hxxps://filedm[.]com/IlpfH

Analysis

max time kernel
94s
max time network
99s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21/09/2024, 21:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://filedm.com/IlpfH

Score

8^/10

discovery spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 13 IoCs

pid	Process
2700	Scythex Exploit_95304198.exe
4052	setup95304198.exe
4456	setup95304198.exe
4264	OfferInstaller.exe
4160	2xqa5p4x.gok.exe
1924	setup.exe
1828	setup.exe
5048	setup.exe
4480	setup.exe
5080	setup.exe
2636	Assistant_113.0.5230.31_Setup.exe_sfx.exe
3528	assistant_installer.exe
4328	assistant_installer.exe

Loads dropped DLL 64 IoCs

pid	Process
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe
4456	setup95304198.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 4 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\F:	setup.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

discovery

Process Discovery

T1057

pid	Process
1768	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Scythex Exploit_95304198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup95304198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup95304198.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2xqa5p4x.gok.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OfferInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Assistant_113.0.5230.31_Setup.exe_sfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	assistant_installer.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4252	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz!	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "433766598"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{40592321-426D-4461-B77F-5315AF64B3F = "8320"	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "433718013"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	Scythex Exploit_95304198.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-087602 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{338B20AC-55FE-4BEA-8A5D-DC695283ACB5} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = efec09b66a0cdb01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = bbec91c96a0cdb01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{40592321-426D-4461-B77F-5315AF64B3F = 6535f0ca6a0cdb01	browser_broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{40592321-426D-4461-B77F-5315AF64B3F = "\\\\?\\Volume{38FD360B-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\Scythex Exploit_95304198.exe"	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = f93a29bb6a0cdb01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = d0738fc96a0cdb01	MicrosoftEdge.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e7549030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b90f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e404000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	setup95304198.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup95304198.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	setup95304198.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	setup.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Scythex Exploit_95304198.exe.jc0rmrk.partial:Zone.Identifier	browser_broker.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4992	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
4052	setup95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
4264	OfferInstaller.exe
4264	OfferInstaller.exe
4264	OfferInstaller.exe
4264	OfferInstaller.exe
4264	OfferInstaller.exe
4264	OfferInstaller.exe
4264	OfferInstaller.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3784	MicrosoftEdgeCP.exe
3784	MicrosoftEdgeCP.exe
3784	MicrosoftEdgeCP.exe
3784	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3404	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3404	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3404	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3404	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5000	MicrosoftEdge.exe
Token: SeDebugPrivilege	5000	MicrosoftEdge.exe
Token: SeDebugPrivilege	4052	setup95304198.exe
Token: SeDebugPrivilege	4264	OfferInstaller.exe
Token: SeDebugPrivilege	1768	tasklist.exe
Token: SeDebugPrivilege	1924	setup.exe
