Filesize
84B

MD5
4473a3ff9be368194db6cec2a438df92

SHA1
e94a39b9836c7cc01e425238656cc44ad30d3965

SHA256
b00e8fc9f6d7f0c034053433c3e44d65cf78e8a5b52f270825f6b6a2997b625d

SHA512
8213110c69c944eb62c77f372b7cfaa1290db320db946ee6474f3b12f9f6c7831ff52f39b905ba223a16bcd30231a81f03e90cdc677bcdf0d412693366fe3aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe576b6c.TMP

Filesize
89B

MD5
2f59948350ccae30d57a39eaf918ee72

SHA1
ac14209c71bdca0b2d0cd29eb45c20501099177e

SHA256
023fac50f4729777d34e99efb9972f6b16c33e4a721d4c8c92bfe4b0a84091ea

SHA512
bf5da3746d720f828dbab33740c14d65a2968ffbd387bfd1771149f1182be4e5958edae2b88eca556312edc3cde01db85eec9d1a3ba30af016c2420e11a2eeaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
03e7b582062daddddfb79a17a4c3eca9

SHA1
6bb7448f374b3bab61c5cc3a209a0751fe1cfb5e

SHA256
48a37ed775b7a6f36f7a486076330499b27e52fd21a5cdcbc19536395a8112e0

SHA512
62c9876c55af11cdd4c81fb51d61fa405262ade3dae14b92c0467e0a541239ca837148450b5bbacdaaef86521591d82fa502636e5b650cbf02a225fb552c19b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
b918c03ba38220c788352d8968d2b926

SHA1
300fcecc86c108a756183ba6862ad3ac682ed39c

SHA256
ae8080f06e28944163d8293978d2d1950b1fdfaa295a07e51e4261571b72bebe

SHA512
4c87650e19a7957d49068368344a6655d67e52b30fab7edc0878a16eda4d1fc1eb6decc95adede2a36a44074ac7c017d278e1b03f5d46b9004e8ae5c8433d7de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ba76.TMP

Filesize
48B

MD5
3e0ad7f65d6c1391cdf0f37df5d91a73

SHA1
36764319f62224c6b4c6071733703af1de5b1b2d

SHA256
02b3691c51aca709942ad88e663e867476d2499776ed6de648289d2988783146

SHA512
a1872949c61d66d3eddd485efbe7f252532b89c4f5d1c1012ae3fbc4d88e266035ddacf5c0dce2c5cfdf58e26802afe44da6c9a104cb052e708892d2ad610601

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
694B

MD5
b2c8a0ea8da50bc6181eb516ec4b7c0e

SHA1
fc636617a0a8ebf3907a13049db79d5629493b17

SHA256
ef105038d3755a1f466d9f4feebb7b3fef2cb15eee88d50378d69a1570da2aaf

SHA512
b117226bb08deeccfd07abeca9009ce78d642755b5cb2ecd44e50d39696a0323319a95ec752c4fbb5d4c0179b283a9e0cc7aee4f2e3f7984e9621c6f0ebc4b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
855B

MD5
f7e52ef7c922b0c15f183d2450d15d5d

SHA1
27036d5aef93f88a43bd7b327d2694773296ca4e

SHA256
8fbd0f3a5bb862408079a33a172557f51542184784fdd411884d0da5869cba01

SHA512
a1ebb950ee43e66a45ef7bee3568657c73f7ae16675d7c6afed12f3d1082d0a2d02eb7c85d268123e0441883699f7328b7e5a9395527d56780e04ec7c20e8664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1022B

MD5
3756cc3355eca055e9fb7070684f811f

SHA1
82ed2c5987caae03c1647c106c71b4a88474308d

SHA256
70029da93267cd2fe4483670191da7099fcd5b860faf35ad658d38d5ec673ed5

SHA512
6443186ba4cf7cb4a52ab3e81f221383ae2222ea4a9254caf8bcbcf5557264ebf2d1fbc9a87e09d049b544d4c32f9e2783ed4c8ad556ec527f0f931784e782fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57b47b.TMP