Token: SeDebugPrivilege	1924	setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2700	Scythex Exploit_95304198.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
5000	MicrosoftEdge.exe
3784	MicrosoftEdgeCP.exe
3404	MicrosoftEdgeCP.exe
3784	MicrosoftEdgeCP.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
2700	Scythex Exploit_95304198.exe
4052	setup95304198.exe
4160	2xqa5p4x.gok.exe
1924	setup.exe
1828	setup.exe
5048	setup.exe
4480	setup.exe
5080	setup.exe
2636	Assistant_113.0.5230.31_Setup.exe_sfx.exe
3528	assistant_installer.exe
4328	assistant_installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3784 wrote to memory of 4320	3784	MicrosoftEdgeCP.exe	77
PID 3784 wrote to memory of 4320	3784	MicrosoftEdgeCP.exe	77
PID 3784 wrote to memory of 4320	3784	MicrosoftEdgeCP.exe	77
PID 3784 wrote to memory of 4320	3784	MicrosoftEdgeCP.exe	77
PID 3784 wrote to memory of 4320	3784	MicrosoftEdgeCP.exe	77
PID 3784 wrote to memory of 4320	3784	MicrosoftEdgeCP.exe	77
PID 3784 wrote to memory of 4320	3784	MicrosoftEdgeCP.exe	77
PID 3784 wrote to memory of 4320	3784	MicrosoftEdgeCP.exe	77
PID 3784 wrote to memory of 4320	3784	MicrosoftEdgeCP.exe	77
PID 3784 wrote to memory of 4320	3784	MicrosoftEdgeCP.exe	77
PID 3784 wrote to memory of 4320	3784	MicrosoftEdgeCP.exe	77
PID 3784 wrote to memory of 4320	3784	MicrosoftEdgeCP.exe	77
PID 520 wrote to memory of 2700	520	browser_broker.exe	79
PID 520 wrote to memory of 2700	520	browser_broker.exe	79
PID 520 wrote to memory of 2700	520	browser_broker.exe	79
PID 2700 wrote to memory of 4052	2700	Scythex Exploit_95304198.exe	81
PID 2700 wrote to memory of 4052	2700	Scythex Exploit_95304198.exe	81
PID 2700 wrote to memory of 4052	2700	Scythex Exploit_95304198.exe	81
PID 2700 wrote to memory of 4456	2700	Scythex Exploit_95304198.exe	82
PID 2700 wrote to memory of 4456	2700	Scythex Exploit_95304198.exe	82
PID 2700 wrote to memory of 4456	2700	Scythex Exploit_95304198.exe	82
PID 4052 wrote to memory of 4264	4052	setup95304198.exe	83
PID 4052 wrote to memory of 4264	4052	setup95304198.exe	83
PID 4052 wrote to memory of 4264	4052	setup95304198.exe	83
PID 4052 wrote to memory of 5076	4052	setup95304198.exe	84
PID 4052 wrote to memory of 5076	4052	setup95304198.exe	84
PID 4052 wrote to memory of 5076	4052	setup95304198.exe	84
PID 5076 wrote to memory of 1768	5076	cmd.exe	86
PID 5076 wrote to memory of 1768	5076	cmd.exe	86
PID 5076 wrote to memory of 1768	5076	cmd.exe	86
PID 5076 wrote to memory of 5108	5076	cmd.exe	87
PID 5076 wrote to memory of 5108	5076	cmd.exe	87
PID 5076 wrote to memory of 5108	5076	cmd.exe	87
PID 5076 wrote to memory of 4252	5076	cmd.exe	89
PID 5076 wrote to memory of 4252	5076	cmd.exe	89
PID 5076 wrote to memory of 4252	5076	cmd.exe	89
PID 4264 wrote to memory of 4160	4264	OfferInstaller.exe	90
PID 4264 wrote to memory of 4160	4264	OfferInstaller.exe	90
PID 4264 wrote to memory of 4160	4264	OfferInstaller.exe	90
PID 4160 wrote to memory of 1924	4160	2xqa5p4x.gok.exe	91
PID 4160 wrote to memory of 1924	4160	2xqa5p4x.gok.exe	91
PID 4160 wrote to memory of 1924	4160	2xqa5p4x.gok.exe	91
PID 1924 wrote to memory of 1828	1924	setup.exe	92
PID 1924 wrote to memory of 1828	1924	setup.exe	92
PID 1924 wrote to memory of 1828	1924	setup.exe	92
PID 1924 wrote to memory of 5048	1924	setup.exe	93
PID 1924 wrote to memory of 5048	1924	setup.exe	93
PID 1924 wrote to memory of 5048	1924	setup.exe	93
PID 1924 wrote to memory of 4480	1924	setup.exe	94
PID 1924 wrote to memory of 4480	1924	setup.exe	94
PID 1924 wrote to memory of 4480	1924	setup.exe	94
PID 4480 wrote to memory of 5080	4480	setup.exe	95
PID 4480 wrote to memory of 5080	4480	setup.exe	95
PID 4480 wrote to memory of 5080	4480	setup.exe	95
PID 2700 wrote to memory of 4992	2700	Scythex Exploit_95304198.exe	96
PID 2700 wrote to memory of 4992	2700	Scythex Exploit_95304198.exe	96
PID 2700 wrote to memory of 4992	2700	Scythex Exploit_95304198.exe	96
PID 1924 wrote to memory of 2636	1924	setup.exe	97
PID 1924 wrote to memory of 2636	1924	setup.exe	97
PID 1924 wrote to memory of 2636	1924	setup.exe	97
PID 1924 wrote to memory of 3528	1924	setup.exe	98
PID 1924 wrote to memory of 3528	1924	setup.exe	98
PID 1924 wrote to memory of 3528	1924	setup.exe	98
PID 3528 wrote to memory of 4328	3528	assistant_installer.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://filedm.com/IlpfH"
1⤵
PID:3152

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5000

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:520
- C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Scythex Exploit_95304198.exe
  "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Scythex Exploit_95304198.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\setup95304198.exe
    C:\Users\Admin\AppData\Local\setup95304198.exe hhwnd=131736 hreturntoinstaller hextras=id:964bc9f9d4b9a45-US-IlpfH
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4052
  - - C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferInstaller.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4264
    - - C:\Users\Admin\AppData\Local\Temp\2xqa5p4x.gok.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2xqa5p4x.gok.exe" --silent --otd="utm.medium:apb,utm.source:lavasoft,utm.campaign:lavasoftOPTOUT:ES_NA_63053a73342f17647bd2cec5"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4160
      - C:\Users\Admin\AppData\Local\Temp\7zS04092408\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS04092408\setup.exe --silent --otd="utm.medium:apb,utm.source:lavasoft,utm.campaign:lavasoftOPTOUT:ES_NA_63053a73342f17647bd2cec5" --server-tracking-blob=YjNlYWY1NzI3MjE4MzhlNDBkZjQ4ZGU5NTVlZGE4ZTQ4YTk4YTY2MmJkMDdkMmQzMTFhNjFlMDIyNmUxMzczZDp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijoib3BlcmEiLCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUxBVkFTT0ZUJnV0bV9tZWRpdW09YXBiJnV0bV9jYW1wYWlnbj1sYXZhc29mdE9QVE9VVCIsInRpbWVzdGFtcCI6IjE3MjY5NTMwOTcuNTgzMiIsInV0bSI6eyJjYW1wYWlnbiI6ImxhdmFzb2Z0T1BUT1VUIiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoiTEFWQVNPRlQifSwidXVpZCI6Ijk4YTI4ODgwLTBiMjktNDNkMS05MDlkLTgwOGU3M2RmNDc4YiJ9
        6⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\7zS04092408\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS04092408\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=113.0.5230.62 --initial-client-data=0x304,0x308,0x30c,0x2e4,0x310,0x6d11ae8c,0x6d11ae98,0x6d11aea4
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe" --version
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\7zS04092408\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS04092408\setup.exe" --backend --install --import-browser-data=0 --enable-stats=1 --enable-installer-stats=1 --consent-given=0 --general-interests=0 --general-location=0 --personalized-content=0 --personalized-ads=0 --launchopera=1 --installfolder="C:\Users\Admin\AppData\Local\Programs\Opera" --profile-folder --language=en --singleprofile=0 --copyonly=0 --allusers=0 --setdefaultbrowser=1 --pintotaskbar=1 --pintostartmenu=1 --run-at-startup=1 --show-intro-overlay --server-tracking-data=server_tracking_data --initial-pid=1924 --package-dir-prefix="C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_20240921211139" --session-guid=af0e5cc5-1ee6-4e73-ad3e-7ff2e4b9c246 --server-tracking-blob=YmIzYzE5NWFiZTJhZDEyMjUwOGExZTg1NjlmNDg2MDM0NjAwYTA4NGQzYzVhYTBjNDQ5ZWMwNmE3OTRmMzg2Yzp7ImNvdW50cnkiOiJHQiIsImluc3RhbGxlcl9uYW1lIjoiT3BlcmFTZXR1cC5leGUiLCJwcm9kdWN0Ijp7Im5hbWUiOiJvcGVyYSJ9LCJxdWVyeSI6Ii9vcGVyYS9zdGFibGUvd2luZG93cz91dG1fc291cmNlPUxBVkFTT0ZUJnV0bV9tZWRpdW09YXBiJnV0bV9jYW1wYWlnbj1sYXZhc29mdE9QVE9VVCIsInN5c3RlbSI6eyJwbGF0Zm9ybSI6eyJhcmNoIjoieDg2XzY0Iiwib3BzeXMiOiJXaW5kb3dzIiwib3BzeXMtdmVyc2lvbiI6IjEwIiwicGFja2FnZSI6IkVYRSJ9fSwidGltZXN0YW1wIjoiMTcyNjk1MzA5Ny41ODMyIiwidXRtIjp7ImNhbXBhaWduIjoibGF2YXNvZnRPUFRPVVQ6RVNfTkFfNjMwNTNhNzMzNDJmMTc2NDdiZDJjZWM1IiwibWVkaXVtIjoiYXBiIiwic291cmNlIjoibGF2YXNvZnQifSwidXVpZCI6Ijk4YTI4ODgwLTBiMjktNDNkMS05MDlkLTgwOGU3M2RmNDc4YiJ9 --silent --desktopshortcut=1 --wait-for-package --initial-proc-handle=2405000000000000
        7⤵
        Executes dropped EXE
        Enumerates connected drives
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\7zS04092408\setup.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS04092408\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=113.0.5230.62 --initial-client-data=0x314,0x318,0x31c,0x310,0x320,0x6c79ae8c,0x6c79ae98,0x6c79aea4
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409212111391\assistant\Assistant_113.0.5230.31_Setup.exe_sfx.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409212111391\assistant\Assistant_113.0.5230.31_Setup.exe_sfx.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409212111391\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409212111391\assistant\assistant_installer.exe" --version
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409212111391\assistant\assistant_installer.exe
        