Filesize
706B

MD5
17eabb5c6c59faf72b422e7792b25d60

SHA1
2096678f73076a0e15871ef6e04474edf86a7cb5

SHA256
76d0ac8ddbd455ef63b2e5b7e5f68458380aab427b5dd04859eea21b0b98b7bc

SHA512
cbab416b31dfdd646eb3fe42f823d00c441c0da0953e7203372cad834f804d70e0b05e12ab2a08bd4df501c9a3d802666a480c2da1be463fa55d3d6d7b2166ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cd99d275a8cd082305c3ffcc166c02ec

SHA1
3d3345567fb1cb842df08d9b7734e739a6951512

SHA256
da9f14a406d26eeb84ac89eb7207b83ecb05ca4b11983cfd97e44da14d152dec

SHA512
47fa59e63ac8115eb0f0f26b06b853ea9bd490d807194e61805b384e65a80805aaa454cb36cdac9568776021c981ddf19b83d0f5375470496333a4d8a340b9e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
90be2b06f91e17fb4166c64238f1e6d6

SHA1
e4e17e7645f77115a1b9c248b8f45ea28e34af5e

SHA256
597d02f8425a3ba622af8b5c275aff77ff0932a1712f99e69909b6f39a9688d5

SHA512
8cceaf8d301069718bb7ff18fad75231af9932c2835474e8d81f2c66daad00dfea7e4e8f253fc7e61719c56eab6e14e36c17122b87a6f657a8069360782a8d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
562ce17e34fad3d10f2ee9f894ce47bf

SHA1
89bac3233caf646fc9e0f8a2a11e8e2316071dea

SHA256
adb4f6557a2c8e072e1e2ac7af3f97e01ff04e314ff90e79ff24b968ee7cf601

SHA512
434d418e18b14ba387944ddbeeb847b1533587789821477726f87f9f1c20554facaab02576fb8ff920f150227272fce4289d644bdee40ac334da2dc349561165

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c627c7eff8be8d3aff98cc2ae36da61

SHA1
a336f62eba18934f2ba588caaceb95c8870df7a3

SHA256
545ec067ebc226d629ed92fb5bffbcb35ce0a7586db0b5eea1ff04e03a487876

SHA512
641fb3a5348fbc1a6096cd0c3b35e3e52a03c84532547b0ffb02434878628930925c0025dcb4552837d7d76b57ab4f47ec65a85b926de1d0882b33a5f608f92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409191346441\additional_file0.tmp

Filesize
2.6MB

MD5
0995a010e2f8b866c6abca90fa49130f

SHA1
f282871f9d6333f5bcc738062613c44567a58dc0

SHA256
74d4c26b0ee35a7431944e51aaf5ec4ab3338b6776bf44bdfdbc1e201b4fea76

SHA512
b98e4bd252a9bdb11a7f15c795910daabdbe8e0ba0fa86a5ee6f8167ff66a9b67790c51f700666239781ad46241926590588b6831d16e5057dcbfebe37c3ae6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

Filesize
5.1MB

MD5
c3ad19d69141fa707540087edc297679

SHA1
0bba92b6e3371770989ef3597a9192d16b4feae2

SHA256
ff7ac32388dbd9ad3ef945b0e71518c2d869b9d9cc8fbbd14d3b0665850b0933

SHA512
28648a5c8c44def983cbdc4f6b48dc97d5fbda2a2f8ac3d93f85476f3492bc18986be97a5954e27fff1206779736b0ed90df1a04c35f30e1c182b6435cf33f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409191346440244004.dll

Filesize
4.6MB

MD5
af4d7038964957d0316e5cc585dcc65b

SHA1
5adf3de24387ba6aa548787586cca5c6186fddfa

SHA256
bac6f2f2f872837ceecf54e7ab04e620e5e0a951029e93920977bac0a2b0fe03

SHA512
b76b889e3ef159a363a85b0db84a67d478a04b1737b14582877622dc07fd12fb5dd20171d0f178bad1c7d9b77aebe76edee59ca9e5b8c75d983384e6dab33fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
5.7MB