        "C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409212111391\assistant\assistant_installer.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Crash Reports" "--crash-count-file=C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win32 --annotation=prod=OperaDesktop --annotation=ver=113.0.5230.31 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x3c2c48,0x3c2c54,0x3c2c60
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H2OCleanup.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5076
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "PID eq 4052" /fo csv
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
    - - C:\Windows\SysWOW64\find.exe
        
        find /I "4052"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5108
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4252
- - C:\Users\Admin\AppData\Local\setup95304198.exe
    C:\Users\Admin\AppData\Local\setup95304198.exe hready
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4456
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\link.txt
    3⤵
    - System Location Discovery: System Language Discovery
    - Opens file in notepad (likely ransom note)
    PID:4992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4320

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Adaware\OfferInstaller.exe_Url_1hem3jux35iv1vzfopbi55gu03hcnxpl\7.14.2.0\user.config

Filesize
798B

MD5
f3da41e2f01ec12a28efa662df2fa963

SHA1
9760227f497132829ec34fffec6184969043bba1

SHA256
a4544f806b5637e45e2e702c7997d0b6a52b805670a72aac518d189c3004d1c2

SHA512
ae4f56f93a2386abe8891ba5ba1cc7de166a28c6a2f3913870bed2926ac43469bbbf0b4b18acf2fce7c7f120056e36b3777aabbdf9715cc12d2159403e392e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XCFODRP5\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YGWDMITP\Scythex Exploit_95304198[1].exe

Filesize
9.5MB

MD5
fe199f51da36542219eeea6f2cc3cb8d

SHA1
ffe0276d59a60475cafc48b7cb2f2278aea19128

SHA256
16bb6d0fae77ee99a00727114cc9e6717905df018271d8cbcb7e642db7f90330

SHA512
4881f0304934701b1e7220714f42ca05362b7ded751583a7dbc8176811e2dcc161d06ee5ed7393d6ae459569ae3952580225d87b0678b9fc4d124055b93d0d9a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\P25NBSGP\favicon[1].png

Filesize
81KB

MD5
53df7bf8bfc885a6b5ed1580858f958c

SHA1
7510337856627738b94b37244d7fe2406ab8247c

SHA256
52bb7a64791d603a33c1a09e3602796154dff26b4e92f41f84315066c8a88587

SHA512
dedde68f55a3488fb74d6414bbbb8c3303c25448a26f0146eed9f6cca41ecd6056d2493c697ab44d3c184db2852b6bb7e649bebcff49483ee879e30f2692b91d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\SWI8KNW7\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\YGWDMITP\Scythex Exploit_95304198[1].exe

Filesize
13KB

MD5
25ed7edeadf459b633798d5b3805b224

SHA1
fff6c0770e1e1c81c011813f54296eb97820055f

SHA256
e38c26626bbd7c9faa615527c0547012fe4b996f7fffe3371852a75598bcd9d5

SHA512
9680c434172aeb8afb10d1dcf81a0de02f21350163f570fe44c0f58ad4cc8883258879e492e447e1b7500f0476d58bfb0fc83178ba8daf38b0157832f0ed226e

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\opera_package_202409212111391\additional_file0.tmp

Filesize
2.6MB

MD5
0995a010e2f8b866c6abca90fa49130f

SHA1
f282871f9d6333f5bcc738062613c44567a58dc0

SHA256
74d4c26b0ee35a7431944e51aaf5ec4ab3338b6776bf44bdfdbc1e201b4fea76

SHA512
b98e4bd252a9bdb11a7f15c795910daabdbe8e0ba0fa86a5ee6f8167ff66a9b67790c51f700666239781ad46241926590588b6831d16e5057dcbfebe37c3ae6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\.opera\Opera Installer Temp\setup.exe

Filesize
5.1MB

MD5
c3ad19d69141fa707540087edc297679

SHA1
0bba92b6e3371770989ef3597a9192d16b4feae2

SHA256
ff7ac32388dbd9ad3ef945b0e71518c2d869b9d9cc8fbbd14d3b0665850b0933

SHA512
28648a5c8c44def983cbdc4f6b48dc97d5fbda2a2f8ac3d93f85476f3492bc18986be97a5954e27fff1206779736b0ed90df1a04c35f30e1c182b6435cf33f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Opera_installer_2409212111394311828.dll

Filesize
4.6MB

MD5
af4d7038964957d0316e5cc585dcc65b

SHA1
5adf3de24387ba6aa548787586cca5c6186fddfa

SHA256
bac6f2f2f872837ceecf54e7ab04e620e5e0a951029e93920977bac0a2b0fe03

SHA512
b76b889e3ef159a363a85b0db84a67d478a04b1737b14582877622dc07fd12fb5dd20171d0f178bad1c7d9b77aebe76edee59ca9e5b8c75d983384e6dab33fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2ODAL.dll

Filesize
15KB

MD5
422be1a0c08185b107050fcf32f8fa40

SHA1
c8746a8dad7b4bf18380207b0c7c848362567a92

SHA256
723aea78755292d2f4f87ad100a99b37bef951b6b40b62e2e2bbd4df3346d528

SHA512
dff51c890cb395665839070d37170d321dc0800981a42f173c6ea570684460146b4936af9d8567a6089bef3a7802ac4931c14031827689ef345ea384ceb47599

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OViewModels.dll

Filesize
8KB

MD5
be4c2b0862d2fc399c393fca163094df

SHA1
7c03c84b2871c27fa0f1914825e504a090c2a550

SHA256
c202e4f92b792d34cb6859361aebdbfc8c61cf9e735edfd95e825839920fb88a

SHA512
d9c531687a5051bbfe5050c5088623b3fd5f20b1e53dd4d3ed281c8769c15f45da36620231f6d0d76f8e2aa7de00c2324a4bf35a815cefc70ca97bc4ab253799

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\HtmlAgilityPack.dll

Filesize
154KB

MD5
17220f65bd242b6a491423d5bb7940c1

SHA1
a33fabf2b788e80f0f7f84524fe3ed9b797be7ad

SHA256
23056f14edb6e0afc70224d65de272a710b5d26e6c3b9fe2dfd022073050c59f

SHA512
bfbe284a2ee7361ada9a9cb192580fd64476e70bc78d14e80ad1266f7722a244d890600cf24bfb83d4914e2434272679ba177ee5f98c709950e43192f05e215e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Ninject.dll

Filesize
133KB

MD5
8db691813a26e7d0f1db5e2f4d0d05e3

SHA1
7c7a33553dd0b50b78bf0ca6974c77088da253eb

SHA256
3043a65f11ac204e65bca142ff4166d85f1b22078b126b806f1fecb2a315c701

SHA512
d02458180ec6e6eda89b5b0e387510ab2fad80f9ce57b8da548aaf85c34a59c39afaeacd1947bd5eb81bee1f6d612ca57d0b2b756d64098dfc96ca0bf2d9f62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\OfferSDK.dll

Filesize
172KB

MD5
b199dcd6824a02522a4d29a69ab65058

SHA1
f9c7f8c5c6543b80fa6f1940402430b37fa8dce4

SHA256
9310a58f26be8bd453cde5ca6aa05042942832711fbdeb5430a2840232bfa5e4

SHA512
1d3e85e13ff24640c76848981ca84bafb32f819a082e390cb06fe13445814f50f8e3fc3a8a8e962aae8867e199c1517d570c07f28d5f7e5f007b2bb6e664ddb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Resources\tis\Config.tis

Filesize
291B

MD5
bf5328e51e8ab1211c509b5a65ab9972

SHA1
480dfb920e926d81bce67113576781815fbd1ea4

SHA256
98f22fb45530506548ae320c32ee4939d27017481d2ad0d784aa5516f939545b

SHA512
92bd7895c5ff8c40eecfdc2325ee5d1fb7ed86ce0ef04e8e4a65714fcf5603ea0c87b71afadb473433abb24f040ccabd960fa847b885322ad9771e304b661928

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\SciterWrapper.dll

Filesize
134KB

MD5
105a9e404f7ac841c46380063cc27f50

SHA1
ec27d9e1c3b546848324096283797a8644516ee3

SHA256
69fe749457218ec9a765f9aac74caf6d4f73084cf5175d3fd1e4f345af8b3b8b

SHA512
6990cbfc90c63962abde4fdaae321386f768be9fcf4d08bccd760d55aba85199f7a3e18bd7abe23c3a8d20ea9807cecaffb4e83237633663a8bb63dd9292d940

Download Submit
C:\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\app.ico

Filesize
766B

MD5
4003efa6e7d44e2cbd3d7486e2e0451a

SHA1
a2a9ab4a88cd4732647faa37bbdf726fd885ea1e

SHA256
effd42c5e471ea3792f12538bf7c982a5cda4d25bfbffaf51eed7e09035f4508

SHA512
86e71ca8ca3e62949b44cfbc7ffa61d97b6d709fc38216f937a026fb668fbb1f515bac2f25629181a82e3521dafa576cac959d2b527d9cc9eb395e50d64c1198

Download Submit
C:\Users\Admin\AppData\Local\setup95304198.exe

Filesize
3.8MB

MD5
29d3a70cec060614e1691e64162a6c1e

SHA1
ce4daf2b1d39a1a881635b393450e435bfb7f7d1

SHA256
cc70b093a19610e9752794d757aec9ef07ca862ea9267ec6f9cc92b2aa882c72

SHA512
69d07437714259536373872e8b086fc4548f586e389f67e50f56d343e980546f92b8a13f28c853fc1daf187261087a9dceb33769ba2031c42382742d86c60e4b