MD5
38cc1b5c2a4c510b8d4930a3821d7e0b

SHA1
f06d1d695012ace0aef7a45e340b70981ca023ba

SHA256
c2ba8645c5c9507d422961ceaeaf422adf6d378c2a7c02199ed760fb37a727f2

SHA512
99170f8094f61109d08a6e7cf25e7fba49160b0009277d10e9f0b9dac6f022e7a52e3d822e9aee3f736c2d285c4c3f62a2e6eb3e70f827ac6e8b867eea77f298

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll

Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll

Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe

Filesize
26KB

MD5
cef027c3341afbcdb83c72080df7f002

SHA1
e538f1dd4aee8544d888a616a6ebe4aeecaf1661

SHA256
e87db511aa5b8144905cd24d9b425f0d9a7037fface3ca7824b7e23cfddbbbb7

SHA512
71ba423c761064937569922f1d1381bd11d23d1d2ed207fc0fead19e9111c1970f2a69b66e0d8a74497277ffc36e0fc119db146b5fd068f4a6b794dc54c5d4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\OfferPage.html

Filesize
1KB

MD5
9ba0a91b564e22c876e58a8a5921b528

SHA1
8eb23cab5effc0d0df63120a4dbad3cffcac6f1e

SHA256
2ad742b544e72c245f4e9c2e69f989486222477c7eb06e85d28492bd93040941

SHA512
38b5fb0f12887a619facce82779cb66e2592e5922d883b9dc4d5f9d2cb12e0f84324422cd881c948f430575febd510e948a22cd291595e3a0ba0307fce73bec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis

Filesize
291B

MD5
bf5328e51e8ab1211c509b5a65ab9972

SHA1
480dfb920e926d81bce67113576781815fbd1ea4

SHA256
98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b

SHA512
92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico

Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll

Filesize
5.6MB

MD5
b431083586e39d018e19880ad1a5ce8f

SHA1
3bbf957ab534d845d485a8698accc0a40b63cedd

SHA256
b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

SHA512
7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
C:\Users\Admin\AppData\Local\setup75354638.exe

Filesize
3.8MB

MD5
29d3a70cec060614e1691e64162a6c1e

SHA1
ce4daf2b1d39a1a881635b393450e435bfb7f7d1

SHA256
cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72

SHA512
69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b

Download Submit
C:\Users\Admin\Downloads\Vega X Dev Mode.zip

Filesize
42.9MB

MD5
e6ee01480cf9daf82e34d03f840581d6

SHA1
dc1330733028c6c3151fb6f08d2b3c2c64d47238

SHA256
992057e88c9e6bab5cfa15460ba7a8dfaedb56f25f32887820bdc38ec4e314bd

SHA512
9accec551e191b23f9e23ce117ed01fb5687e7cbe038424e53ec59df0ff2b27e39a566c2a4014e0e4d8abe387673f96826a1a76b09c4a4014f276337ea6b4b29

Download Submit
C:\Users\Admin\Downloads\Vega X Windows.txt

Filesize
986B

MD5
e2dba5cd1c8456af3490e6e2ba4c2ef1

SHA1
2ae56d2992eb5d8410392b8e7e79c6def9878b12

SHA256
31e1ccbc7cfe31d68c90623c79b13401272ccd2739e0e06f18d679e7a0c8fee1

SHA512
60aa30b6316590416b358e57bb5aa032132a5f8ed22e2e955f9c0b636f2400fff7dcb59877979f8ce4cfd020e663f163eb8c585bbeda264cc843afabe2eaa467

Download Submit
C:\Users\Admin\Downloads\Vega X Windows_75354638.exe

Filesize
9.5MB

MD5
fe199f51da36542219eeea6f2cc3cb8d

SHA1
ffe0276d59a60475cafc48b7cb2f2278aea19128

SHA256
16bb6d0fae77ee99a00727114cc9e6717905df018271d8cbcb7e642db7f90330

SHA512
4881f0304934701b1e7220714f42ca05362b7ded751583a7dbc8176811e2dcc161d06ee5ed7393d6ae459569ae3952580225d87b0678b9fc4d124055b93d0d9a

Download Submit
memory/2252-783-0x00000000067C0000-0x00000000067CA000-memory.dmp

Filesize
40KB

Download
memory/2252-773-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/4872-1119-0x000000000A500000-0x000000000A508000-memory.dmp