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.LastScreen.dll

Filesize
57KB

MD5
6e001f8d0ee4f09a6673a9e8168836b6

SHA1
334ad3cf0e4e3c03415a4907b2d6cf7ba4cbcd38

SHA256
6a30f9c604c4012d1d2e1ba075213c378afb1bfcb94276de7995ed7bbf492859

SHA512
0eff2e6d3ad75abf801c2ab48b62bc93ebc5a128d2e03e507e6e5665ff9a2ab58a9d82ca71195073b971f8c473f339baffdd23694084eaaff321331b5faaecf6

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\GenericSetup.dll

Filesize
117KB

MD5
08112f27dcd8f1d779231a7a3e944cb1

SHA1
39a98a95feb1b6295ad762e22aa47854f57c226f

SHA256
11c6a8470a3f2b2be9b8cafe5f9a0afce7303bfd02ab783a0f0ee09a184649fa

SHA512
afd0c7df58b63c7cfdbedea7169a1617f2ac4bad07347f8ed7757a25ab0719489d93272109b73a1b53e9c5997dedad8da89da7b339d30fc2573ca2f76c630ddb

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OCommonResources.dll

Filesize
5.7MB

MD5
38cc1b5c2a4c510b8d4930a3821d7e0b

SHA1
f06d1d695012ace0aef7a45e340b70981ca023ba

SHA256
c2ba8645c5c9507d422961ceaeaf422adf6d378c2a7c02199ed760fb37a727f2

SHA512
99170f8094f61109d08a6e7cf25e7fba49160b0009277d10e9f0b9dac6f022e7a52e3d822e9aee3f736c2d285c4c3f62a2e6eb3e70f827ac6e8b867eea77f298

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OModels.dll

Filesize
75KB

MD5
c06ac6dcfa7780cd781fc9af269e33c0

SHA1
f6b69337b369df50427f6d5968eb75b6283c199d

SHA256
b23b8310265c14d7e530b80defc6d39cdc638c07d07cd2668e387863c463741d

SHA512
ad167ad62913243e97efaeaa7bad38714aba7fc11f48001974d4f9c68615e9bdfb83bf623388008e77d61cee0eaba55ce47ebbb1f378d89067e74a05a11d9fe3

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OResources.dll

Filesize
19KB

MD5
554c3e1d68c8b5d04ca7a2264ca44e71

SHA1
ef749e325f52179e6875e9b2dd397bee2ca41bb4

SHA256
1eb0795b1928f6b0459199dace5affdc0842b6fba87be53ca108661275df2f3e

SHA512
58ce13c47e0daf99d66af1ea35984344c0bb11ba70fe92bc4ffa4cd6799d6f13bcad652b6883c0e32c6e155e9c1b020319c90da87cb0830f963639d53a51f9c6

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OServices.dll

Filesize
160KB

MD5
6df226bda27d26ce4523b80dbf57a9ea

SHA1
615f9aba84856026460dc54b581711dad63da469

SHA256
17d737175d50eee97ac1c77db415fe25cc3c7a3871b65b93cc3fad63808a9abc

SHA512
988961d7a95c9883a9a1732d0b5d4443c790c38e342a9e996b072b41d2e8686389f36a249f2232cb58d72f8396c849e9cc52285f35071942bec5c3754b213dd5

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\H2OUtilities.dll

Filesize
119KB

MD5
9d2c520bfa294a6aa0c5cbc6d87caeec

SHA1
20b390db533153e4bf84f3d17225384b924b391f

SHA256
669c812cb8f09799083014a199b0deee10237c95fb49ee107376b952fee5bd89

SHA512
7e2e569549edb6ddd2b0cb0012386aed1f069e35d1f3045bb57704ef17b97129deb7cde8e23bc49980e908e1a5a90b739f68f36a1d231b1302a5d29b722e7c15

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Core.dll

Filesize
56KB

MD5
f931e960cc4ed0d2f392376525ff44db

SHA1
1895aaa8f5b8314d8a4c5938d1405775d3837109

SHA256
1c1c5330ea35f518bf85fad69dc2da1a98a4dfeadbf6ac0ba0ac7cc51bbcc870

SHA512
7fa5e582ad1bb094cbbb68b1db301dcf360e180eb58f8d726a112133277ceaa39660c6d4b3248c19a8b5767a4ae09f4597535711d789ca4f9f334a204d87ffe0

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\MyDownloader.Extension.dll

Filesize
168KB

MD5
28f1996059e79df241388bd9f89cf0b1

SHA1
6ad6f7cde374686a42d9c0fcebadaf00adf21c76

SHA256
c3f8a46e81f16bbfc75de44dc95f0d145213c8af0006bb097950ac4d1562f5ce

SHA512
9654d451cb2f184548649aa04b902f5f6aff300c6f03b9261ee3be5405527b4f23862d8988f9811987da22e386813e844e7c5068fd6421c91551f5b33c625f29

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\Newtonsoft.Json.dll

Filesize
541KB

MD5
9de86cdf74a30602d6baa7affc8c4a0f

SHA1
9c79b6fbf85b8b87dd781b20fc38ba2ac0664143

SHA256
56032ade45ccf8f4c259a2e57487124cf448a90bca2eeb430da2722d9e109583

SHA512
dca0f6078df789bb8c61ffb095d78f564bfc3223c6795ec88aeb5f132c014c5e3cb1bd8268f1e5dc96d7302c7f3de97e73807f3583cb4a320d7adbe93f432641

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.Net.dll

Filesize
101KB

MD5
83d37fb4f754c7f4e41605ec3c8608ea

SHA1
70401de8ce89f809c6e601834d48768c0d65159f

SHA256
56db33c0962b3c34cba5279d2441bc4c12f28b569eadc1b3885dd0951b2c4020

SHA512
f5f3479f485b1829bbfb7eb8087353aee569184f9c506af15c4e28bfe4f73bf2cc220d817f6dfc34b2a7a6f69453f0b71e64b79c4d500ff9a243799f68e88b9f

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\ServiceHide.dll

Filesize
151KB

MD5
72990c7e32ee6c811ea3d2ea64523234

SHA1
a7fcbf83ec6eefb2235d40f51d0d6172d364b822

SHA256
e77e0b4f2762f76a3eaaadf5a3138a35ec06ece80edc4b3396de7a601f8da1b3

SHA512
2908b8c387d46b6329f027bc1e21a230e5b5c32460f8667db32746bc5f12f86927faa10866961cb2c45f6d594941f6828f9078ae7209a27053f6d11586fd2682

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\msvcp140.dll

Filesize
426KB

MD5
8ff1898897f3f4391803c7253366a87b

SHA1
9bdbeed8f75a892b6b630ef9e634667f4c620fa0

SHA256
51398691feef7ae0a876b523aec47c4a06d9a1ee62f1a0aee27de6d6191c68ad

SHA512
cb071ad55beaa541b5baf1f7d5e145f2c26fbee53e535e8c31b8f2b8df4bf7723f7bef214b670b2c3de57a4a75711dd204a940a2158939ad72f551e32da7ab03

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\sciter32.dll

Filesize
5.6MB

MD5
b431083586e39d018e19880ad1a5ce8f

SHA1
3bbf957ab534d845d485a8698accc0a40b63cedd

SHA256
b525fdcc32c5a359a7f5738a30eff0c6390734d8a2c987c62e14c619f99d406b

SHA512
7805a3464fcc3ac4ea1258e2412180c52f2af40a79b540348486c830a20c2bbed337bbf5f4a8926b3ef98c63c87747014f5b43c35f7ec4e7a3693b9dbd0ae67b

Download Submit
\Users\Admin\AppData\Local\Temp\ec05d89197b949eb6957b79472e8723d\vcruntime140.dll

Filesize
74KB

MD5
1a84957b6e681fca057160cd04e26b27

SHA1
8d7e4c98d1ec858db26a3540baaaa9bbf96b5bfe

SHA256
9faeaa45e8cc986af56f28350b38238b03c01c355e9564b849604b8d690919c5

SHA512
5f54c9e87f2510c56f3cf2ceeb5b5ad7711abd9f85a1ff84e74dd82d15181505e7e5428eae6ff823f1190964eb0a82a569273a4562ec4131cecfa00a9d0d02aa