Filesize
32KB

Download
memory/4872-1121-0x000000000A510000-0x000000000A51E000-memory.dmp

Filesize
56KB

Download
memory/4872-1120-0x000000000A550000-0x000000000A588000-memory.dmp

Filesize
224KB

Download
memory/4872-1125-0x00000000069C0000-0x0000000006A72000-memory.dmp

Filesize
712KB

Download
memory/4872-1126-0x0000000006140000-0x0000000006150000-memory.dmp

Filesize
64KB

Download
memory/4872-1118-0x0000000009CC0000-0x0000000009D5E000-memory.dmp

Filesize
632KB

Download
memory/4872-1127-0x0000000006AF0000-0x0000000006B66000-memory.dmp

Filesize
472KB

Download
memory/4872-1117-0x00000000091B0000-0x000000000926A000-memory.dmp

Filesize
744KB

Download
memory/4872-1116-0x00000000081D0000-0x0000000008AFC000-memory.dmp

Filesize
9.2MB

Download
memory/4872-1128-0x0000000005F30000-0x0000000005F4E000-memory.dmp

Filesize
120KB

Download
memory/4872-1115-0x0000000000CB0000-0x00000000013F0000-memory.dmp

Filesize
7.2MB

Download
memory/4872-1129-0x0000000007AF0000-0x0000000007C76000-memory.dmp

Filesize
1.5MB

Download
memory/5300-536-0x0000000005130000-0x0000000005154000-memory.dmp

Filesize
144KB

Download
memory/5300-560-0x00000000051F0000-0x000000000521C000-memory.dmp

Filesize
176KB

Download
memory/5300-480-0x0000000004F60000-0x0000000004F74000-memory.dmp

Filesize
80KB

Download
memory/5300-612-0x0000000006140000-0x0000000006162000-memory.dmp

Filesize
136KB

Download
memory/5300-611-0x0000000005ED0000-0x0000000005EDA000-memory.dmp

Filesize
40KB

Download
memory/5300-606-0x0000000005F50000-0x0000000005FDC000-memory.dmp

Filesize
560KB

Download
memory/5300-458-0x0000000000310000-0x00000000006E8000-memory.dmp

Filesize
3.8MB

Download
memory/5300-587-0x0000000005860000-0x0000000005872000-memory.dmp

Filesize
72KB

Download
memory/5300-613-0x0000000006370000-0x00000000066C4000-memory.dmp

Filesize
3.3MB

Download
memory/5300-496-0x0000000004FE0000-0x0000000005008000-memory.dmp

Filesize
160KB

Download
memory/5300-570-0x0000000005180000-0x000000000519D000-memory.dmp

Filesize
116KB

Download
memory/5300-488-0x0000000004FB0000-0x0000000004FD4000-memory.dmp

Filesize
144KB

Download
memory/5300-552-0x00000000051A0000-0x00000000051A8000-memory.dmp

Filesize
32KB

Download
memory/5300-544-0x0000000005110000-0x000000000511A000-memory.dmp

Filesize
40KB

Download
memory/5300-642-0x0000000006A80000-0x0000000006B12000-memory.dmp

Filesize
584KB

Download
memory/5300-504-0x0000000005010000-0x000000000503E000-memory.dmp

Filesize
184KB

Download
memory/5300-619-0x0000000006830000-0x000000000683C000-memory.dmp

Filesize
48KB

Download
memory/5300-622-0x0000000006E10000-0x00000000073B4000-memory.dmp

Filesize
5.6MB

Download
memory/5300-528-0x0000000005090000-0x00000000050AA000-memory.dmp

Filesize
104KB

Download
memory/5300-512-0x0000000005040000-0x0000000005068000-memory.dmp

Filesize
160KB

Download
memory/5300-632-0x0000000007980000-0x0000000007F34000-memory.dmp

Filesize
5.7MB

Download
memory/5300-520-0x00000000050C0000-0x00000000050F2000-memory.dmp

Filesize
200KB

Download
memory/5300-664-0x0000000008070000-0x000000000809E000-memory.dmp

Filesize
184KB

Download