Download Submit
memory/3404-44-0x000001F7D0500000-0x000001F7D0600000-memory.dmp

Filesize
1024KB

Download
memory/3404-43-0x000001F7D0500000-0x000001F7D0600000-memory.dmp

Filesize
1024KB

Download
memory/4052-430-0x0000000006FD0000-0x0000000006FF2000-memory.dmp

Filesize
136KB

Download
memory/4052-446-0x00000000086B0000-0x0000000008C64000-memory.dmp

Filesize
5.7MB

Download
memory/4052-330-0x0000000005F00000-0x0000000005F28000-memory.dmp

Filesize
160KB

Download
memory/4052-306-0x0000000005E70000-0x0000000005E94000-memory.dmp

Filesize
144KB

Download
memory/4052-322-0x0000000005ED0000-0x0000000005EFE000-memory.dmp

Filesize
184KB

Download
memory/4052-298-0x0000000005D10000-0x0000000005D24000-memory.dmp

Filesize
80KB

Download
memory/4052-338-0x0000000005F70000-0x0000000005FA2000-memory.dmp

Filesize
200KB

Download
memory/4052-276-0x0000000000FF0000-0x00000000013C8000-memory.dmp

Filesize
3.8MB

Download
memory/4052-346-0x0000000005F50000-0x0000000005F6A000-memory.dmp

Filesize
104KB

Download
memory/4052-437-0x00000000076D0000-0x00000000076DC000-memory.dmp

Filesize
48KB

Download
memory/4052-362-0x0000000005FC0000-0x0000000005FCA000-memory.dmp

Filesize
40KB

Download
memory/4052-314-0x0000000005EA0000-0x0000000005EC8000-memory.dmp

Filesize
160KB

Download
memory/4052-354-0x0000000005FE0000-0x0000000006004000-memory.dmp

Filesize
144KB

Download
memory/4052-429-0x0000000006EC0000-0x0000000006ECA000-memory.dmp

Filesize
40KB

Download
memory/4052-370-0x0000000006050000-0x0000000006058000-memory.dmp

Filesize
32KB

Download
memory/4052-475-0x0000000008670000-0x000000000869E000-memory.dmp

Filesize
184KB

Download
memory/4052-378-0x00000000060A0000-0x00000000060CC000-memory.dmp

Filesize
176KB

Download
memory/4052-457-0x0000000007910000-0x00000000079A2000-memory.dmp

Filesize
584KB

Download
memory/4052-388-0x0000000006030000-0x000000000604D000-memory.dmp

Filesize
116KB

Download
memory/4052-431-0x0000000007000000-0x0000000007350000-memory.dmp

Filesize
3.3MB

Download
memory/4052-405-0x0000000006710000-0x0000000006722000-memory.dmp

Filesize
72KB

Download
memory/4052-440-0x0000000007BF0000-0x00000000080EE000-memory.dmp

Filesize
5.0MB

Download
memory/4052-424-0x0000000006F40000-0x0000000006FCC000-memory.dmp

Filesize
560KB

Download
memory/4264-538-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/4264-546-0x0000000006D00000-0x0000000006D0A000-memory.dmp

Filesize
40KB

Download
memory/4320-178-0x000002A4A5D20000-0x000002A4A5D22000-memory.dmp

Filesize
8KB

Download
memory/4320-118-0x000002A4A7D70000-0x000002A4A7D72000-memory.dmp

Filesize
8KB

Download
memory/4320-122-0x000002A4A81B0000-0x000002A4A81B2000-memory.dmp

Filesize
8KB

Download
memory/4320-120-0x000002A4A81A0000-0x000002A4A81A2000-memory.dmp

Filesize
8KB

Download
memory/4320-127-0x000002A4A7EE0000-0x000002A4A7EE2000-memory.dmp

Filesize
8KB

Download
memory/4320-133-0x000002A4A8020000-0x000002A4A8022000-memory.dmp

Filesize
8KB

Download
memory/4320-61-0x000002A494E00000-0x000002A494F00000-memory.dmp

Filesize
1024KB

Download
memory/4320-131-0x000002A4A7FC0000-0x000002A4A7FC2000-memory.dmp

Filesize
8KB

Download
memory/4320-129-0x000002A4A7FA0000-0x000002A4A7FA2000-memory.dmp

Filesize
8KB

Download
memory/4320-105-0x000002A4A5BA0000-0x000002A4A5BC0000-memory.dmp

Filesize
128KB

Download
memory/4320-124-0x000002A4A5770000-0x000002A4A5772000-memory.dmp

Filesize
8KB

Download
memory/4320-116-0x000002A4A7BF0000-0x000002A4A7BF2000-memory.dmp

Filesize
8KB

Download
memory/4320-176-0x000002A4A5C70000-0x000002A4A5C72000-memory.dmp

Filesize
8KB

Download
memory/4320-180-0x000002A4A5D30000-0x000002A4A5D32000-memory.dmp

Filesize
8KB

Download
memory/5000-0-0x0000026D76D20000-0x0000026D76D30000-memory.dmp

Filesize
64KB

Download
memory/5000-163-0x0000026D7D4C0000-0x0000026D7D4C1000-memory.dmp

Filesize
4KB

Download
memory/5000-162-0x0000026D7D4B0000-0x0000026D7D4B1000-memory.dmp

Filesize
4KB

Download
memory/5000-35-0x0000026D740C0000-0x0000026D740C2000-memory.dmp

Filesize
8KB

Download
memory/5000-16-0x0000026D76E20000-0x0000026D76E30000-memory.dmp

Filesize
64KB

Download